Body

The UK’s data watchdog wants to hand the Department for Education (DfE) a £10m fine for allowing the personal information of up to 28m children and young people from the age of 14 to be used to benefit gambling companies.

Revelations of the database being used by gambling firms came to light in a report in the Sunday Times in 2020, which said data intelligence firm GB Group (GBG), one of the country's leading age verification providers, had a "confidential contract" through another company to access the Learning Records Service (LRS) database — a list of personal data for all UK students.

A DfE spokesperson said after it became aware that a third party was granted access to the LRS in 2020 it has “worked closely with the ICO to ensure our oversight of access to data has improved, ensuring that this could not happen again”.

“We take the security of data we hold extremely seriously. We will publish a full response to this letter by the end of the year, setting out detailed progress in respect of all the actions identified,” the DfE told VIXIO GamblingCompliance.

The Information Commissioner’s Office (ICO) wrote a letter to the DfE on November 2 informing it of its reprimand and advising that it only avoided a fine for several General Data Protection Regulation (GDPR) breaches as a result of a two-year trial of a revised approach to public sector enforcement announced in June 2022.

The government department would have been fined £10m if it had been a private company, the ICO said.

John Edwards, UK information commissioner, said “no-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable”.

“Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them,” Edwards said.

Edwards called the instance a “serious breach of the law” and added just because the ICO did not issue a fine, it should “not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing” by the DfE.

Details of the investigation were made public on November 6.

The investigation uncovered the DfE’s “poor due diligence” in allowing a database of pupils’ learning records to be used by Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm, to check whether people opening online gambling accounts were 18.

The ICO advised the DfE in 2020 to halt Trustopia’s access; however, it began accessing the LSR again under the name Edududes Ltd.

This sensitive data was used by companies, including GBG, to help gambling companies confirm customers were over 18.

“This data sharing meant the information was not being used for its original purpose. This is against data protection law,” according to the ICO.

A spokesperson for GBG said it was aware that the ICO has issued its report into the historic use of data between the DfE and Trustopia.

“GBG is not and has never been under investigation by the ICO or any other regulator or government body in relation to this. GBG proactively completed an internal review in early 2020 on becoming aware of this issue and did not discover any non-compliance with applicable data protection laws as a result,” GBG told VIXIO.

An investigation was also launched by the ICO into Trustopia; however, the company was dissolved before it could be concluded, meaning it avoided any regulatory action.

The LSR database records include full name, data of birth and gender, with optional fields for email address and nationality. It also records a person’s learning and training achievements. The data is kept for 66 years, according to the ICO.

Since the investigation, the DfE has removed access to the LRS from 2,600 organisations.