DfE reprimanded after pupil data used by gambling firms

Department criticised over 'serious breach' of data protection law, but avoids £10m fine from information watchdog

The Department for Education has been reprimanded over a “serious breach” of data protection law which allowed a firm providing age-verification for gambling companies access to the personal information of millions of young people.

But the department has avoided a fine of over £10 million from the information watchdog, despite a warning over “woeful” data protection practices.

An Information Commissioner’s Office investigation into data shared from the learning record service (LRS) found “prolonged misuse of the personal information of up to 28 million children”.

The LRS holds data on pupils and learners over 14 for 66 years, and is only supposed to be accessed for education purposes.

But the Sunday Times revealed in 2020 that employment screening firm Trustopia had used the data to provide age verification services to the GB Group, to help gambling companies confirm customers were over 18.

The ICO launched its investigation after it was notified by the DfE, which only became aware of the breach because of the national news story.

Screening firm looked up 22k learners

According to the watchdog, Trustopia had access to the LRS database for over a year from September 2018 to January 2020, and carried out searches on 22,000 learners.

The ICO ruled today that the data was shared “without appropriate control or oversight”, and that the DfE “failed to protect against the unauthorised processing by third parties of data held on the LRS database for reasons other than the provision of educational services”.

Data subjects were also “unaware of the processing and could not object or otherwise withdraw from this processing”. The DfE “failed to process personal data fairly, lawfully and transparently”, breaching the general data protection regulations (GDPR).

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” said information commissioner John Edwards.

“Our investigation found that the processes put in place by the Department for Education were woeful.”

DfE dodges £10m fine for data failures

The ICO said it “considered” issuing a fine of just over £10 million, which would have been “effective, proportionate and dissuasive”.

However, due to a “revised approach” by the ICO to public sector organisations, the watchdog settled for a formal reprimand.

“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case,” said Edwards. But he chose “not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal”.

“But that should not detract from how serious the errors we have highlighted were.”

The DfE had continued to grant Trustopia access to the database after it advised officials it was the new trading name for Edududes Ltd, which had been a training provider.

But Trustopia “was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18”.

“This data sharing meant the information was not being used for its original purpose. This is against data protection law.”

Access revoked for a fifth of organisations

The ICO said that at the time of the breach, 12,600 organisations had access to the LRS database, “including schools, colleges, higher education institutions, and other education providers”.

These organisations get access so they can “verify a number of functions including the academic qualifications of potential students or check if they are eligible for funding”.

Since the incident, the DfE has removed access from 2,600 organisations.

It follows a damning audit of the DfE’s broader data processing activities by the ICO in 2020, which also found the DfE broke data protection laws in how it handled pupil data.

The DfE still hasn’t met its pledge to publish the full audit report, and now also faces potential legal action from data privacy campaign group Defend Digital Me over the way it handles data.

A department spokesperson said: “In January 2020 we became aware that a third party that was granted access to the learner record service for legitimate business was misusing its permission.

“Since then, we have worked closely with the ICO to ensure our oversight of access to data has improved, ensuring that this could not happen again.

“We take the security of data we hold extremely seriously. We will publish a full response to this letter by the end of the year, setting out detailed progress in respect of all the actions identified.”

No regulation for dissolved firm Trustopia

The ICO said today that it had conducted a simultaneous investigation into Trustopia, “during which the company confirmed it no longer had access to the database and the cache of data held in temporary files had been deleted”.

The firm has since been dissolved, meaning regulatory action was “not available”.

It comes after Schools Week’s sister paper FE Week revealed in 2020 that Trustopia co-founder Ronan Smith had previously run a private provider called Edudo, which was investigated by the Education and Skills Funding Agency in 2017.

The agency subsequently terminated the firm’s contracts, which were used to deliver courses funded through advanced learner loans.

Smith then transferred Edudo’s assets to a new company called Learning Republic and went bust. Hundreds of learners were subsequently left thousands of pounds in debt with no qualifications to show for it.

Smith was approached for comment, as was the GB Group.

One comment

  1. Reginald Bowler

    Data leaks, misuse of data and linking of data sets leading to privacy and other concerns can only increase.

    Have a look at the Joseph Rowntree Reform Trust’s “Database State – Full Report”. It’s quite old (23 Mar 2009), but I am quite sure things will have got worse since it was published.