Feeds

ICO raps UK Student Loans Co for leaking MEDICAL files and more

Computer says d'oh

Choosing a cloud hosting partner with confidence

The Information Commissioner’s Office (ICO) has criticised Blighty's Student Loans Company for handing students' medical reports and other private files over to the wrong people.

In various blunders, records including medical notes and a psychological assessment were accidentally leaked to an unnamed outside organisation, sent to an unnamed third-party or simply posted to the wrong addresses.

The ICO carried out an investigation into the cock-ups, and faulted insufficient checks – particularly during the scanning of documents to add to accounts – for the mix-ups. The more sensitive the files, the less they were scrutinised by the loan company, the watchdog concluded.

Stephen Eckersley, head of enforcement at the ICO, commented on Tuesday: “For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies. Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after."

The Student Loans Company (SLC) has since promised to improve [PDF] its procedures and staff training. Further failures, particularly ones along the same lines, are likely to result in fines against the non-profit organisation by the ICO.

In the undertaking to try harder next time, the SLC noted:

The Information Commissioner was provided with a report on the 29 August 2012 which stated that medical details of a customer, containing sensitive personal data, had been sent to an external organisation in error. The Commissioner received another report on the 04 October 2012 that a further two incidents had occurred, one in which a psychological assessment of a customer, containing sensitive personal data, was disclosed to a third party in error and a second in which two items of correspondence were sent to an incorrect address.

Following investigation it was established that in the first reported incident the medical evidence had been incorrectly scanned onto another customer’s account. It was also found that whilst checking procedures were in place at the time of the incident, in the particular department processing the documents, items containing sensitive personal data were subject to fewer checks than those containing less sensitive data.

Martin Sugden, chief exec of data classification and secure messaging firm Boldon James, said that the softly, softly approach to enforcement taken in this case so far is appropriate.

“The Information Commissioner’s Office continues to play 'good cop' with organisations that are careless with users’ data, but in this instance I believe they have done the right thing in allowing the Student Loans Company time to improve their data security practices," Sugden said.

He added: "Whilst this data loss incident may have only involved a small number of records, it’s highly concerning that there were fewer checks in place around the handling of sensitive documents than there were against other customer data. The student loan company knew the issues and they didn’t follow it through." ®

Bootnote

If you're wondering why on Earth Blighty's Student Loans Company has medical records to lose, consider that disabled undergraduates have to provide evidence of their conditions to apply for support grants.

Security for virtualized datacentres

More from The Register

next story
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.