7th November 2022
DfE Reprimanded After it Allows Gambling Companies to Access Database of Children's Records
Department for Education reprimanded over ‘woeful’ betting firms data breach
The Information Commissioner’s Office (ICO) said the DfE had allowed the database of pupils’ learning records to be accessed by a firm to check whether those opening online gambling accounts were 18. Following an investigation, the ICO revealed that a database of pupils’ learning records was used by Trust Systems Software UK Ltd, trading as Trustopia, an employment screening firm, to confirm the age of people who opened gambling accounts.
As the information was not being used for its original purpose, the ICO has ruled that it contravenes data protection law.
The DfE database contains personal information of up to 28 million children and young people from the age of 14, including their full name, date of birth and gender, as well as a record of their learning and training achievements.
£10 Million fine
Information Commissioner John Edwards said the case was so severe that it would warrant a fine of over £10 million. However, the fine is not being issued in order to prevent the public from being adversely affected by a major loss of funds to a public sector body.
Mr Edwards said; “No one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them. We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children."
Since the incident, the DfE has removed access to the database from 2,600 organisations and has strengthened its registration process.
The ICO said it had also conducted an investigation into Trustopia, during which the company said it no longer has access to the database and it had deleted the cache of data held in temporary files.
But Trustopia was dissolved before the ICO investigation concluded and therefore regulatory action was not available, the regulator said.