Data breach firm given access despite DfE probe

The founder of a firm at the centre of a major education data breach involving betting companies was subject to a previous government investigation.

Unions are now demanding an independent investigation over how the Department for Education gave the firm, which offers screening checks, access to the Learning Records Service database.

The LRS contains the names, ages and addresses of 28 million young people aged 14 and over in schools and colleges across the United Kingdom.

Given the hugely sensitive nature of this data it’s vital there are rigorous checks

The Education and Skills Funding Agency launched an investigation this week after the Sunday Times found the LRS had been accessed by data intelligence firm GB Group – whose clients include 32Red and Betfair among other gambling companies.

GB Group used the LRS for age and identity verification services for its clients. But the newspaper claimed one gambling firm had boosted the numbers of young people passing its identity checks by 15 per cent by using the database.

According to the department, the “education training provider” which “wrongly provided access” to the LRS was Trustopia.

But an investigation by sister paper FE Week has found that not only is the firm not registered as a provider – it’s co-founder Ronan Smith was subject to a government investigation in 2017.

His training company later went bust – leaving learners in thousands of pounds of debt.

Urgent probe needed to check DfE criteria

Kevin Courtney, joint general secretary of the NEU, said: “There needs to be an urgent investigation looking at the criteria the DfE uses to grant access to the data and the identities of organisations which already have access.

“Given the hugely sensitive nature of this data it is also vital that there are rigorous checks on any organisations which are granted access.”

Privacy rules state that a young person’s personal information should only be accessed through the LRS by organisations “specifically linked to their education and training”.

The DfE suspended access to the system this week in order to carry out the “necessary checks to ensure data security”. It reopened yesterday (Thursday).

The department said the company had access to the LRS because they registered with a UK Provider Reference Number (UKPRN) on the UK Register of Learning Providers (UKRLP) as an apprenticeship provider.

But our investigation has found Trustopia is not on the government’s approved register of apprenticeship providers. Its “nature of business”, according to Companies house, is “other information technology service activities”.

Smith declined to comment on the breach, but did confirm Trustopia is not a training provider.

Government has ‘failed young people’

A previous investigation by FE Week exposed how any company can gain a UKPRN within 24 hours, simply by providing their limited company number.

A DfE spokesperson would not say why Trustopia was given access to the LRS, or what it used the service for, adding a “full investigation is underway”.

The Information Commissioner’s Officer, the government’s data watchdog, is now “making enquiries”.

Prior to co-founding Trustopia, Smith ran a training company called Edudo. It was investigated by the ESFA in 2017.

The ESFA would not say why, but subsequently terminated the firm’s contracts which were used to deliver courses paid for by a government loan. Smith then transferred Edudo’s assets to a new company called Learning Republic, which went bust.

Hundreds of learners were subsequently left with thousands of pounds in debt – and no qualifications.

The DfE has failed these young people by not performing the relevant due diligence

Smith declared as bankrupt in November 2019.

Juliana Mohamad Noor, from the National Union of Students, said the DfE has “failed these young people by not performing the relevant due diligence” and called for a “full investigation to ensure no more harm is done” to the youngsters involved.

A DfE spokesperson said Trustopia “broke their agreement with us. This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action.”

A GB Group spokesperson said they take the claims “very seriously and, depending on the results of our review, we will take appropriate action”.

Trustopia did not respond to requests for comment.

Schools Week reported in November how the department is already facing action over “wide ranging and serious” data protection breaches. The ICO said there were “clear deficiencies in processing of pupils personal data by the DfE”.