DfE scolded after breach enabled ‘prolonged misuse of 28 million children’s personal data’

Written by Beckie Smith on 8 November 2022 in News

Department spared £10m fine despite ‘serious breach of the law’


The UK’s data-protection watchdog has formally reprimanded the Department for Education for granting unlawful access to millions of children’s information that was then used for gambling age-verification checks.

The department has narrowly avoided a £10m fine after it wrongly gave an employment screening firm access to a database of 28 million pupils’ qualifications, in what the Information Commissioner’s Office called a “serious breach of the law”.

An ICO investigation uncovered “prolonged misuse” of data from the Learning Records Service, which records the full name, date of birth, gender and learning achievements of people aged 14 upwards, with optional fields for email address and nationality.

Education providers are allowed access to the database, but DfE continued to give one former training provider access for well over a year after it changed its trading name and business.

Trustopia, an employment screening firm previously known as Edududes Ltd, had access to the LRS database from September 2018 to January 2020, the ICO found. DfE confirmed that Trustopia has never run any government-funded educational training.

In that time, Trustopia searched for 22,000 learners’ details to carry out age-verification checks on behalf of companies including GB Group, which helped gambling companies confirm customers were over 18. Because the data was not being used for its original purpose, this was unlawful, the ICO said.

Information commissioner John Edwards said the breach would have warranted a £10m fine, which he had decided against issuing because the money would have been returned to government and therefore had a “minimal effect”.

The decision aligns with a new approach to dealing with the public sector that Edwards set out in June. Had the ICO not been trialling this new approach, which aims to be collaborative and reduce the impact of fines on the public, DfE would have been fined, the regulator said.

But he said the decision “should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education”.

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them,” he said.

DfE reported itself to the ICO after a Sunday Times exposé revealed GB Group gained access to pupils' data through Trustopia in early 2020.

By giving Trustopia access to the LRS, DfE failed in its obligations to use and share children’s data fairly, lawfully and transparently, the ICO said. It also failed to prevent unauthorised access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children,” Edwards said.

The ICO carried out a simultaneous investigation into Trustopia, but did not take regulatory action as the company was dissolved before the probe ended. Trustopia confirmed it no longer had access to the database and had deleted any data held in temporary files.

Since the breach, DfE has strengthened its registration process for LRS and revoked 2,600 organisations’ access to the database.

The ICO said that the department is taking “significant steps” to improve its data-protection practices and has “actively engaged” with the regulator since a compulsory audit in 2020 that coincided with the Trustopia incident.

The audit found the department was not prioritising data protection, which was impacting its ability to comply with data-protection laws.

The decision not to punish the DfE financially comes just a few days after a £500,000 fine that was previously levied on the Cabinet Office for the 2020 New Year honours data breach was reduced by 90%. The ICO attributed this reduction partly to its recognition of the “current economic pressure” on government, as well as to its new approach to the public sector, which focuses on trying to raise standards – rather than impose penalties.

Although less punitive financially, the regulator has indicated that the new ethos is likely to result in more public reprimands. This was exemplified by a recent announcement in which two government departments, three local councils, and a police force were scolded for failing to meet their obligations in responding to subject-access requests.


About the author

Beckie Smith is deputy editor for PublicTechnology sister publication Civil Service World, where a version of this story first appeared. She tweets as @beckie__smith.
