Student Loans Company slammed over data security gaffes
UK data protection watchdog hits out at student finance organisation's data handling skills
The Student Loans Company has agreed to tighten up its procedures for handling data after several gaffes resulted in personal documents and information being disclosed to unauthorised third parties.
The company, which is responsible for controlling the payment of loans and tuition fees to millions of students and universities across the UK, suffered three data breaches.
Details came to light after the Information Commissioner's Office (ICO) decided to speak out, having determined the company's customer data was not receiving the care and attention it deserved.
The ICO said it first received a report in August 2012 about the way the Student Loans Company handles data. This related to an incident where the medical details of one of its customers were sent in error to an external organisation.
Two further incidents were reported to the ICO in October of the same year. The first occurred when a customer's psychological assessment was disclosed to a third party, while the second involved two documents being sent to an incorrect address.
"Following investigation it was established that in the first reported incident the medical evidence had been incorrectly scanned onto another customer's account," the ICO's undertaking against the Student Loans Company states.
"It was also found while checking procedures were in place at the time of the incident, in the particular department processing the documents, items containing sensitive personal data were subject to fewer checks than those containing less sensitive data."
As a result, the Student Loans Company has been ordered to improve the way it handles people's personal data and ensure that all relevant staff are educated on this point.
It will also need to report to the ICO about the progress it's made in this area by September 2014.
Stephen Eckersley, head of enforcement at the ICO, said the nature of what the company does means the data security of its customers should be paramount.
"Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after," he said.
"Our investigation showed that wasn't happening. We've spoken with the company and made clear that changes need to be made, and a formal undertaking is now in place."
IT Pro contacted the Student Loans Company for comment on this matter, and it responded with the following statement: "Our investigations found that these data breaches were caused by human error when we were manually assessing the eligibility of students applying for Disabled Students' Allowance (DSA). Those customers whose details were disclosed were advised of this.
"When we realised our mistake, we immediately contacted the person or organisation the information had been sent to, to apologise for our mistake and to make sure the details were deleted. We also reported the breaches to the Information Commissioner's Office and will continue to keep them updated.
"SLC takes our responsibilities seriously to protect customer data under the Data Protection Act. We have put in place additional quality checks and are confident these will prevent this from happening again. We are also investing significantly in new technology and systems to improve our service to customers," it concluded.