ICO criticises Student Loans Company for data breaches

The Information Commissioner's Office (ICO) has criticised the Student Loans Company Limited after several data breaches in which customer records were lost.


The Glasgow-based not-for-profit organisation, which works with local authorities across the United Kingdom to provide financial support to college and university students, has reported numerous incidents in recent months where customer records, such as medical details and psychological assessments, have been sent to the wrong people.

The ICO subsequently investigated the firm's security measures and found that “not enough checks were carried out when documents were being scanned to add to customer accounts”. The UK watchdog said that sensitive documents received even fewer checks.

“For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies,” said ICO head of enforcement Stephen Eckersley.

“Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after.

“Our investigation showed that wasn't happening. We've spoken with the company and made clear that changes need to be made, and a formal undertaking is now in place.”

As a result, the Student Loans Company Ltd has signed an undertaking committing the organisation to ensure that proper checks are carried out before correspondence is sent out, as well as making staff better aware of its data protection policy.

Responding to the news, Quocirca founder and analyst Clive Longbottom said that the Student Loans Company's problems most likely stem from poor technology and lack of staff awareness.

“Most of the problems are down to poor process coupled with poorly implemented technology,” he told SCMagazineUK.com. “Staff are not making the right checks as they are scanning in documents, and it seems that too much faith is then being put in databases when data is being sent out. The [company] seems to have accepted that better training of staff is what is required – however, there is also a need for technology that makes it harder to do things wrong.

“A good OCR system should be able to scan documents (particularly medical ones that tend to follow some form) and make sense of them, matching scanned details against details held in a database to ensure that the right records are held with the right person.”
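As an added illustration of the two controls this article describes, the pre-dispatch check the undertaking commits the company to and the matching of scanned details against the account database that Longbottom suggests, here is example code written for this page. It is not the Student Loans Company's own system or code from the ICO; the field names, the sensitive-category list and the sample customer records are all assumptions made for the example, and the OCR step itself is assumed to have already produced the extracted identifiers.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Categories that get a mandatory second human check before anything is posted
# (assumed list for this example).
SENSITIVE_CATEGORIES = {"medical", "psychological"}


@dataclass(frozen=True)
class CustomerRecord:
    """What the account database holds for one customer (assumed fields)."""
    customer_ref: str
    surname: str
    date_of_birth: str  # ISO 8601, e.g. "1995-04-12"


@dataclass(frozen=True)
class ScannedDocument:
    """Identifiers an OCR step extracted from a scanned page; any may be
    missing (None) if the scan was poor."""
    customer_ref: Optional[str]
    surname: Optional[str]
    date_of_birth: Optional[str]
    category: str  # e.g. "medical", "general"


@dataclass
class DispatchDecision:
    allowed: bool
    second_check_required: bool
    reasons: List[str] = field(default_factory=list)


def _norm(value: Optional[str]) -> Optional[str]:
    """Normalise free text for comparison; OCR output is rarely tidy."""
    return " ".join(value.split()).casefold() if value else None


def check_dispatch(doc: ScannedDocument, filed_under: CustomerRecord,
                   addressee: CustomerRecord) -> DispatchDecision:
    """Decide whether `doc`, filed on `filed_under`'s account, may be posted
    to `addressee`. Every mismatch is recorded so staff see all the reasons."""
    reasons: List[str] = []

    # 1. A document with no usable identifiers cannot be matched at all.
    has_ref = doc.customer_ref is not None
    has_name_dob = doc.surname is not None and doc.date_of_birth is not None
    if not (has_ref or has_name_dob):
        reasons.append("no identifiers extracted; route to manual review")
    else:
        # 2. Identifiers on the page must agree with the account it sits on.
        if has_ref and doc.customer_ref != filed_under.customer_ref:
            reasons.append("customer reference on document differs from account")
        if doc.surname is not None and _norm(doc.surname) != _norm(filed_under.surname):
            reasons.append("surname on document differs from account")
        if doc.date_of_birth is not None and doc.date_of_birth != filed_under.date_of_birth:
            reasons.append("date of birth on document differs from account")

    # 3. The envelope must be going to the holder of that account.
    if addressee.customer_ref != filed_under.customer_ref:
        reasons.append("addressee is not the account holder")

    # 4. Sensitive material always gets a second pair of eyes, even when it matches.
    second_check = doc.category in SENSITIVE_CATEGORIES
    return DispatchDecision(allowed=not reasons,
                            second_check_required=second_check,
                            reasons=reasons)


# Constructed sample customers for a stand-alone run.
ALICE = CustomerRecord("SLC-0001", "Smith", "1995-04-12")
BOB = CustomerRecord("SLC-0002", "Jones", "1996-09-30")

if __name__ == "__main__":
    # Correctly filed medical letter to the right person: allowed, but flagged for a second check.
    print(check_dispatch(ScannedDocument("SLC-0001", "SMITH", "1995-04-12", "medical"), ALICE, ALICE))
    # Same letter addressed to a different customer: blocked.
    print(check_dispatch(ScannedDocument("SLC-0001", "Smith", "1995-04-12", "medical"), ALICE, BOB))
```

The point of returning every reason rather than stopping at the first is that a misfiled scan and a wrong addressee are different process failures, and the person doing the manual review needs to see which one occurred.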

He added that the group's not-for-profit status makes fining “difficult” and said that too many companies are weighing up the possible ICO fines against the risk of a data breach.

“At the moment, too many organisations are weighing up the cost of ICO compliance against the risk of being found out and the likely costs – and finding that they may as well err on the side of saving money,” he said via email. “That, and the capacity for systems integrators to continuously implement poor systems where security is not fully thought through makes ICO breaches far too common.”

The Student Loans Company certainly has a chequered history in this area: a freedom of information request submitted in January 2012 revealed 16 data protection breaches at the firm over the preceding five years.

Update: An SLC spokesperson has since responded to SCMagazineUK.com with the following statement.

“These data breaches took place in 2012 and we apologise to the three customers whose medical details were disclosed to the wrong recipients,” reads the statement.

“Our investigations found that these data breaches were caused by human error when we were manually assessing the eligibility of students applying for Disabled Students' Allowance (DSA). Those customers whose details were disclosed were advised of this.

“When we realised our mistake, we immediately contacted the person or organisation the information had been sent to, to apologise for our mistake and to make sure the details were deleted. We also reported the breaches to the Information Commissioner's Office and will continue to keep them updated.

“SLC takes our responsibilities seriously to protect customer data under the Data Protection Act. We have put in place additional quality checks and are confident these will prevent this from happening again. We are also investing significantly in new technology and systems to improve our service to customers.”
