Feeds

ICO raps UK Student Loans Co for leaking MEDICAL files and more

Computer says d'oh

Choosing a cloud hosting partner with confidence

The Information Commissioner’s Office (ICO) has criticised Blighty's Student Loans Company for handing students' medical reports and other private files over to the wrong people.

In various blunders, records including medical notes and a psychological assessment were accidentally leaked to an unnamed outside organisation, sent to an unnamed third-party or simply posted to the wrong addresses.

The ICO carried out an investigation into the cock-ups, and faulted insufficient checks – particularly during the scanning of documents to add to accounts – for the mix-ups. The more sensitive the files, the less they were scrutinised by the loan company, the watchdog concluded.

Stephen Eckersley, head of enforcement at the ICO, commented on Tuesday: “For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies. Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after."

The Student Loans Company (SLC) has since promised to improve [PDF] its procedures and staff training. Further failures, particularly ones along the same lines, are likely to result in fines against the non-profit organisation by the ICO.

In the undertaking to try harder next time, the SLC noted:

The Information Commissioner was provided with a report on the 29 August 2012 which stated that medical details of a customer, containing sensitive personal data, had been sent to an external organisation in error. The Commissioner received another report on the 04 October 2012 that a further two incidents had occurred, one in which a psychological assessment of a customer, containing sensitive personal data, was disclosed to a third party in error and a second in which two items of correspondence were sent to an incorrect address.

Following investigation it was established that in the first reported incident the medical evidence had been incorrectly scanned onto another customer’s account. It was also found that whilst checking procedures were in place at the time of the incident, in the particular department processing the documents, items containing sensitive personal data were subject to fewer checks than those containing less sensitive data.

Martin Sugden, chief exec of data classification and secure messaging firm Boldon James, said that the softly, softly approach to enforcement taken in this case so far is appropriate.

“The Information Commissioner’s Office continues to play 'good cop' with organisations that are careless with users’ data, but in this instance I believe they have done the right thing in allowing the Student Loans Company time to improve their data security practices," Sugden said.

He added: "Whilst this data loss incident may have only involved a small number of records, it’s highly concerning that there were fewer checks in place around the handling of sensitive documents than there were against other customer data. The student loan company knew the issues and they didn’t follow it through." ®

Bootnote

If you're wondering why on Earth Blighty's Student Loans Company has medical records to lose, consider that disabled undergraduates have to provide evidence of their conditions to apply for support grants.

Intelligent flash storage arrays

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.