UK government data breach for millions of children ruled unlawful

The UK’s data protection regulator has reprimanded the Department for Education for giving improper access to identifying information on up to 28mn children, which was used to conduct age verification checks for gambling companies.

The DfE gave an employment screening company trading as Trustopia access to a government database on children aged 14 and over known as the Learning Records Service between 2018 and 2020, in breach of data protection law, the Information Commissioner’s Office found in a report published on Sunday.

“No one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable”, said John Edwards, information commissioner. He described the department’s processes concerning data access at the time as “woeful”.

The “serious breach of the law” would have resulted in a £10mn fine were it not for the ICO’s reluctance to put pressure on the cash flow of public sector bodies, Edwards said.

Sunday marks ten years since then-education secretary Michael Gove announced he would allow the DfE to share data for a wider variety of purposes than previously. But the department has since fallen short of legal expectations, according to official audits.

In 2020 an ICO audit found the DfE had failed to comply with data protection rules in handling the data of millions of children, concluding it had “no formal proactive oversight” of information governance, data protection and risk management. It made 139 recommendations for the department to improve.

The employment screening company Trust Systems Software Limited, a former training provider, used DfE data to sell services, the ICO said on Friday. One of its clients was the data intelligence company GB Group, which used the data to check whether people opening online gambling accounts were 18, the ICO said. GB Group declined to comment.

Since the incident in 2020, the education department has revoked access to 2,600 of the 12,600 organisations who had access to the database. It records the full name, date of birth, gender and training achievements of children from the age of 14, with optional fields for email address and nationality.

While the ICO recognised the DfE had acted to address its failings on data protection, it required the department to make further changes to improve its information governance. They included reviewing internal security, training staff, and improving transparency so families understood how their data would be used.

The DfE said the department took data security “extremely seriously” and had worked closely with the ICO to ensure oversight of access to data was improved. It will set out detailed progress on the ICO’s recommendations by the end of the year.

But children’s rights charity Defend Digital Me this month threatened legal action against the DfE, arguing that the department had not shown it was taking appropriate action to meet the ICO’s demands.

Director Jen Persson said the government had “failed to take responsibility for its role in recklessly commercialising” data.

“Families entrust our children’s security to schools to get an education, but the government has turned a generation of learners’ records into a product without our permission, and with no thought for the price we might pay in identity theft, risk of use for blackmail, stalking, or giving or selling access on to further third parties like gambling companies,” she said.

Persson also raised concerns about the DfE pushing ahead with a new daily attendance tracker. It was introduced this year to collect more comprehensive and up-to-date information about when children are in school, despite the ICO voicing concerns about its risk assessments.

The DfE said it had “taken all action required under data protection laws in relation to the pilot, and voluntarily engaged with the ICO to . . . take any action to address the limited areas where concerns were raised”.

Former directors of Trustopia could not be reached for comment.