The Department for Education (DfE) has been reprimanded by the UK’s data protection watchdog after it allowed gambling companies to access a database of children’s learning records.
The Information Commissioner’s Office (ICO) said the DfE’s poor due diligence allowed the database of pupils’ learning records meant for use by education providers to be accessed by a firm to check whether those opening online gambling accounts were 18.
An investigation by the data protection regulator found that a database of pupils’ learning records was used by Trust Systems Software UK Ltd, trading as Trustopia, an employment screening firm, to check whether people opening online gambling accounts were 18.
The ICO said that as the information was not being used for its original purpose, it was therefore against data protection law.
The database contains personal information of up to 28 million children and young people from the age of 14, including their full name, date of birth and gender, as well as a record of their learning and training achievements – data which is kept for 66 years.
Information Commissioner John Edwards said the case was so severe that it would warrant a fine of over £10 million.
But under a trial approach towards the public sector introduced earlier this year, the fine is not being issued in order to prevent the public being adversely affected by a major loss of funds to a public sector body.
“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” Mr Edwards said.
“Our investigation found that the processes put in place by the Department for Education were woeful.
“Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.
“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case.
“I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”
Since the incident, the DfE has removed access to the database from 2,600 organisations and has strengthened its registration process, the ICO said.
The ICO said it had also conducted an investigation into Trustopia, during which the company said it no longer has access to the database and it had deleted the cache of data held in temporary files.
But Trustopia was dissolved before the ICO investigation concluded and therefore regulatory action was not available, the regulator said.