Student Loan Company in the UK enters into enforceable undertaking after data breaches

May 29, 2014

Enforceable undertakings are now an option available to the Privacy Commissioner, either following his own motion investigation or in response to a complaint. Those powers are found at section 33E of the Privacy Act 1988. It provides:

33E Commissioner may accept undertakings

(1) The Commissioner may accept any of the following undertakings:

    (a) a written undertaking given by an entity that the entity will, in order to comply with this Act, take specified action;

    (b) a written undertaking given by an entity that the entity will, in order to comply with this Act, refrain from taking specified action;

    (c) a written undertaking given by an entity that the entity will take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual.

(2) The undertaking must be expressed to be an undertaking under this section.

(3) The entity may withdraw or vary the undertaking at any time, but only with the consent of the Commissioner.

(4) The Commissioner may, by written notice given to the entity, cancel the undertaking.

(5) The Commissioner may publish the undertaking on the Commissioner’s website.

Enforceable undertakings have long been a fixture of consumer protection proceedings at both the State and Federal levels in Australia. The Australian Securities & Investments Commission can accept undertakings under sections 93AA or 93A of the Australian Securities and Investments Commission Act 2001. It is likely that, in the event of a breach of an enforceable undertaking under the Privacy Act 1988, the Federal Court will look to that body of cases on undertakings and on enforcement action for breaches of them. But it is important to note that privacy law, particularly that grounded in statute, is discrete and distinctive. Many practitioners whose involvement in the area is sporadic (and some whose involvement is more regular) tend to graft principles from other areas of law onto privacy related matters. That leads to strange arguments, not a few logical inconsistencies and, on a fairly regular basis, the appearance of a round legal argument being rammed into a statutory square hole. A better approach when looking for precedents is to consider, alongside Australian precedent, how overseas regulators in common law jurisdictions approach enforceable undertakings and take action for breaches or bring civil penalty proceedings, in particular the UK Information Commissioner’s Office and the US Federal Trade Commission. Both are developing a significant body of law dealing with many of the issues the Australian authorities will need to confront if enforcement actions are taken here. The legislation in each jurisdiction differs, but the principles are analogous, broadly having their genesis in the same international instruments, guidelines and, in the European context, Directives. With time one would hope the body of law in the privacy field will develop independently, without having to wear uncomfortably fitting principles taken from other areas and modified more for convenience than appropriateness.

In that context it is relevant to note that on 27 May 2014 the UK Information Commissioner announced that he had criticised the Student Loans Company for a number of data breaches, which resulted in the Student Loans Company entering into an undertaking.

The announcement from the Commissioner is found here and provides:

The Information Commissioner’s Office (ICO) has criticised the Student Loans Company Limited after a series of data breaches involving customers’ records.

The business reported several incidents where information held about customers, including medical details and a psychological assessment, had been sent to the wrong people.

An ICO investigation found that not enough checks were carried out when documents were being scanned to add to customer accounts, and more sensitive documents actually received fewer checks.

ICO Head of Enforcement, Stephen Eckersley, said:

“For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies. Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after.

“Our investigation showed that wasn’t happening. We’ve spoken with the company and made clear that changes need to be made, and a formal undertaking is now in place.”

The Student Loans Company Ltd has signed an undertaking committing the organisation to ensure proper checks are carried out before correspondence is sent out, as well as making staff better aware of its data protection policy.

The undertaking is found here and relevantly provides:

I, Mick Laverty, Chief Executive, of Student Loan Company Limited for and on behalf of Student Loans Company Limited hereby acknowledge the details set out below and undertake to comply with the terms of the following Undertaking:

  1. Student Loans Company Limited is the data controller as defined in section 1(1) of the Data Protection Act 1998 (the ‘Act’), in respect of the processing of personal data carried out by Student Loans Company Limited and is referred to in this Undertaking as the ‘data controller’. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is a data controller.
  2. The Information Commissioner (the ‘Commissioner’) was provided with a report on the 29 August 2012 which stated that medical details of a customer, containing sensitive personal data, had been sent to an external organisation in error. The Commissioner received another report on the 04 October 2012 that a further two incidents had occurred, one in which a psychological assessment of a customer, containing sensitive personal data, was disclosed to a third party in error and a second in which two items of correspondence were sent to an incorrect address.
  3. Following investigation it was established that in the first reported incident the medical evidence had been incorrectly scanned onto another customer’s account. It was also found that whilst checking procedures were in place at the time of the incident, in the particular department processing the documents, items containing sensitive personal data were subject to fewer checks than those containing less sensitive data. Fewer checks were in place as the data controller wished to limit the number of individuals who could access sensitive personal data of this kind.

It was also established that several previous incidents of a similar nature had been reported to the Commissioner and that despite previous intervention incidents continue to occur.

The Commissioner has considered the data controller’s compliance with the provisions of the Act in the light of this matter. The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out in Schedule 1 Part I to the Act. The Commissioner has also considered the fact that some of the data compromised in this incident consisted of information as to the physical or mental health or condition of the data subjects. Personal data containing such information is defined as ‘sensitive personal data’ under section 2[(e)] of the Act.

Following consideration of the remedial action that has been taken by the data controller, it is agreed that in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:

The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:

(1) Appropriate procedures are in place to ensure that adequate checks are carried out on correspondence, particularly that containing sensitive personal data, prior to it being sent out;

(2) The policy covering the storage and use of personal data is to be made available to all relevant staff, and the location and contents of this policy are to be clearly communicated to those staff. Regular monitoring of staff awareness of this policy should be undertaken. The data controller should report on its progress in this area no later than September 2014;

(3) The data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
