The Student Loans Company (SLC) has received a dressing down from data protection watchdog the Information Commissioner’s Office (ICO) after admitting it sent applicants’ personal information including medical details to the wrong people.
The ICO noted that not enough checks were carried out by the SLC when documents were scanned and added to customer accounts.
Perversely, the more sensitive documents actually received fewer checks because “the data controller wished to limit the number of individuals who could access sensitive personal data of this kind”, it said.
The mix-up meant that a customer’s psychological assessment was sent to the wrong person on at least one occasion.
“For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies,” said ICO head of enforcement, Stephen Eckersley. “Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after.”
Eckersley added in a statement that although the ICO’s investigation proved information was not being properly looked after, SLC CEO Mick Laverty had now signed a formal undertaking.
This document commits the Student Loans Company to ensure “adequate checks” are carried out on all correspondence before it is sent out, and that all staff are made aware, and regularly monitored for understanding, of data protection policy.
The undertaking also specifies that the SLC data controller “shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorized and unlawful processing, accidental loss, destruction, and/or damage”.
Given some of the hefty fines handed out by the ICO, the SLC is somewhat lucky to have escaped more serious punishment.
Martin Sugden, CEO of data loss prevention firm Boldon James, argued that the ICO has done the right thing in giving the SLC time to improve its data security practices.
“The related ICO report shows that over 50% of data loss incidents are due to human error means that
organizations need to spend time helping their staff help themselves,” he added.
“Whilst everyone makes mistakes, it is the Student Loans Company who will ultimately be penalized, and as a non-profit organization, any fines levied against them could have a significant impact on the organization.”