Student Loans Company criticised by ICO for data breaches

Sensitive data accidentally sent to third parties

The Student Loans Company has been criticised by the Information Commissioner's Office (ICO) for a series of data breaches relating to customer records.

After being alerted by the Student Loans Company that personal information about customers had been sent to the wrong people, an investigation was launched by the ICO.

Sensitive data accidentally sent to a number of third parties included medical details and psychological assessments, the ICO said.

The investigation revealed that not enough checks were put in place before documents were scanned and added to customer accounts, and more sensitive documents received even fewer checks.

"For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies," said ICO Head of Enforcement, Stephen Eckersley.

"Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after.

"Our investigation showed that wasn't happening. We've spoken with the company and made clear that changes need to be made, and a formal undertaking is now in place."

The Student Loans Company has now signed an undertaking committing to improving checks before correspondence is sent out, as well as making staff more aware of its data protection policy.

"These data breaches took place in 2012 and we apologise to the three customers whose medical details were disclosed to the wrong recipients," a spokesperson for the company said in an email statement.

"When we realised our mistake, we immediately contacted the person or organisation the information had been sent to, to apologise for our mistake and to make sure the details were deleted. We also reported the breaches to the Information Commissioner's Office and will continue to keep them updated.

"SLC takes our responsibilities seriously to protect customer data under the Data Protection Act. We have put in place additional quality checks and are confident these will prevent this from happening again. We are also investing significantly in new technology and systems to improve our service to customers."

"Our investigations found that these data breaches were caused by human error when we were manually assessing the eligibility of students applying for Disabled Students' Allowance (DSA). Those customers whose details were disclosed were advised of this."

Student Loans Company CEO, Mike Laverty, recently spoke to ComputerworldUK about the £50 million IT investment it has made to improve services, following criticism from MPs.
