The Department for Education has been reprimanded by the UK’s information watchdog for a “woeful” data breach that helped gambling companies use information from children’s learning records.
The ”serious breach of the law” would have warranted a £10 million fine, information commissioner John Edwards said today.
However, the Information Commissioner’s Office (ICO) decided to withhold the fine as the money would simply have been returned to central government.
The DfE has overall responsibility for the learning records database, which contains up to 28 million pupils’ qualifications from the age of 14 as well as their full name, date of birth and gender, with optional fields for email address and nationality - information that is kept for 66 years.
The ICO found that the DfE continued to grant a firm, trading as Trustopia, access to the database after it told the department it had changed its name from Edududes Ltd, which had been a training provider.
Trustopia was in fact a screening company and used the database for age verification, a service it offered to companies including GB Group, which helped gambling companies confirm customers were over 18.
This data-sharing meant the information was not being used for its original purpose, which is against data protection law.
Mr Edwards said: “No one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.”
The DfE was unaware of the problem until it was alerted by a national newspaper, he added.
The ICO found that Trustopia had access to the database from September 2018 to January 2020 and that it had carried out searches on 22,000 learners for age verification purposes.
At the time of the breach, 12,600 organisations had access to the LRS database, including schools, colleges, higher-education institutions and other education providers.
This is so that organisations can verify the academic qualifications of potential students, or check if they are eligible for funding.
Since the incident, the DfE has removed access to the database for 2,600 organisations and strengthened its registration process, the ICO said.
The DfE also regularly checks for excessive searches on the database and proactively de-registers organisations that no longer use it.
The ICO has set out clear measures for the DfE to improve its data protection practices so that children’s data is properly looked after.
The ICO said it had also conducted an investigation into Trustopia, during which the company said it no longer has access to the database and it had deleted the cache of data held in temporary files. But the regulator said that Trustopia was dissolved before the investigation concluded and therefore regulatory action was not available.
The DfE has been contacted for comment.
