Feeds

ICO raps UK Student Loans Co for leaking MEDICAL files and more

Computer says d'oh

Providing a secure and efficient Helpdesk

The Information Commissioner’s Office (ICO) has criticised Blighty's Student Loans Company for handing students' medical reports and other private files over to the wrong people.

In various blunders, records including medical notes and a psychological assessment were accidentally leaked to an unnamed outside organisation, sent to an unnamed third-party or simply posted to the wrong addresses.

The ICO carried out an investigation into the cock-ups, and faulted insufficient checks – particularly during the scanning of documents to add to accounts – for the mix-ups. The more sensitive the files, the less they were scrutinised by the loan company, the watchdog concluded.

Stephen Eckersley, head of enforcement at the ICO, commented on Tuesday: “For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies. Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after."

The Student Loans Company (SLC) has since promised to improve [PDF] its procedures and staff training. Further failures, particularly ones along the same lines, are likely to result in fines against the non-profit organisation by the ICO.

In the undertaking to try harder next time, the SLC noted:

The Information Commissioner was provided with a report on the 29 August 2012 which stated that medical details of a customer, containing sensitive personal data, had been sent to an external organisation in error. The Commissioner received another report on the 04 October 2012 that a further two incidents had occurred, one in which a psychological assessment of a customer, containing sensitive personal data, was disclosed to a third party in error and a second in which two items of correspondence were sent to an incorrect address.

Following investigation it was established that in the first reported incident the medical evidence had been incorrectly scanned onto another customer’s account. It was also found that whilst checking procedures were in place at the time of the incident, in the particular department processing the documents, items containing sensitive personal data were subject to fewer checks than those containing less sensitive data.

Martin Sugden, chief exec of data classification and secure messaging firm Boldon James, said that the softly, softly approach to enforcement taken in this case so far is appropriate.

“The Information Commissioner’s Office continues to play 'good cop' with organisations that are careless with users’ data, but in this instance I believe they have done the right thing in allowing the Student Loans Company time to improve their data security practices," Sugden said.

He added: "Whilst this data loss incident may have only involved a small number of records, it’s highly concerning that there were fewer checks in place around the handling of sensitive documents than there were against other customer data. The student loan company knew the issues and they didn’t follow it through." ®

Bootnote

If you're wondering why on Earth Blighty's Student Loans Company has medical records to lose, consider that disabled undergraduates have to provide evidence of their conditions to apply for support grants.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.