The Information Commissioner’s Office (ICO) has issued a reprimand to the Department for Education (DfE) following the prolonged misuse of the personal information of up to 28 million children.
An ICO investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trust Systems Software UK (trading as Trustopia), an employment screening firm, to check whether people opening online gambling accounts were 18.
The DfE has overall responsibility for the Learning Records Service database (LRS), which provides a record of a pupils’ qualifications along with name, date of birth and gender, that education providers can access.
The ICO found the DfE continued to grant Trustopia access to the database when it advised the department that it was the new trading name for Edududes, which had been a training provider.
Trustopia was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18. This data sharing meant the information was not being used for its original purpose, which is against data protection law.
Department's failure
The company had access to the LRS database from September 2018 to January 2020 and that it had carried out searches on 22,000 learners for age verification purposes. This amounted to the DfE failing to prevent unauthorised access to children’s data, maintain proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.
In addition, the department confirmed that Trustopia has never provided any government funded educational training.
The ICO issued the reprimand to the DfE setting out clear measures it needs to take to improve its data protection practices so children’s data is properly looked after.
The department has now removed access to the LRS database from 2,600 of the 12,600 organisations that were able to use it and has strengthened its registration process.
In June of this year UK Information Commissioner John Edwards announced a new approach towards the public sector to reduce the impact of fines on the public. Had this new trial approach not been in place, the DfE would have been issued with a fine of over £10 million in this specific case.
Unacceptable
Edwards commented: “No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable.
“Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.
“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case.
“I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”