Data Protection Act infringed by UK Foreign Office

By EDRi · November 21, 2007

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

Following an investigation into the online visa application system for UK,
the Information Commissioner’s Office (ICO) ruled on 13 November 2007 that
the Foreign and Commonwealth Office (FCO) was in breach of the Data
Protection Act, having failed to properly protect visa applications made
over the Internet through its UK visas website.

The site is run by FCO together with the Home Office and is outsourced to an
Indian company called VFS. The problem was first signalled by a member of
the public who alerted VFS being concerned of the fact that he could read
details about other applicants. But only this year have VFS and FCO admitted
there was a problem after the issue was brought out by a Channel 4 News
investigation showing the visa applicant data was not secure.

The ICO investigation has shown that at least 50 000 applications to the
British High Commission in India were affected and found “inadequate
central control of the moves to outsourcing” stating that officials had a
“piecemeal” approach to privacy. The report concluded that: “The earlier
contracts paid insufficient attention to the requirements of the Data
Protection Act and to basic IT security.”

FCO fully cooperated with ICO during the investigation also providing ICO
with an independent report into the breach. ICO asked FCO to sign a formal
undertaking to comply with the Data Protection Act which comprises the eight
basic principles of personal data protection.

“Organisations have a duty to keep our personal information secure (…) If
they fail to take this responsibility seriously, they not only leave
individuals vulnerable to identity theft, but risk losing confidence and
trust” said Mick Gorrill, assistant commissioner at the Information
Commissioner’s Office.

Failure by FCO to meet the terms of the undertaking may lead to further
action by the ICO.

Foreign Office in breach of the Data Protection Act – ICO Press Release

Government broke data protection laws (14.11.2007)