DfE gave gambling firms access to children's data

Companies used data on 22,000 children for age verification.

Companies like 32Red and Betfair were able to use the information through their partnership with screening company Trust Systems Software UK


The UK's Information Commissioner's Office (ICO) has rebuked the Department for Education (DfE) for granting gambling companies access to identifying data on millions of children, which they used to conduct age verification checks.

The details were located in the learning records service (LRS) database, which contains the full names, dates of birth, genders and other details for up to 28 million children and young people.

Schools and higher education institutions use the database - run by the Education and Skills Funding Agency, an executive division of the DfE - to track students' progress in learning and training.

According to the ICO, the DfE gave access to the database to a screening company, Trust Systems Software UK, which used it for age verification.

The company, which conducted business under the name Trustopia, provided the service to businesses like data intelligence company GB Group. The firm used the information for age verification on behalf of customers like 32Red, Betfair and other gambling companies.

Trustopia had access to the LRS database from September 2018 to January 2020, and conducted searches on 22,000 children and teenagers to confirm their ages.

Despite the fact that no data was disclosed during the checks, the ICO claimed that the use of the data for purposes other than those intended violated data protection laws.

"Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them," said Information Commissioner John Edwards.

Edwards said that if the DfE had been operating in the private sector, he would have fined it £10 million for a "serious breach of the law". He decided against doing so in this case because the money would simply return to the Government, and thus have "minimal" impact.

"I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education."

Since the ICO's statement, the Department for Education has removed 2,600 of the 22,000 organisations that had access to the database.

It has also strengthened its registration procedure.

The ICO has mandated additional changes for the DfE to enhance its information governance, including staff training, a review of internal security, and increased transparency.

Trustopia went out of business before the inquiry was completed, so the regulator was unable to take any regulatory action against the company.

Computing says:

Edwards' claims about the money returning to government are true, but don't tell the whole story. The net amount of money in the public sector would stay the same, but the DfE would still see a significant hit to its budget, which would serve as a punishment and warning - which is of course the point of a fine.

If public sector firms see this as a precedent, which it undoubtedly is, what incentive do they have to obey data protection laws?