- The DfE allowed a screening company to use the LRS database for age verification
- UK gambling operators use the database to verify whether customers are of legal age
- The DfE was formally reprimanded by the ICO but escaped a £10M fine
The Department for Education (DfE) has been reprimanded for breaching data protection laws which had resulted in gambling companies gaining access to children’s information for age-verification checks.
According to the Information Commissioner’s Office (ICO), there was prolonged misuse of student data on the learning records service (LRS) which the DfE has overall responsibility for.
Student Records Illegally Accessed by Gambling Operators
The LRS database holds academic records of UK students. It is being operated by the Education and Skills Funding Agency, which is part of the DfE. The database can only be accessed by education providers in the country, but the ICO found that it had been illegally accessed by gambling operators to help them determine whether new customers creating online gambling accounts were aged 18.
That happened because the DfE wrongly granted LRS access to “Trustopia”, a screening firm that offered age-verification services to companies, such as the GB Group, a leading data intelligence firm that helps gambling operators verify whether customers are of legal age. The LRS database contains personal details of up to 28 million pupils and children from the age of 14.
Trustopia was dissolved before the ICO carried out its investigation. The DfE also confirmed that the company never provided any educational training. The misuse of information went on for more than a year, from September 2018 to January 2020. During that period, Trustopia conducted searches on 22,000 students for age verification.
The ICO said the unauthorized access constitutes a breach of data protection laws as information was not used for its original purpose. The UK’s data watchdog issued a reprimand to the DfE for the “serious breach of law”, but decided not to impose a massive fine which could have amounted to £10 million as it would have a “minimal effect” given that the money would have been returned to the government.
However, UK Information Commissioner John Edwards said that must not detract from the fact that the DfE committed a serious violation and should address the mistakes they made. Edwards said the LRS database being used to help gambling firms combat gambling issues was “unacceptable”, and what made it worse was that the DfE was unaware of the problem until a Sunday newspaper made an exposé about it.
Since the breach was uncovered, the DfE has taken steps to ensure children’s information and records are protected. It has since barred around 2,600 organizations from accessing the LRS database.