The Foreign and Commonwealth Office (FCO) has been sanctioned for a breach of the Data Protection Act by the Information Commissioner's Office (ICO).
In May, an investigation by Channel 4 found a breach in the online application facility for UKvisas, the body to which applications are made, which is provided by Home Office and the FOC. Due to the breach, personal data of people applying for visas from Russia, India and Nigeria were openly available on the application website, which had been outsourced to firm VFS Global.
The rest of online applications worldwide, and indeed the bulk of online Indian applications, are made through the visa4UK site, which is not connected to VFS. But just nine per cent of visa applications are done over the internet, with the rest happening in person, according to UKvisas.
In a statement, UKvisas said: "We regret that mistakes were made which meant that the data was vulnerable and that the technical problem was not fixed when first identified. But it is important that neither we nor the investigator could find any evidence that those vulnerabilities were exploited and data actually stolen, or visas issued wrongly as a result."
Mick Gorrill, assistant commissioner at the ICO, said: "Organisations have a duty under the Data Protection Act to keep our personal information secure. If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft but risk losing individuals' confidence and trust. We investigate any organisation in breach of the Act and will not hesitate to take appropriate action."
The ICO said the FCO fully cooperated with the investigation, and has required the FCO to sign a "formal undertaking" to comply to the Data Protection Act.
According to a spokesman for UKvisas the undertaking means the websites set up by VFS will not be reopened, but will be replaced by the visas4UK system, which is used for applications from other countries. As well, the body will undergo a strategic review of data processing and an audit of data security processes. The visa4UK website will be subject to regular monitoring and training will be given to all staff.
Despite the failure, UKvisas defended the outsourcing of applications, saying it had improved efficiency and the customer experience. "We were breaking new ground when we started down this path. It is a great example of innovation in the delivery of public services. As the project gathered pace, we recognised that the arrangements which had developed locally around our overseas network had to be put on a sounder footing."
VSF, who could not be reached for comment at the time of publication, will keep their 297 million, five-year outsourcing contract with partner CSC, as they will still be running application offices around the world.
