DfE warned after gambling companies benefit from learning records data

The Information Commissioner’s Office has issued a reprimand to the Department for Education following the prolonged misuse of the personal information of up to 28 million children.

An ICO investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trust Systems Software UK (trading as Trustopia), an employment screening firm, to check whether people opening online gambling accounts were 18.

The DfE has overall responsibility for the learning records service database, which provides a record of pupil’s qualifications that education providers can access. The ICO found the DfE continued to grant Trustopia access to the database when it advised the department that it was the new trading name for Edududes Ltd, which had been a training provider.

Trustopia was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18. This data sharing meant the information was not being used for its original purpose and therefore against data protection law.

The ICO issued a reprimand to the DfE setting out clear measures they need to action to improve their data protection practices so children’s data is properly looked after. John Edwards, UK Information Commissioner, said: “No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the DfE were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.”

In June 2022, the Information Commissioner announced a new approach towards the public sector with the aim to reduce the impact of fines on the public. Had this new trial approach not been in place, the DfE would have been issued with a fine of over £10m in this specific case.

“This was a serious breach of the law, and one that would have warranted a £10m fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the DfE.”

    Share Story:


Cyber risk in the transportation industry
The connected nature of the transport and logistics industries makes them an attractive target for hackers, with potentially disruptive and costly consequences. Between June 2020 and June 2021, the transportation industry saw an 186% increase in weekly ransomware attacks. At the same time, regulations and cyber security standards are lacking – creating weak postures across the board. This podcast explores the key risks. Published April 2022.

Political risk: A fresh perspective
CIR’s editor, Deborah Ritchie speaks with head of PCS at Verisk, Tom Johansmeyer about the confluence of political, nat cat and pandemic risks in a world that is becoming an increasingly risky place in which to do business. Published February 2022.