The Information Commissioner’s Office (ICO) has issued a reprimand to the UK Department for Education (DfE) after poor due diligence and prolonged misuse of the personal information of up to 28 million children. The investigation began after the ICO received a data breach report from the DfE about unauthorised access to the Learning Records Service (LRS) database. The DfE itself had only become aware of this breach after the publication of an exposé in a UK national Sunday newspaper.
The LRS database, which stored personal information of up to 28 million children and young people from the age of 14, included their full name, date of birth, and gender, with optional fields for email address and nationality. It also held a person’s learning and training achievements.
Gambling company access
ICO’s investigation found that Trust Systems Software UK Ltd (an employment screening firm trading as Trustopia) had access to the LRS database, and could use this data to check whether people opening online gambling accounts were 18 or over. The ICO also found that the DfE continued to grant Trustopia access to the records when the company advised the Department that it was the new trading name for Edududes Ltd, which had been a training provider.
John Edwards, UK Information Commissioner, said: “No one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.”
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.”
Data misuse
At the time of the breach, 12,600 organizations had access to the LRS database, including schools, colleges, higher education institutions, and other education providers. Trustopia had access to the database from September 2018 to January 2020, and carried out searches on 22,000 learners for age verification purposes during that time. The DfE also confirmed that Trustopia never provided any government-funded educational training.
By granting LRS database access to Trustopia, the Department for Education failed in its obligations to use and share children’s data fairly, lawfully and transparently. The DfE also failed to prevent unauthorised access to the records, to maintain proper oversight of the data, and to stop the data being used for reasons other than educational services. All of this was contrary to the data protection laws in place during that time.
£10m fine not levied
In June 2022 the ICO announced a new approach for working more effectively with the public sector. The primary aim of this approach was the reduction of the impact of fines on public sector entities along with better engagement and the sharing of good practice. If this new approach had not been in place, the DfE would have been issued with a fine of over £10m ($11.7m).
“This was a serious breach of the law, and one that would have warranted a £10m fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education,” said Edwards.
Since the incident, the DfE has removed access rights to the database from 2,600 organizations and has strengthened the registration process. The Department is conducting regular checks for excessive searches on the database and proactively de-registering organizations that no longer use the service. It is also actively engaged with the ICO in order to improve its data practices.
The ICO also investigated Trustopia. However, by the time the investigation was launched the company could confirm that it no longer had access to the database and that the cache of data it held had been deleted. The company was dissolved before the investigation was concluded and so no additional regulatory action was taken.
DfE’s GDPR failures
The investigation found that the DfE did not comply with the following requirements of the GDPR:
Article 5 (1)(a): ‘lawfulness, fairness and transparency’
The DfE failed to protect against the unauthorised processing by third parties of data held on the LRS database for reasons other than the provision of educational services. Data subjects were unaware of the processing and could not object to or otherwise withdraw from it; therefore the DfE failed to process the data fairly and lawfully in accordance with Article 5 (1)(a).
Article 5 (1)(f): ‘integrity and confidentiality’
“The DfE failed to have appropriate oversight to protect against unauthorised processing of personal data held on the LRS database and has also failed to ensure its confidentiality in accordance with Article 5 (1)(f).”
Source: ico.org.uk/media/action-weve-taken/4022280/dfe-reprimand-20221102.pdf