A watchdog has reprimanded the Department for Education (DfE) over a business using the personal information of up to 28 million children to check whether people opening online gambling accounts were 18.
The Information Commissioner’s Office (ICO) found that the DfE’s database of pupils’ learning records was used by Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm.
The DfE has charge of the learning records service database (LRS), which provides a record of pupil’s qualifications that education providers can access. The ICO found the DfE let Trustopia access to the database when it told the Department that it was the new trading name for Edududes Ltd, which had been a training provider.
Trustopia was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18. This sharing meant the information was not being used for its original purpose; against data protection law.
The ICO issued a reprimand rather than any fine as punishment because in June John Edwards, UK Information Commissioner announced a new approach towards the public sector with the aim to reduce the impact of fines on the public. Had this new trial approach not been in place, the DfE would have been issued with a fine of over £10m, the ICO said.
John Edwards said: “No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.
“This was a serious breach of the law, and one that would have warranted a £10m fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”
The DfE sent a breach report to the ICO – only after an expose in a national Sunday newspaper. The ICO found that Trustopia had access to the LRS database from September 2018 to January 2020 and that it had carried out searches on 22,000 learners for age verification purposes. The DfE confirmed that Trustopia has never provided any government-funded educational training. The DfE has removed access to the LRS database from 2,600 organisations.
The ICO also investigated Trustopia; the company confirmed it no longer had access to the database and the cache of data held in temporary files had been deleted. Trustopia was dissolved before the ICO investigation ended.
Meanwhile the ICO has agreed to reduce the £500,000 Monetary Penalty Notice (MPN), the fine imposed on the Cabinet Office in 2021 after a data breach to £50,000, which the Cabinet Office has agreed to pay.
The UK Information Commissioner issued the fine in November 2021, after a 2019 data breach, when the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list.
