Thursday, 26 April 2007 at 22:42
Yesterday, someone working for MTAS (the Medical Training Application Service used by medical students and doctors to apply for training posts) copied an Excel spreadsheet into an unsecured area of the website for distribution.
This would normally be unremarkable; however, this particular spreadsheet contained the personal details of literally thousands of medical students applying for their foundation year posts, resulting in possibly the largest privacy crisis ever to hit UK public service staff.
As reported on Channel 4 News, this file did not just contain names and addresses, although that would have been bad enough. Each applicant’s entry in the spreadsheet also contained their telephone numbers, email addresses, gender, CRB-type information and even details on race and sexual orientation; content which should have been separated from names at the outset. This is in addition to their referee’s details and their answers to every question in the rigorous online application form.
I just can’t believe that any specialist IT organisation would be so stupid as to upload sensitive personal information to an insecure area on the web. If they were going for maximum points on breaking Data Protection laws, they’ve done pretty well. And quite frankly, the DOH response does not give me confidence:
“We apologise to any applicants whose details have been improperly accessed. This URL was made available to a strictly limited number of people making checks as part of the employment process.
This information was never publicly available through the MTAS website and was only accessible for a short period of time after details of the URL were leaked. The MTAS team fixed the problem as soon as it was brought to their attention.”
- Department of Health statement
The information was publicly accessible; anything uploaded to an insecure folder on the web is by definition publicly accessible – and to the whole world. And as MTAS hadn’t even gone to the trouble of including a robots.txt file in their website, even a quick search on Google is enough to turn up any ‘hidden’ folders that they might not want everyone to know about.
My point here is that it can’t simply be regarded as an ‘IT glitch’: it would appear that there are some fundamental problems with the way MTAS is being run. Someone uploaded the file for distribution, and someone else must have given them permission to do so.
I can’t hear about problems like this without starting to wonder about other public sector systems, such as the new NHS Care Records Service. I really hope that the IT guys behind that one are top-notch, because if it’s as leaky a boat as MTAS, we could be in for a lot of trouble.
I wish all the best to those going through the MTAS nightmare at the moment and I hope there are no long-term problems for those whose details have been released. It’s a system which I initially rather applauded, but any system is only as good as the people behind it.
A complete disaster. I have withdrawn my permission for my records to be uploaded onto the national record database.
I do not see how ethically I can be expected to encourage my patients to allow their personal medical details to be uploaded on to the NHS records system when I have no confidence that their records will remain confidential.