The Identity and Passport Service (IPS) has admitted a data breach in its online passport application progress checking service.

The incident was formally reported to the Information Commissioner’s Office (ICO) but has not been made public until now.

“A parent was able to discover the existence of a child’s passport application by using the online application progress checking service, possibly without entitlement,” according to an annual report from the IPS.

The parent involved contacted the IPS in June 2007 to warn them.

The ICO advised the IPS it should require anyone making enquiries into the passport application progress to provide the application’s unique reference number. The IPS said it would continue to monitor and assess its information risks to identify and address any weaknesses.

In the next year the service will improve security communications and training, formalise security responsibilities and improve incident reporting processes, it said.

The report makes clear that the service is not required to disclose security incidents if disclosure created an “unacceptable risk of harm”.

The Home Office said such exemptions would apply if there was a danger to national security, if an investigation would be compromised, or if revealing a breach would conflict with data protection legislation by also revealing personal details.

“No such exemptions have been applied in the last year,” said a spokesman.

Last year an online visa application site run by VFS Global for the Foreign and Commonwealth Office was shut after it emerged that online applications for visas could be seen by other applicants, by making a simple change in the browser’s URL address.