Department for Education guilty of ‘woeful’ data control

The Department for Education has swerved a £10m data protection fine despite being found guilty of allowing the prolonged misuse of the personal information of up to 28 million children.

The move follows claims made in The Sunday Times in January 2020, that the Learning Record Service (LRS), a DfE file designed to help schools and colleges verify a student’s academic records and their eligibility for additional funding, was being used by gambling firms to ensure punters were aged 18 or over and legally entitled to gamble.

The newspaper claimed that thousands of firms had access to the file, including Chester-based ID verification and fraud prevention firm GB Group, which had signed a confidential contract through another company to access the database to boost the number of young people gambling online.

At the time, GBG strenuously denied the allegations. However, the publication of an Information Commissioner’s Office investigation into the issue has found that GBG should not have had access to this file although the ICO lays the blame squarely with the DfE.

The ICO found that a company called Trustopia had access to the LRS database from September 2018 to January 2020. Some 12,600 other organisations were also using the LRS database, but most were schools, colleges, higher education institutions, and other education providers.

Even so, the regulator found that Trustopia had carried out searches on 22,000 people on the file for age verification purposes. The DfE confirmed that Trustopia has never provided any government-funded educational training.

The investigation found the DfE continued to grant Trustopia access to the database when it advised the Department that it was the new trading name for Edududes Ltd, which had been a training provider.

Trustopia was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were aged over 18. This data sharing meant the information was not being used for its original purpose, which is against data protection law.

By granting LRS database access to Trustopia, the DfE failed in its obligations to use and share children’s data fairly, lawfully and transparently. It also failed to prevent unauthorised access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.

Yet, despite being banged to rights, the DfE has escaped with a reprimand rather than a fine under the ICO’s new approach towards the public sector, which aims to reduce the impact of fines on the public.

Information Commissioner John Edwards said: “No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the DfE were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.

“This was a serious breach of the law, and one that would have warranted a £10m fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the DfE.”

GBG has yet to comment on the ruling.