Department spared £10m fine despite ‘serious breach of the law’
The UK’s data-protection watchdog has formally reprimanded the Department for Education for granting unlawful access to millions of children’s information that was then used for gambling age-verification checks.
The department has narrowly avoided a £10m fine after it wrongly gave an employment screening firm access to a database of 28 million pupils’ qualifications, in what the Information Commissioner’s Office called a “serious breach of the law”.
An ICO investigation uncovered “prolonged misuse” of data from the Learning Records Service, which records the full name, date of birth, gender and learning achievements of people aged 14 upwards, with optional fields for email address and nationality.
Education providers are allowed access to the database, but DfE continued to give one former training provider access for well over a year after it changed its trading name and business.
Trustopia, an employment screening firm previously known as Edududes Ltd, had access to the LRS database from September 2018 to January 2020, the ICO found. DfE confirmed that Trustopia has never run any government-funded educational training.
In that time, Trustopia searched for 22,000 learners’ details to carry out age-verification checks on behalf of companies including GB Group, which helped gambling companies confirm customers were over 18. Because the data was not being used for its original purpose, this was unlawful, the ICO said.
Information commissioner John Edwards said the breach would have warranted a £10m fine, but that he had decided against issuing one because the money would have been returned to government and the fine would therefore have had a “minimal effect”.
The decision aligns with a new approach to dealing with the public sector that Edwards set out in June. Had the ICO not been trialling this new approach, which aims to be collaborative and reduce the impact of fines on the public, DfE would have been fined, the regulator said.
But he said the decision “should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education”.
“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them,” he said.
DfE reported itself to the ICO after a Sunday Times exposé revealed GB Group gained access to pupils’ data through Trustopia in early 2020.
By giving Trustopia access to the LRS, DfE failed in its obligations to use and share children’s data fairly, lawfully and transparently, the ICO said. It also failed to prevent unauthorised access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children,” Edwards said.
The ICO carried out a simultaneous investigation into Trustopia, but did not take regulatory action as the company was dissolved before the probe ended. Trustopia confirmed it no longer had access to the database and had deleted any data held in temporary files.
Since the breach, DfE has strengthened its registration process for LRS and revoked 2,600 organisations’ access to the database.
The ICO said that the department is taking “significant steps” to improve its data-protection practices and has “actively engaged” with the regulator since a compulsory audit in 2020 that coincided with the Trustopia incident.
The audit found the department was not prioritising data protection, which was impacting its ability to comply with data-protection laws.
The decision not to punish the DfE financially comes just a few days after a £500,000 fine that was previously levied on the Cabinet Office for the 2020 New Year honours data breach was reduced by 90%. The ICO attributed this reduction partly to its recognition of the “current economic pressure” on government, as well as to its new approach to the public sector, which focuses on trying to raise standards – rather than impose penalties.
Although less punitive financially, the regulator has indicated that the new ethos is likely to result in more public reprimands. This was exemplified by a recent announcement in which two government departments, three local councils, and a police force were scolded for failing to meet their obligations in responding to subject-access requests.