‘Woeful’ DfE Blamed As Betting Firms Gain Access To Children’s Data
The Department for Education (DfE) has been held accountable for an "unacceptable" violation of data protection laws after betting companies used information on a student database for age-verification checks. The Information Commissioner’s Office (ICO) stated that there had been "lengthy misuse" of pupil information on the database, which contains the details of up to 28 million students. According to the ICO, from September 2018 until January 2020, the department did not prevent "unauthorized access to the children’s data." John Edwards, the UK’s information commissioner, stated that "It is unacceptable for a database of students’ learning records to be utilized to aid gambling businesses. Our investigation found that the DfE’s procedures were poor."
The student information was on the learning records service (LRS), which contains data on young people as young as 14, and is used by schools and higher education institutions to record student learning and training achievements. The Education and Skills Funding Agency, an executive part of the DfE, operates it. Trust Systems Software UK, trading as Trustopia, a screening firm that had access to the database, utilized it for age verification and offered the service to firms like GB Group, one of the UK’s leading data intelligence companies, which aided gambling companies in verifying that their clients were 18 or over.
This enabled betting companies to attract more young consumers by promptly and effectively verifying their age using the student database. Although this did not involve divulging data, it infringed on data protection laws since the information was not being used for its original purpose. Trustopia had access to the LRS database from September 2018 to January 2020 and searched 22,000 students for age verification purposes. The DfE verified that Trustopia had never provided any government-funded educational training. Granting LRS database access to Trustopia, according to the ICO, meant that the DfE failed to utilize and share children’s data equitably, lawfully, and transparently while also failing to prevent unauthorized access to children’s data.
The ICO did not impose a fine on the DfE, opting instead for a reprimand, as a revised regulatory approach aimed to minimize the impact of fines on public services. It would have otherwise imposed a fine of more than £10 million. Trust Systems Software UK dissolved before the ICO’s investigation was complete, so regulatory action was not available. A mandatory ICO audit of the DfE conducted in February 2020 found that the management of personal data was flawed, with a lack of proper controls for ensuring that all personal data processing activities were conducted in accordance with legislative requirements, among other shortcomings.
Jen Persson, director of the advocacy organization Defend Digital Me, stated that "light touch" enforcement had been ineffective at the DfE, with ministers acting as if the rules apply only to other people. A DfE spokesperson claimed that following the department’s discovery that a third party granted access to the learning records service was misusing its permission, the department has worked closely with the ICO to enhance its oversight of data access. GB Group conducted a review of its age verification procedures and did not uncover any data protection breaches.
