The Department for Education (DfE) has been found responsible for an “unacceptable” breach of data protection laws over betting firms using children’s information on a student database for age-verification checks.
The Information Commissioner’s Office (ICO) said there was “prolonged misuse” of pupil information on a database that holds the details of up to 28 million students. The department failed to prevent “unauthorised access to children’s data” from September 2018 to January 2020. The UK information commissioner, John Edwards, said: “A database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the DfE were woeful.”
The children’s details were on the learning records service (LRS) database, which contains information on young people from the age of 14. It is used by schools and higher education institutions for recording a student’s learning and training achievements. It is operated by the Education and Skills Funding Agency, an executive part of the DfE.
A screening firm, Trust Systems Software UK, trading as Trustopia, was given access to the database and used it for age verification. It offered the service to companies including GB Group, one of the country’s leading data intelligence firms, which helped gambling companies confirm customers were 18 or over.
It enabled betting firms to increase the number of young customers by quick and effective age verification checks against the student database. The checks did not involve divulging data, but broke data protection laws because the information was not being used for its original purpose. The ICO said: “Trustopia had access to the LRS database from September 2018 to January 2020 and carried out searches on 22,000 learners for age verification purposes.
“The DfE confirmed that Trustopia has never provided any government-funded educational training. By granting LRS database access to Trustopia, the DfE failed in its obligations to use and share children’s data fairly, lawfully and transparently. It also failed to prevent unauthorised access to children’s data.” The ICO has issued a reprimand to the DfE, but not a fine, in a revised regulatory approach to reduce the effect of fines on public services. It would have otherwise issued a fine of more than £10m. The ICO said Trust Systems Software UK was dissolved before its investigation was concluded, so regulatory action was not available.
In February 2020, a compulsory ICO audit at the DfE found failures over the management of personal data. It identified a lack of proper controls “to provide assurance that all personal data processing activities are carried out in line with legislative requirements.” A total of 139 recommendations for improvements were found, with more than 60% classified as urgent or high priority.
Jen Persson, director of the advocacy group Defend Digital Me, said “light touch” enforcement had proved ineffective at the DfE. She said: “Ministers are carrying on as if the rules only apply to other people.”
A DfE spokesperson said: “In January 2020 we became aware that a third party that was granted access to the [learning records service] for legitimate business was misusing its permission. Since then, we have worked closely with the ICO to ensure our oversight of access to data has improved.”
GB Group said it had conducted a review of its age verification processes and had not found any data protection breaches.