The data protection watchdog in the UK has rebuked the country’s Department for Education (DfE) over the provision of “improper access” to information for the identification of up to 28 million children. The controversial data was used for conducting age verification checks for gambling operators.
Reportedly, the DfE provided Trustopia, an employment-screening firm, with access to a government database for individuals aged 14 and over, called “Learning Record Service” in the period from 2018 to 2020. However, the Information Commissioner’s Office (ICO) announced that the provision of such identifying information violated data protection legislation.
John Edwards, the information commissioner, described as unacceptable the provision of British pupils’ learning records to gambling operators. He further revealed that the transgression, which he called a “serious breach of the law” would have resulted in a monetary penalty worth £10 million, if the ICO were not reluctant to put additional pressure on the cash flow generated by public sector bodies.
Ten years ago, on November 6th, the then-education secretary Michael Gove announced his decision to permit the Department for Education to share data for multiple purposes it had never allowed by the time. However, according to official audits, the department has failed to meet the legal expectations that were originally unveiled.
An ICO audit that dates back to 2020, found that the DfE had not managed to stay in line with UK data protection laws when it comes to handling the data of millions of underage individuals to third parties. The investigation concluded that the Department had not been proactive in ensuring formal oversight of information governance, risk management and data protection. At the time, the country’s Information Commissioner’s Office made a total of 139 recommendations for the DfE.
Gambling Operators Could Have Taken Advantage of the Sensitive Information, Charity Claims
The ICO reported that the former training provider Trust Systems Software Limited used data provided by the DfE to sell services. The body’s audit found that the data intelligence company GB Group was one of its clients. It used the data to check whether individuals who opened accounts with online gambling operators were 18.
Since the incident in 2020 occurred, the British Department for Education has officially cancelled access to 2,600 of the 12,600 organisations that had been given access to the aforementioned government database. The database in question contains the full name, date of birth, gender and training achievements of British children from the age of 14 and above. Optional fields containing children’s nationality and email address were also present.
The Information Commissioner’s Office found that the Education Department had actually taken actions to address its data protection failures. However, the body ordered the DfE to make further changes in order to improve its information governance, such as training its staff, reviewing internal security, and improving transparency. The Department commented on the recommendations, saying that it took data security extremely seriously and shared that it had collaborated with the ICO to make sure there was an improvement in its oversight of access to sensitive data. It is set to unveil its detailed progress on the recommendations made by the ICO by the end of 2022.
However, despite the promises made by the DfE, earlier in November, Defend Digital Me – a local charity organisation defending children’s rights – said it could file a lawsuit against the Department, arguing that the governmental body had not demonstrated that it was taking appropriate measures to meet the demands unveiled by the ICO. The director of the charity, Jen Persson, criticised the Department for its failure to take responsibility for its role in improperly providing sensitive data to third parties, including gambling companies, that could have taken advantage of the identification information in the database and targeted their services to underage individuals.
- Author