UK government guilty of breaking data protection laws

UK government guilty of breaking data protection laws

Visa farce exposes user details

The UK Foreign and Commonwealth Office (FCO) has been found guilty of breaking data protection laws after security on an online visa application site failed.

The breach occurred in a web site set up by the FCO and the UK Home Office to handle visa applications from overseas. A flaw in the site meant that users could see as many as 50,000 other applicants' details when they logged in, an investigation by the UK Information Commissioners Office (ICO) has found.

Mick Gorrill, assistant commissioner at the ICO, said: "Organisations have a duty under the Data Protection Act to keep our personal information secure."

"If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft but risk losing individuals' confidence and trust. We investigate any organisation in breach of the Act and will not hesitate to take appropriate action."

The running of the site was outsourced to an Indian company VFS and a customer alerted them to the problem in December of 2005. However the flaw remained in place and the FCO only admitted there was a problem earlier this year.

Following the Information Commissioner's report, the FCO has admitted responsibility for the breach, corrected the fault and ended its relationship with VFS.

"The VFS on-line application websites will not be re-opened and will be replaced by visa4UK, the UKvisas online application facility which will be the only online application system used by UKvisas," said the FCO in a statement.

"A strategic review of data processing will be undertaken by UKvisas in order to strengthen Data Protection Act risk management processes and a detailed audit carried out of the data processor’s data security procedures. Regular monitoring of the visa4UK website will be undertaken to ensure that the systems in place to provide effective protection."