Fresh controversy was raised this week over the Government's
ill-fated Individual Learning Account (ILA) programme, after it
emerged that confidential personal information could still be
accessed from the Web site used to administer the scheme.
The site, still available to training providers in Scotland, is in
breach of UK data protection laws which require personal
information to be adequately secured, lawyers said this week.
Computer Weekly has established that the Web site, designed and
maintained by outsourcing company Capita, can give training
providers access to the personal details of students registered for
ILAs who have yet to sign up with a training provider.
By accidentally or deliberately mis-typing 10-digit account
numbers, registered training providers could gain access to the
names, addresses and training records of students who have yet to
start training.
The alarm was raised this week by one training provider that had
concerns about the security of the system. After a few attempts,
company officials demonstrated that they could stumble on students'
personal details by mis-typing their own account numbers.
"This sounds like a classic breach of the 7th data protection
principle which requires adequate technical and other security to
be in place," said Catherine Hamilton, data protection specialist
at London law firm DLA. "It does not look like the site has met
that requirement."
Under UK privacy laws, the Government should have stipulated that
Capita complies with data protection security principles in its
contract. The Government closed the ILA Web site to training
companies in England in December following mounting concerns that
fraudsters had been using weaknesses in the system to claim money
for courses they did not provide.
The site's security was independently reviewed and changes made
before reopening to Scottish firms, the Scottish Executive said.
Capita insists it complied with its obligations under the Data
Protection Act.