November 7, 2022 (updated 08 Nov 2022 9:26am)

‘Woeful’ Department for Education criticised after children’s data used by betting companies

Data watchdog warns DfE after information on 28m children was used by a company verifying age on gambling sites

By Claudia Glover

The Department for Education (DfE) has been reprimanded after it allowed data from 28 million UK schoolchildren to be used by an age verification company to check if users of gambling sites were over 18. Data watchdog the Information Commissioner’s Office (ICO) says this “unlawful” sharing of data was in contravention of data protection law and could have landed the department with a £10m penalty.

Department for Education admonished by the ICO for failing to terminate access to database of 28 million children. (Photo by Monkey Business Images/Shutterstock)

An ICO reprimand issued yesterday criticised the DfE for poor due diligence on how data is being shared, culminating in “the prolonged misuse of the personal information of up to 28 million children” by Trust Systems Software (UK), a company trading as Trustopia.

Department for Education data protection processes ‘woeful’

The DfE only escaped a fine of up to £10m because of new processes put in place to ensure government departments were not paying money back into government coffers.

Information commissioner John Edwards said: “No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.”

Edwards added: “This was a serious breach of the law, and one that would have warranted a £10m fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

How did Trustopia get DfE data?

The incident occurred when Trustopia assumed the trading name of Edududes, an educational training company which had access to the Learning Records Service database (LRS), which is used by education providers to check personal information of candidates for funding awards.

Trustopia notified the DfE that the company no longer needed access to the database, but this access was not terminated. The database was subsequently used by Trustopia, a screening company, as data for the age verification services it offers to organisations including GB group, which helps gambling companies ensure online users are over 18.

Trustopia had access to the LRS database between September 2018 and January 2020, an ICO investigation found. It carried out searches on 22,000 learners for age verification purposes.

“This data sharing meant the information was not being used for its original purpose. This is against data protection law,” the ICO report says.

The ICO has conducted a simultaneous investigation into Trustopia but has been unable to take any action as the company has since been liquidated. The cache of information used has been destroyed, the watchdog said.

This is the second time in recent months that the DfE has been questioned over its collection and use of data. In September it announced it would be collecting and aggregating attendance data from schools across the UK. Though the government claims this is to help improve attendance records, campaigners have questioned how long the data will be kept on record and how it will be shared with third parties.

The DfE explained to Tech Monitor in a statement: “In January 2020 we became aware that a third party that was granted access to the Learner Record Service for legitimate business was misusing its permission. Since then, we have worked closely with the ICO to ensure our oversight of access to data has improved, ensuring that this could not happen again.

“We take the security of data we hold extremely seriously. We will publish a full response to this letter by the end of the year, setting out detailed progress in respect of all the actions identified,” they said.
