The site, still available to training providers in Scotland, is in breach of UK data protection laws which require personal information to be adequately secured, lawyers said this week.
Computer Weekly has established that the Web site, designed and maintained by outsourcing company Capita, can give training providers access to the personal details of students registered for ILAs who have yet to sign up with a training provider.
By accidentally or deliberately mis-typing 10-digit account numbers, registered training providers could gain access to the names, addresses and training records of students who have yet to start training.
The alarm was raised this week by one training provider that had concerns about the security of the system. After a few attempts, company officials demonstrated that they could stumble on students' personal details by mis-typing their own account numbers.
"This sounds like a classic breach of the 7th data protection principle which requires adequate technical and other security to be in place," said Catherine Hamilton, data protection specialist at London law firm DLA. "It does not look like the site has met that requirement."
Under UK privacy laws, the Government should have stipulated that Capita complies with data protection security principles in its contract. The Government closed the ILA Web site to training companies in England in December following mounting concerns that fraudsters had been using weaknesses in the system to claim money for courses they did not provide.
The site's security was independently reviewed and changes made before reopening to Scottish firms, the Scottish Executive said.
Capita insists it complied with its obligations under the Data Protection Act.