DFE Misuses Children’s Data for Gambling

The Department for Education has been reprimanded after allowing gambling firms access to confidential children’s data. An investigation carried out by the Information Commissioner’s Office uncovered a serious data breach, as the information of up to 28 million children was not used for its original purposes.

The government department failed to prevent unauthorized access to the data of 28 million children. ©Sergei Star/Pexels

Misuse of Data

The Information Commissioner’s Office has reprimanded the Department for Education after it was found to have seriously breached data protection laws. Betting firms were allowed to use the information of up to 28 million children on a student database for age-verification checks.

The ICO has described the case as a prolonged misuse of sensitive information, as it was not used for its intended purpose. Its investigation found that, because of poor due diligence at the Department for Education, a database of pupils’ learning records was used by Trust Systems Software UK Ltd.

The company, which trades as Trustopia, is an employment screening firm. It allowed data in the learning record service database to be used by gambling operators to check that those opening online gambling accounts were over the age of eighteen.

The Department for Education granted Trustopia access to the database when it advised that it was the new trading name for Edudes Ltd, which had previously been a training provider. In truth, Trustopia was a screening company and used the database for age verification purposes. It offered this service to businesses including GB Group, which assisted gambling operators in checking the ages of their users. Amongst the operators GB Group worked with were Betfair and 32Red.

Trustopia had access to the LRS database from September 2018 to January 2020. During this time, it conducted searches on 22,000 learners as part of its age verification checks. The Department for Education has verified that Trustopia has never provided government-funded education training.

According to the ICO, the sharing of this data was against data protection law, as the information of young people was not being used for its original purpose. The Department for Education has responsibility over the information contained in the LRS database, which records pupils’ qualifications that can be accessed by education providers.

£10 Million Fine Avoided

In a published statement, the ICO said that it had issued a reprimand to the Department for Education and outlined clear measures that it must undertake to improve its data protection practices. Commenting on the incident, UK Information Commissioner John Edwards made it clear that the Department for Education was guilty of a serious data breach. Edwards stated:

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.”

Continuing, Edwards said that the general public has a right to expect that central government departments treat our data with respect and security. This is particularly important when it comes to the personal information of minors. As such, the government department failed in its obligations to use and share children’s data lawfully, transparently and fairly.

The department also failed to prevent unauthorized access to the data, ensure its necessary oversight and stop information from being accessed for purposes incompatible with the provision of educational services. As a serious breach of the law, Edwards added that it would have warranted a £10 million fine.

However, the ICO has taken the decision in this case not to issue a fine. It explained that a financial penalty would have had minimal impact, as the money would have been returned to the government. Nevertheless, the ICO is keen to make a point of how serious the Department for Education’s errors were, and how urgently they must be rectified.

Earlier this year, the UK Information Commissioner announced a new approach towards the public sector, aimed at reducing the impact of fines on the public. Had this trial not been set out in June, the Department for Education would have been met with the hefty fine.

Department for Education Audited

The ICO’s investigation was launched after it received a report from the Department for Education about the unauthorized access to its LRS database. The government department was first made aware of the breach when it was exposed by a national newspaper.

The database contains the personal information of up to 28 million children and young people aged fourteen and over. Information in the database includes the full name, date of birth and gender of individuals, as well as their learning and training achievements. Voluntary fields also detail email addresses and nationality. The database holds on to that information for 66 years.

At the time that the breach took place, 12,600 organizations had access to the LRS database. These largely consisted of schools, colleges and higher education institutions. These organizations are permitted to use the data to check the students’ academic qualifications and assess whether they may be eligible for funding.

Since the incident took place, the government department has withdrawn database access from 2,600 organizations. It has also reinforced its registration process. The ICO has noted that the Department for Education now regularly checks for excessive searches on the database and deregisters organizations that don’t use it anymore.

The ICO stated that the incident coincided with an assessment notice and a compulsory audit of the Department for Education. The department agreed to include enquiries relating to the database with the audit. It has been cooperating with the ICO since the audit, which took place in 2020, and is continuing to take steps to improve its data protection practices.

At the same time, the ICO carried out an investigation into Trustopia. The company stated that it no longer had access to the database and had deleted its cache of data held in temporary files. Trustopia was dissolved before the ICO’s investigation could be completed, preventing it from being able to take regulatory action.
