The Department for Education has been reprimanded over a “serious breach” of data protection law which allowed a firm providing age-verification for gambling companies access to the personal information of millions of young people.
But the department has avoided a fine of over £10 million from the information watchdog, despite a warning over “woeful” data protection practices.
An Information Commissioner’s Office investigation into data shared from the learning record service (LRS) found “prolonged misuse of the personal information of up to 28 million children”.
The LRS holds data on pupils and learners over 14 for 66 years, and is only supposed to be accessed for education purposes.
But the Sunday Times revealed in 2020 that employment screening firm Trustopia had used the data to provide age verification serves to the GB Group, to help gambling companies confirm customers were over 18.
The ICO launched its investigation after it was notified by the DfE, which only became aware of the breach because of the national news story.
Screening firm looked up 22k learners
According to the watchdog, Trustopia had access to the LRS database for over a year from September 2018 to January 2020, and carried out searches on 22,000 learners.
The ICO ruled today that the data was shared “without appropriate control or oversight”, and that the DfE “failed to protect against the unauthorised processing by third parties of data held on the LRS database for reasons other than the provision of educational services”.
Data subjects were also “unaware of the processing and could not object or otherwise withdraw from this processing”. The DfE “failed to process personal data fairly, lawfully and transparently”, breaching the general data protection regulations (GDPR).
“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” said information commissioner John Edwards.
“Our investigation found that the processes put in place by the Department for Education were woeful.”
DfE dodges £10m fine for data failures
The ICO said it “considered” issuing a fine of just over £10 million, which would have been “effective, proportionate and dissuasive”.
However, due to a “revised approach” by the ICO to public sector organisations, the watchdog settled for a formal reprimand.
“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case,” said Edwards. But he chose “not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal”.
“But that should not detract from how serious the errors we have highlighted were.”
The DfE had continued to grant Trustopia access to the database after it advised officials it was the new trading name for Edududes Ltd, which had been a training provider.
But Trustopia “was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18”.
“This data sharing meant the information was not being used for its original purpose. This is against data protection law.”
Access revoked for a fifth of organisations
The ICO said that at the time of the breach, 12,600 organisations had access to the LRS database, “including schools, colleges, higher education institutions, and other education providers”.
These organisations get access so they can “verify a number of functions including the academic qualifications of potential students or check if they are eligible for funding”.
Since the incident, the DfE has removed access from 2,600 organisations.
It follows a damning audit of the DfE’s broader data processing activities by the ICO in 2020, which also found the DfE broke data protection laws in how it handled pupil data.
The DfE still hasn’t met its pledge to publish the full audit report, and now also faces potential legal action from data privacy campaign group Defend Digital Me over the way it handles data.
A department spokesperson said: “In January 2020 we became aware that a third party that was granted access to the learner record service for legitimate business was misusing its permission.
“Since then, we have worked closely with the ICO to ensure our oversight of access to data has improved, ensuring that this could not happen again.
“We take the security of data we hold extremely seriously. We will publish a full response to this letter by the end of the year, setting out detailed progress in respect of all the actions identified.”
No regulation for dissolved firm Trustopia
The ICO said today that it had conducted a simultaneous investigation into Trustopia, “during which the company confirmed it no longer had access to the database and the cache of data held in temporary files had been deleted”.
The firm has since been dissolved, meaning regulatory action was “not available”.
It comes after Schools Week’s sister paper FE Week revealed in 2020 that Trustopia co-founder Ronan Smith had previously run a private provider called Edudo, which was investigated by the Education and Skills Funding Agency in 2017.
The agency subsequently terminated the firm’s contracts, which were used to deliver courses funded through advanced learner loans.
Smith then transferred Edudo’s assets to a new company called Learning Republic and went bust. Hundreds of learners were subsequently left thousands of pounds in debt with no qualifications to show for it.
Smith was approached for comment, as was the GB Group.
Data leaks, misuse of data and linking of data sets leading to privacy and other concerns can only increase.
Have a look at the Joseph Rowntree Reform Trust’s “Database State – Full Report”. It’s quite old (23 Mar 2009), but I am quite sure things will have got worse since it was published.