what about the FDA?
Posted Saturday 12th May 2007 16:10 GMT
Never mind the information commissioner, what about the FDA? I'm pretty certain that all computer systems used by pharma companies need to be validated and documented to an FDA standard.
Posted Sunday 13th May 2007 00:52 GMT
That would be the US Food and Drug Administration then? Not sure if they have jurisdiction in the UK...
Posted Monday 14th May 2007 04:41 GMT
The problem was that they used a recycled link in an email that went to a specific user's information, with the ability to update the data on that page. At most, anyone who clicked the link was able to see the details of only the last person to enter data, not everyone's on the email list. It isn't as big of a breach as this article makes it out to be.
Posted Monday 14th May 2007 10:55 GMT
"Not as bad as it sounds" is like saying you are "just a little bit pregnant". This is a binary issue. The data leaked or it did not leak. Period.
The data leaked.
The data that leaked included medical details.
This is contrary to the Data Protection Act 1998.
This "not as bad as it sounds" comment sounds like an attempt to whitewash this. Roche was trusted with that data. It proved itself to be untrustworthy by its actions.
Posted Monday 14th May 2007 15:33 GMT
FDA do have some jurisdiction in the UK, in that they can audit Pharma sites. However, the UK has an equivalent called the MHRA (Medicines and Health Regulatory Agency) which will have the power to look into this. Regardless, the websystem will have probably been assessed and not requiring validation and therefore won't have been, hence the leak. I would guess that this will be changed ...