The Department of Education (DfE) has been found responsible for an “unacceptable” breach of data protection laws that allowed children’s information in a student database to be used for gambling companies’ age checks.
The Information Commissioner’s Office (ICO) said there had been “long-term misuse” of student information in a database containing the details of up to 28 million students. The department failed to prevent “unauthorized access to children’s data” from September 2018 to January 2020. UK Information Commissioner John Edwards said: “A database of student learning data used to help gambling businesses is unacceptable. Our investigation found that the processes instituted by the DfE were pitiful.”
The children’s data were included in the Learning Records Service (LRS) database, which contains information on young people from 14 years of age. This database is used by schools and higher education institutions to record a student’s learning and training performance. It is administered by the Education and Skills Funding Agency, an executive branch of the DfE.
A screening company, Trust Systems Software UK, trading as Trustopia, accessed the database and used it for age verification. It provided the service to companies, including GB Group, one of the country’s leading data intelligence agencies, which helped gambling companies confirm that customers were 18 years of age or older.
This enabled gambling companies to increase their number of young customers through fast and effective age checks against the student database. The checks did not disclose any data, but they violated data protection laws because the information was not used for its original purpose. The ICO said: “Trustopia had access to the LRS database from September 2018 to January 2020 and conducted searches of 22,000 students for age verification purposes.
“The DfE confirmed that Trustopia has never provided any government funded training. By granting the LRS database access to Trustopia, the DfE has breached its obligations to use and share children’s data fairly, lawfully and transparently. Nor could it prevent unauthorized access to children’s data.” The ICO has issued the DfE with a reprimand rather than a fine, under a revised regulatory approach intended to reduce the impact of fines on public services. The DfE would otherwise have been fined more than £10 million. The ICO said Trust Systems Software UK was disbanded before the investigation was completed, so regulatory action against it was not available.
In February 2020, a mandatory ICO audit at the DfE found errors in the management of personal data. It identified a lack of proper controls “to provide assurance that all personal data processing activities are carried out in accordance with legal requirements.” A total of 139 recommendations for improvements were made, of which more than 60% were classified as urgent or high priority.
Jen Persson, director of the advocacy group Defend Digital Me, said “light touch” enforcement had not proved effective at the DfE. She said: “Ministers act as if the rules only apply to other people.”
A DfE spokesperson said: “In January 2020, we were informed that a third party gaining access to the [learning records service] abused his consent for legitimate business. Since then, we have worked closely with the ICO to ensure that our oversight of data access has improved.”
GB Group said it had reviewed its age verification processes and found no data breaches.