The Department for Education (DfE) has been given a reprimand but escaped a £10m regulatory fine for a data breach that saw a database of personal information held on 28 million people misused by a third-party organisation over a “prolonged” period between September 2018 and January 2020.
The Learning Records Service (LRS) database contains the full name, date of birth, gender, and learning and training achievements of 28 million people from the age of 14 upwards, as well as email addresses and nationality in some cases.
It is kept for 66 years – meaning that at the time of the breach it could have contained data on pupils who were at school in the early 1950s – and is used by more than 12,600 organisations, mostly educational providers, to verify various functions such as the academic qualifications of prospective students, or funding eligibility.
The DfE gave access to the LRS to Trust Systems Software UK, which traded as Trustopia, an employment screening firm, which proceeded to use the database to build an age verification service that was offered to online gambling companies to confirm that their customers were aged over 18.
Under data protection law, this constituted a breach because the data was not being used for its original purpose.
“No one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” said information commissioner John Edwards. “Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.”
The Information Commissioner’s Office (ICO) began an investigation after the DfE notified it of unauthorised access to the LRS database, thanks to an exposé in a Sunday newspaper. The investigation found Trustopia had unfettered access to the data from September 2018 to January 2020, in which time it conducted searches on 22,000 learners. The DfE further confirmed that Trustopia had never provided any government-funded educational training.
The ICO said it found that the DfE had continued to grant Trustopia access to the LRS database after the company had advised it that it was the new trading name for a training provider called Edududes.
The ICO ruled that through its actions, the DfE failed in its duty to use and share children’s data “fairly, lawfully and transparently”, failed to prevent unauthorised access to it, failed to have proper oversight of it, and failed to stop it being used for reasons incompatible with educational purposes.
It did, however, acknowledge that the DfE has since strengthened its procedures over who has access to the LRS database, revoking access for more than 2,600 organisations and improving the registration process. It has also now started to conduct checks for “excessive” searches against the data, and is proactively de-registering organisations that are not using it. It said the DfE had proactively engaged with the ICO during an audit, and was improving its overall data protection approach.
A simultaneous probe of Trustopia found that it no longer had access to the database and had deleted the cache of data it held in temporary files. However, since the organisation was dissolved via compulsory strike-off in May 2022, it has not been possible to hold its directors accountable.
The DfE has escaped a fine of £10m under a new ICO commitment to scale back fines on public sector organisations in particular. The basis for this new arrangement – which is being trialled over a two-year period – is that levying fines on the public sector does not impact shareholders or directors in the same way that it would in the private sector, siphons money away from the provision of public services, and effectively punishes the taxpayer, not the perpetrators, in a data breach.
“This was a serious breach of the law, and one that would have warranted a £10m fine in this specific case,” said Edwards.
“I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”
Last week, on the same basis, the ICO said it was reducing a £500,000 fine imposed on the Cabinet Office over the 2019/20 New Year Honours data breach to £50,000.
This incident saw a file published on the Gov.uk website containing the names and unredacted addresses of 1,000 of the honourees. It was accessed nearly 4,000 times during a period of two hours and 21 minutes, before being taken down.
“The ICO is a pragmatic, proportionate and effective regulator, focusing on making a difference to people’s lives,” said Edwards.
“While I consider the original fine was proportionate in all the circumstances of this case due to the potential impact on the people affected by the breach, I recognise the current economic pressures public bodies are facing, and the fact that, in certain cases, fines may be less critical in achieving deterrence.”