Various sites (The Telegraph, BBC, Channel 4) are reporting on the data security breach that occurred yesterday, involving the sensitive personal data (including religion, sexual orientation and any criminal convictions) of around 7,000 junior doctors. The information was available in an Excel spreadsheet on a website for around 9 hours yesterday, but was removed after Channel 4 notified the Department of Health.
A Department of Health spokesperson said:
“This URL was made available to a strictly-limited number of people making checks as part of the employment process. This information was never publicly available through the NHS Medical Training Application Service website and was only accessible for only a short period of time after details of the URL were leaked. The MTAS team fixed the problem as soon as it was brought to their attention.”
The Channel 4 journalist was able to access the details once he had been tipped off by a doctor concerned by security on the site, so the point about the information not being “publicly available through the NHS [MTAS] website” seems to be an attempt at spin. However, the quote does seem to suggest that the MTAS team was adopting a policy of security through obscurity.