Department of Health found in breach of data protection

Thursday, 20 December 2007

Sensitive personal details relating to junior doctors, including religious beliefs and sexual orientation, were accessible to anyone accessing an NHS website.

The Information Commissioner’s Office has found the Department of Health in breach of the Data Protection Act following an investigation into a security breach. The ICO was alerted in May 2007 to the security breach, which left sensitive personal details relating to junior doctors, including religious beliefs and sexual orientation, accessible to anyone accessing the Medical Training Application Service (MTAS) website.

In order to protect against unauthorised access, the Department of Health has been required to encrypt any personal data on its website which could cause distress to individuals if disclosed.

Prosecution

Regular penetration and vulnerability testing must also be carried out on developing applications and systems to minimise unauthorised access. The Information Commissioner has also ruled that staff must be trained on compliance with the Data Protection Act.

The ICO has required the Department of Health to sign a formal undertaking to comply with the principles of the Data Protection Act. Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO and could result in prosecution by the Office.

Mick Gorrill, assistant commissioner at the ICO, called the breach of security "unacceptable".

"Organisations must ensure that the personal information they hold on us is secure. This is an important principle of the Data Protection Act. Individuals must feel confident that their personal details cannot be accessed by another party," he said.

He added that research by the ICO shows that nine out of ten individuals are concerned that organisations are failing to keep their information secure, and said that it is essential that the Department of Health takes the appropriate measures to protect individuals’ personal information.