The Foreign Office has been slammed for breaching the Data Protection Act after a probe by the Information Commissioner into a security flaw on a website used by people applying for UK visas.

The Information Commissioner’s Office launched an investigation after being alerted in May to the security error on the UKvisas website provided by VFS Global, a commercial partner of the joint Foreign Office and Home Office agency, UKVisas.

The security hole meant that the personal data of people applying for visas to enter the UK was visible to other website users.

Independent investigators, led by Linda Costelloe Baker, have also probed the security breach, painting a damning picture of “organisational failures” by both the government agency and its contractor.

The investigation strongly criticised UKVisas’ outsourcing of the online service to a firm that is not an IT specialist, the contractor’s performance and the failure to respond adequately when the security hole was first revealed in December 2005.

The ICO based its ruling on the findings of the Costelloe Baker report.

But the watchdog body stopped short of slapping an enforcement notice on the Foreign Office, opting instead to require the department to sign a formal undertaking to comply with Data Protection Act principles in future.

Failure to meet the terms of the undertaking was likely to lead to further enforcement action, the ICO said.

Mick Gorrill, assistant commissioner at the ICO, said: “Organisations have a duty under the Data Protection Act to keep our personal information secure. If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft but risk losing individuals’ confidence and trust. We investigate any organisation in breach of the Act and will not hesitate to take appropriate action.”

The undertaking commits the Foreign Office to scrapping the VFS online application website and replacing it with the visa4UK online application service – a commitment already made by foreign secretary David Miliband.

UKvisas must also carry out a strategic review of data processing and a detailed audit of its data security procedures, regularly monitor the security of the visa4UK website and provide continuing data protection training to UKvisas staff, the document stipulates.