The Information Commissioner’s Office (ICO) has criticised Blighty's Student Loans Company for handing students' medical reports and other private files over to the wrong people.
In various blunders, records including medical notes and a psychological assessment were accidentally leaked to an unnamed outside organisation, sent to an unnamed third-party or simply posted to the wrong addresses.
The ICO carried out an investigation into the cock-ups, and faulted insufficient checks – particularly during the scanning of documents to add to accounts – for the mix-ups. The more sensitive the files, the less they were scrutinised by the loan company, the watchdog concluded.
Stephen Eckersley, head of enforcement at the ICO, commented on Tuesday: “For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies. Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after."
The Student Loans Company (SLC) has since promised to improve [PDF] its procedures and staff training. Further failures, particularly ones along the same lines, are likely to result in fines against the non-profit organisation by the ICO.
In the undertaking to try harder next time, the SLC noted:
The Information Commissioner was provided with a report on the 29 August 2012 which stated that medical details of a customer, containing sensitive personal data, had been sent to an external organisation in error. The Commissioner received another report on the 04 October 2012 that a further two incidents had occurred, one in which a psychological assessment of a customer, containing sensitive personal data, was disclosed to a third party in error and a second in which two items of correspondence were sent to an incorrect address.
Following investigation it was established that in the first reported incident the medical evidence had been incorrectly scanned onto another customer’s account. It was also found that whilst checking procedures were in place at the time of the incident, in the particular department processing the documents, items containing sensitive personal data were subject to fewer checks than those containing less sensitive data.
Martin Sugden, chief exec of data classification and secure messaging firm Boldon James, said that the softly, softly approach to enforcement taken in this case so far is appropriate.
“The Information Commissioner’s Office continues to play 'good cop' with organisations that are careless with users’ data, but in this instance I believe they have done the right thing in allowing the Student Loans Company time to improve their data security practices," Sugden said.
He added: "Whilst this data loss incident may have only involved a small number of records, it’s highly concerning that there were fewer checks in place around the handling of sensitive documents than there were against other customer data. The student loan company knew the issues and they didn’t follow it through." ®
If you're wondering why on Earth Blighty's Student Loans Company has medical records to lose, consider that disabled undergraduates have to provide evidence of their conditions to apply for support grants.