The UK Data Protection Authority has slammed the Department of Education for improperly granting access to identifying information on up to 28 million children, which was used to conduct age verification checks for gambling companies.
The DfE granted an employment screening company operating under the name Trustopia access to a government database of children aged 14 and over, known as the Learning Records Service, in breach of data protection law between 2018 and 2020, the Information Commissioner’s Office said in a statement released on Sunday report fixed .
“Nobody needs convincing that a database of student learning records used to help gambling companies is unacceptable,” said John Edwards, Information Commissioner. He described the department’s data access processes at the time as “deplorable.”
The “serious breach of the law” would have resulted in a £10million fine had the ICO not been reluctant to put pressure on public bodies’ cash flow, Edwards said.
On Sunday it was ten years since then-Education Secretary Michael Gove announced he would allow the DfE to share data for a wider variety of purposes than before. However, according to official audits, the department has fallen short of legal expectations.
In 2020, an ICO audit found that the DfE had failed to comply with data protection regulations when handling the data of millions of children and concluded that there was “no formal proactive oversight” over information governance, privacy and the had risk management. There were 139 recommendations for the department for improvement.
Employment auditing firm Trust Systems Software Limited, a former training provider, used DfE data to sell services, the ICO said on Friday. One of its clients was data intelligence firm GB Group, which used the data to verify that people opening online gambling accounts were 18, the ICO said. The GB group declined to comment.
Since the 2020 incident, the Department of Education has withdrawn access from 2,600 of the 12,600 organizations that had access to the database. The full name, date of birth, gender and educational achievement of children aged 14 and over are recorded, with optional fields for email address and nationality.
While the ICO acknowledged that the DfE had taken steps to address its privacy deficiencies, it urged the department to make further changes to improve its information governance. This included reviewing internal security, training staff and increasing transparency so families understand how their data is being used.
The DfE said the department takes data security “extremely seriously” and has worked closely with the ICO to ensure oversight of data access is enhanced. It will detail progress on the ICO’s recommendations by the end of the year.
But child rights organization Defend Digital Me this month threatened legal action against the DfE, arguing that the department had failed to show it was taking adequate action to comply with the ICO’s demands.
Director Jen Persson said the government has failed to take responsibility for its role in the ruthless commercialization of data.
“Families trust schools to keep our children safe to get an education, but the government has turned a generation of student records into a product without our permission, and without considering the price we could pay for identity theft, the risk using it for extortion, stalking, or giving or selling access to other third parties such as gambling companies,” she said.
Persson also raised concerns about the DfE pushing a new daily attendance tracker. It was launched this year to collect more comprehensive and up-to-date information on when children are in school, although the ICO has raised concerns about its risk assessments.
The DfE said it has “taken all action required under data protection laws in relation to the pilot and has voluntarily partnered with the ICO to . . . Take action to address the limited areas where concerns have been raised”.
Former Trustopia directors could not be reached for comment.