Foreign Office in website security breach

November 13, 2007

By Pam Caulfield

http://www.24dash.com/centralgovernment/29252.htm



The Foreign Office broke data protection rules by failing to ensure its UK visas website was secure, the privacy watchdog said today.

A security breach meant the personal data of visa applicants was visible to other people visiting the website, the Information Commissioner's Office (ICO) found.

The Foreign and Commonwealth Office (FCO) has now signed a formal undertaking to comply with the Data Protection Act.

It follows an investigation by the ICO, sparked in May when the security breach on the visa processing website came to light.

ICO assistant commissioner Mick Gorrill said: "Organisations have a duty under the Data Protection Act to keep our personal information secure.

"If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft but risk losing individuals' confidence and trust.

"We investigate any organisation in breach of the Act and will not hesitate to take appropriate action."

During the investigation, the FCO gave the ICO an independent report into the security breach.

The ICO was alerted to a potential security breach at the UK visas website by Channel 4 News.

That report said the security flaw affected up to 50,000 online visa applications to the British High Commission in India.

UKvisas is the joint Home Office and Foreign and Commonwealth directorate responsible for visa processing.

A company called VFS was contracted by UKvisas to operate the website facility where the breach occurred.

According to the Foreign Office undertaking, VFS will be replaced by a new visa application facility called visa4UK.

UKvisas will carry out both a strategic review of its data processing and an audit of data security procedures.

Staff will be given data protection training and the website will be regularly monitored to ensure there is no unauthorised access to it.

The ICO is an independent body which monitors compliance with the Data Protection Act.

