Department for Education reprimanded over ‘woeful’ betting firms data breach

The Information Commissioner’s Office said the DfE had allowed gambling firms access to a database of children’s learning records.

Martyn Landi
Sunday 06 November 2022 00:01 GMT
A child using a laptop computer (PA)

The Department for Education (DfE) has been reprimanded by the UK’s data protection watchdog after it allowed gambling companies to access a database of children’s learning records.

The Information Commissioner’s Office (ICO) said the DfE’s poor due diligence allowed the database of pupils’ learning records, meant for use by education providers, to be accessed by a firm to check whether those opening online gambling accounts were 18.

An investigation by the data protection regulator found that a database of pupils’ learning records was used by Trust Systems Software UK Ltd, trading as Trustopia, an employment screening firm, to check whether people opening online gambling accounts were 18.

The ICO said that because the information was not being used for its original purpose, this use was against data protection law.

The database contains personal information of up to 28 million children and young people from the age of 14, including their full name, date of birth and gender, as well as a record of their learning and training achievements – data which is kept for 66 years.

Information Commissioner John Edwards said the case was so severe that it would warrant a fine of over £10 million.

But under a trial approach towards the public sector introduced earlier this year, the fine is not being issued in order to prevent the public being adversely affected by a major loss of funds to a public sector body.

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” Mr Edwards said.

“Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.

“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case.

“I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

Since the incident, the DfE has removed access to the database from 2,600 organisations and has strengthened its registration process, the ICO said.

The ICO said it had also conducted an investigation into Trustopia, during which the company said it no longer has access to the database and it had deleted the cache of data held in temporary files.

But Trustopia was dissolved before the ICO investigation concluded and therefore regulatory action was not available, the regulator said.
