Information Commissioner's Office
Department for Education warned after gambling companies benefit from learning records database
The Information Commissioner’s Office (ICO) has issued a reprimand to the Department for Education (DfE) following the prolonged misuse of the personal information of up to 28 million children.
An ICO investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm, to check whether people opening online gambling accounts were 18.
The DfE has overall responsibility for the learning records service database (LRS), which provides a record of pupil’s qualifications that education providers can access. The ICO found the DfE continued to grant Trustopia access to the database when it advised the Department that it was the new trading name for Edududes Ltd, which had been a training provider.
Trustopia was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18. This data sharing meant the information was not being used for its original purpose. This is against data protection law.
The ICO issued a reprimand to the DfE setting out clear measures they need to action to improve their data protection practices so children’s data is properly looked after.
In June 2022 John Edwards, UK Information Commissioner announced a new approach towards the public sector with the aim to reduce the impact of fines on the public. Had this new trial approach not been in place, the DfE would have been issued with a fine of over £10 million in this specific case.
John Edwards, UK Information Commissioner, recently said:
“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.
“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”
Details of the incident
The ICO started its investigation after receiving a breach report from the DfE about the unauthorised access to the LRS database. The DfE had only become aware of the breach from an expose in a national Sunday newspaper.
The ICO found that the LRS database has personal information of up to 28 million children and young people from the age of 14. The database records full name, data of birth, and gender, with optional fields for email address and nationality. It also records a person’s learning and training achievements. The data is kept for 66 years.
At the time of the breach, 12,600 organisations had access to the LRS database, including schools, colleges, higher education institutions, and other education providers. This is so organisations can verify a number of functions including the academic qualifications of potential students or check if they are eligible for funding.
The ICO found that Trustopia had access to the LRS database from September 2018 to January 2020 and that it had carried out searches on 22,000 learners for age verification purposes. The DfE confirmed that Trustopia has never provided any government-funded educational training.
By granting LRS database access to Trustopia, the DfE failed in its obligations to use and share children’s data fairly, lawfully and transparently. It also failed to prevent unauthorised access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.
The ICO acknowledges that since the incident, the DfE has removed access to the LRS database from 2,600 organisations and has strengthened its registration process. The DfE also regularly checks for excessive searches on the database and proactively de-registers organisations that no longer use it.
The timing of the incident coincided with the ICO serving an assessment notice on the DfE and a compulsory audit. The DfE agreed to include enquiries in relation to the LRS with the audit. The DfE has actively engaged with the ICO since the 2020 audit and continues to take significant steps in improving its data protection practices.
The ICO conducted a simultaneous investigation into Trustopia, during which the company confirmed it no longer had access to the database and the cache of data held in temporary files had been deleted. Trustopia was dissolved before the ICO investigation concluded, therefore regulatory action was not available.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
Update on the ICO’s change of approach to regulating communication service providers03/02/2023 15:10:00
The Information Commissioner’s Office (ICO) published a statement on 20 January 2023 about the obligations of public electronic communications service providers (CSPs) under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR).
New FOI resources to support public authorities03/02/2023 10:25:00
A blog by Deborah Clark, ICO Upstream Regulation Manager
Former RAC employee fined for stealing data of victims of road traffic incidents02/02/2023 12:15:00
A former employee of breakdown services company RAC has plead guilty and been fined for the stealing of data of victims of road traffic accidents.
Using FRT in schools – letter to North Ayrshire Council31/01/2023 12:05:00
We have issued a letter to North Ayrshire Council (NAC) following their use of Facial Recognition Technology (FRT) to manage ‘cashless catering’ in school canteens.
Building better business by responsibly unlocking the value of personal information24/01/2023 12:20:00
Ahead of Data Protection Day, the Information Commissioner’s Office (ICO) is encouraging the UK’s 5,501,000* small-and-medium-sized businesses (SMEs) to check they have the right data protection practices in place to help sustain and develop their businesses.
Change to regulation concerning communication service providers20/01/2023 16:05:00
The Information Commissioner’s Office (ICO) has written to communication service providers (CSPs) about their obligations under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR).
Empowering people to foster trust in tomorrow’s technological advancements20/01/2023 14:05:00
The ICO is encouraging developers to consider privacy at an early stage when implementing new technologies to maintain public trust and confidence.
Blog: Addressing concerns on the use of AI by local authorities19/01/2023 14:10:00
A blog by Stephen Bonner, Deputy Commissioner – Regulatory Supervision