The ICO has issued a reprimand to the UK Department for Education, relating to the misuse of personal information of children.
Following an investigation into the use of a database of pupils’ learning records by Trust Systems Software UK Limited, the ICO believes this to be a case of poor diligence on the part of the Department for Education. The verification company, which was trading as Trustopia, used the database of pupil records to screen whether people opening online gambling accounts were 18. The use of this database for age verification meant that the information was not being used for its original purpose, which was a violation of data protection law. This misuse was prolonged and is estimated to have affected up to 28 million children. The ICO has issued a reprimand to the Department for Education as a result, and set out clear actionable measures to be taken to improve their data protection practices so children’s data is properly protected. There was also an investigation into the verification company, which now no longer has access to the database, and has since been dissolved.
The ICO investigation was initiated after the UK Department for Education reported a data breach detailing unauthorised access to the database of learning records.
The Department for Education became aware of the breach through a newspaper report and filed a breach report with the ICO. At the time of this breach there were over 12,000 organisations with access to this database, including Trustopia, which the ICO revealed has had access from September 2018 to January 2020 and has carried out 22,000 searches for age verification purposes within that time frame. Many of the other organisations included schools, colleges, higher education institutions, and other education providers. The main purpose for access to these records is verifying academic qualifications and eligibility for funding. However, according to the Information Commissioner, a database of pupils’ learning records being used to help gambling companies is unacceptable. The ICO found the processes put in place by the Department for Education insufficient.
The Department for Education has since taken steps to improve its data protection practices.
Since the 2020 audit which revealed the faults in the policies and practices of the UK Department for Education, which made their database more susceptible to misuse, the ICO has made recommendations to improve the security of such databases. While a fine was not issued, due to the fact that any money paid would simply be returning to the government, the ICO has highlighted the gravity of errors of this nature, and urged the Department for Education to have these errors addressed urgently. The ICO has acknowledged that since the incident, the Department for Education has revoked access to the database from 2,600 organisations and strengthened its registration process. The Department for Education has also resolved to do regular checks for excessive searches on the database and proactively de-register organisations that no longer use it.