The Department of Health (DoH) breached the Data Protection Act through security failings on its Medical Training Application Service (MTAS) website, which exposed the personal details of junior doctors, the Information Commissioner's Office (ICO) has ruled.
Mick Gorrill, assistant commissioner at the ICO, said: “This is an unacceptable breach of security. Organisations must ensure that the personal information they hold on us is secure – this is an important principle of the Data Protection Act.”
The ICO began investigating the site in April this year after a security breach left doctors’ personal details, including their religious beliefs and sexual orientation, accessible to anyone using the site.
The DoH has been required to encrypt any personal data held on its websites, and to carry out regular penetration and vulnerability testing on applications and systems under development in order to minimise the risk of unauthorised access. The Information Commissioner, Richard Thomas, has also ruled that staff must be trained in compliance with the Data Protection Act.
The ICO has made the DoH sign a formal undertaking to comply fully with the data protection principles. Any further failures could result in prosecution, the ICO has confirmed.
“It is essential that the Department of Health takes the appropriate measures that we have outlined to protect individuals’ personal information.”
The site, which was designed to process junior doctors’ applications for training places, was plagued by problems and has since been axed for failing to provide a workable service.