The Department for Education (DfE) has been reprimanded after it allowed data from 28 million UK schoolchildren to be used by an age verification company to check if users of gambling sites were over 18. Data watchdog the Information Commissioner’s Office (ICO) says this “unlawful” sharing of data was in contravention of data protection law and could have landed the department with a £10m penalty.
An ICO reprimand issued yesterday criticised the DfE for poor due diligence on how data is being shared, culminating in “the prolonged misuse of the personal information of up to 28 million children” by Trust Systems Software (UK), a company trading as Trustopia.
Department for Education data protection processes ‘woeful’
The DfE only escaped a fine of up to £10m because of new processes put in place to ensure government departments were not paying money back into government coffers.
Information commissioner John Edwards said: “No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.”
Edwards added: “This was a serious breach of the law, and one that would have warranted a £10m fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”
How did Trustopia get DfE data?
The incident occurred when Trustopia assumed the trading name of Edududes, an educational training company which had access to the Learning Records Service database (LRS), which is used by education providers to check personal information of candidates for funding awards.
Trustopia notified the DfE that the company no longer needed access to the database, but this access was not terminated. The database was subsequently used by Trustopia, a screening company, as data for the age verification services it offers to organisations including GB Group, which helps gambling companies ensure online users are over 18.
Trustopia had access to the LRS database between September 2018 and January 2020, an ICO investigation found. It carried out searches on 22,000 learners for age verification purposes.
“This data sharing meant the information was not being used for its original purpose. This is against data protection law,” the ICO report says.
The ICO has conducted a simultaneous investigation into Trustopia but has been unable to take any action as the company has since been liquidated. The cache of information used has been destroyed, the watchdog said.
This is the second time in recent months that the DfE has been questioned over its collection and use of data. In September it announced it would be collecting and aggregating attendance data from schools across the UK. Though the government claims this is to help improve attendance records, campaigners have questioned how long the data will be kept on record and how it will be shared with third parties.
The DfE explained to Tech Monitor in a statement: “In January 2020 we became aware that a third party that was granted access to the Learner Record Service for legitimate business was misusing its permission. Since then, we have worked closely with the ICO to ensure our oversight of access to data has improved, ensuring that this could not happen again.
“We take the security of data we hold extremely seriously. We will publish a full response to this letter by the end of the year, setting out detailed progress in respect of all the actions identified,” they said.