The Information Commissioner’s Office (ICO) has criticised the Student Loans Company Limited after a series of data breaches involving customers’ records.
The business reported several incidents where information held about customers, including medical details and a psychological assessment, had been sent to the wrong people.
An ICO investigation found that not enough checks were carried out when documents were being scanned to add to customer accounts, and more sensitive documents actually received fewer checks.
ICO Head of Enforcement, Stephen Eckersley, said:
‘For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies. Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after.
‘Our investigation showed that wasn’t happening. We’ve spoken with the company and made clear that changes need to be made, and a formal undertaking is now in place.’
The Student Loans Company Ltd has signed an undertaking committing the organisation to ensure proper checks are carried out before correspondence is sent out, as well as making staff better aware of its data protection policy.
The SLC was established in 1989 and is owned by the UK Government’s Department for Business, Innovation and Skills (85%), the Scottish Government (5%), the Welsh Government (5%) and the Northern Ireland Executive (5%).
An SLC spokesperson said:
‘These data breaches took place in 2012 and we apologise to the three customers whose medical details were disclosed to the wrong recipients.
‘Our investigations found that these data breaches were caused by human error when we were manually assessing the eligibility of students applying for Disabled Students’ Allowance (DSA). Those customers whose details were disclosed were advised of this.
‘When we realised our mistake, we immediately contacted the person or organisation the information had been sent to, to apologise for our mistake and to make sure the details were deleted. We also reported the breaches to the Information Commissioner’s Office and will continue to keep them updated.
‘SLC takes our responsibilities seriously to protect customer data under the Data Protection Act. We have put in place additional quality checks and are confident these will prevent this from happening again. We are also investing significantly in new technology and systems to improve our service to customers.’