Schools

DfE reprimanded after pupil data used by gambling firms

Department criticised over 'serious breach' of data protection law, but avoids £10m fine from information watchdog

Department criticised over 'serious breach' of data protection law, but avoids £10m fine from information watchdog

The Department for Education has been reprimanded over a “serious breach” of data protection law which allowed a firm providing age-verification for gambling companies access to the personal information of millions of young people.

But the department has avoided a fine of over £10 million from the information watchdog, despite a warning over “woeful” data protection practices.

An Information Commissioner’s Office investigation into data shared from the learning record service (LRS) found “prolonged misuse of the personal information of up to 28 million children”.

The LRS holds data on pupils and learners over 14 for 66 years, and is only supposed to be accessed for education purposes.

But the Sunday Times revealed in 2020 that employment screening firm Trustopia had used the data to provide age verification serves to the GB Group, to help gambling companies confirm customers were over 18.

The ICO launched its investigation after it was notified by the DfE, which only became aware of the breach because of the national news story.

Screening firm looked up 22k learners

According to the watchdog, Trustopia had access to the LRS database for over a year from September 2018 to January 2020, and carried out searches on 22,000 learners.

The ICO ruled today that the data was shared “without appropriate control or oversight”, and that the DfE “failed to protect against the unauthorised processing by third parties of data held on the LRS database for reasons other than the provision of educational services”.

Data subjects were also “unaware of the processing and could not object or otherwise withdraw from this processing”. The DfE “failed to process personal data fairly, lawfully and transparently”, breaching the general data protection regulations (GDPR).

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” said information commissioner John Edwards.

“Our investigation found that the processes put in place by the Department for Education were woeful.”

DfE dodges £10m fine for data failures

The ICO said it “considered” issuing a fine of just over £10 million, which would have been “effective, proportionate and dissuasive”.

However, due to a “revised approach” by the ICO to public sector organisations, the watchdog settled for a formal reprimand.

“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case,” said Edwards. But he chose “not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal”.

“But that should not detract from how serious the errors we have highlighted were.”

The DfE had continued to grant Trustopia access to the database after it advised officials it was the new trading name for Edududes Ltd, which had been a training provider.

But Trustopia “was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18”.

“This data sharing meant the information was not being used for its original purpose. This is against data protection law.”

Access revoked for a fifth of organisations

The ICO said that at the time of the breach, 12,600 organisations had access to the LRS database, “including schools, colleges, higher education institutions, and other education providers”.

These organisations get access so they can “verify a number of functions including the academic qualifications of potential students or check if they are eligible for funding”.

Since the incident, the DfE has removed access from 2,600 organisations.

It follows a damning audit of the DfE’s broader data processing activities by the ICO in 2020, which also found the DfE broke data protection laws in how it handled pupil data.

The DfE still hasn’t met its pledge to publish the full audit report, and now also faces potential legal action from data privacy campaign group Defend Digital Me over the way it handles data.

A department spokesperson said: “In January 2020 we became aware that a third party that was granted access to the learner record service for legitimate business was misusing its permission.

“Since then, we have worked closely with the ICO to ensure our oversight of access to data has improved, ensuring that this could not happen again.

“We take the security of data we hold extremely seriously. We will publish a full response to this letter by the end of the year, setting out detailed progress in respect of all the actions identified.”

No regulation for dissolved firm Trustopia

The ICO said today that it had conducted a simultaneous investigation into Trustopia, “during which the company confirmed it no longer had access to the database and the cache of data held in temporary files had been deleted”.

The firm has since been dissolved, meaning regulatory action was “not available”.

It comes after Schools Week’s sister paper FE Week revealed in 2020 that Trustopia co-founder Ronan Smith had previously run a private provider called Edudo, which was investigated by the Education and Skills Funding Agency in 2017.

The agency subsequently terminated the firm’s contracts, which were used to deliver courses funded through advanced learner loans.

Smith then transferred Edudo’s assets to a new company called Learning Republic and went bust. Hundreds of learners were subsequently left thousands of pounds in debt with no qualifications to show for it.

Smith was approached for comment, as was the GB Group.

Latest education roles from

Employability Tutor

Employability Tutor

Capital City College Group

Grounds Person/Arboriculture Instructor

Grounds Person/Arboriculture Instructor

Capel Manor College

Apprentice Gardener

Apprentice Gardener

Capel Manor College

Curriculum Director – Higher Education

Curriculum Director – Higher Education

Shrewsbury Colleges Group

Communications Officer Mat Cover

Communications Officer Mat Cover

Reach Academy Feltham

Director of Business Studies

Director of Business Studies

Reach Academy Feltham

Sponsored posts

Sponsored post

Cutting-edge technology allows students to hold virtual conversations with Holocaust survivors.

Testimony 360, the new programme from the Holocaust Educational Trust uses innovative technology to bring the people and places...

SWAdvertorial
Sponsored post

ASDAN’s digital future: Developing a dynamic, learner-led curriculum to empower learners with diverse needs.

ASDAN’s new CEO, Melissa Farnham, outlines a dynamic future for the charity and awarding organisation aligned to the government’s...

SWAdvertorial
Sponsored post

Safeguarding in schools: staying on top of school monitoring in the new academic year

With the rise in bullying, vaping, and security threats, each school must act to create a secure environment that...

SWAdvertorial
Sponsored post

The September Snapshot: What Back-to-School Questions Should School Leaders Ask Staff?

The start of a new school year is the perfect time to set a clear direction, establish expectations, and...

Victoria

More from this theme

Schools

Council crackdown after school spa day gifts

An internal audit found 'irregularities involving inappropriate use of school funds'

Samantha Booth
Schools

Children’s commissioner orders compulsory survey of schools

Dame Rachel de Souza uses statutory powers to ask schools about their provision and barriers to supporting pupils

Freddie Whittaker
Schools

Paris Olympics 2024: Where did GB medallists go to school?

Privately-educated athletes remain 'significantly over-represented'

Jack Dyson
Schools

‘Children are our future and it’s for them that Tim dedicated his life’ 

Hundreds gather to remember the late Sir Tim Brighouse

Samantha Booth

Your thoughts

Leave a Reply

Your email address will not be published. Required fields are marked *

One comment

  1. Reginald Bowler

    Data leaks, misuse of data and linking of data sets leading to privacy and other concerns can only increase.

    Have a look at the Joseph Rowntree Reform Trust’s “Database State – Full Report”. It’s quite old (23 Mar 2009), but I am quite sure things will have got worse since it was published.