ICO: Department for Education Should Have Been Fined £10m

The UK’s Department for Education (DfE) has narrowly avoided a multimillion-pound fine after being found responsible for critical data protection failings, according to the country’s regulator.

The Information Commissioner’s Office (ICO) has formally reprimanded the department after due diligence failings related to the learning records service database (LRS), which provides a record of pupils’ qualifications for education providers to access.

The LRS, which contains data on 28 million pupils from the age of 14, was used by Trust Systems Software UK (trading as Trustopia).

Although it claimed to be the new trading name for training provider Edududes, Trustopia is actually a screening firm that sells its services to gambling companies, among other clients. It used the database to check whether people opening online gambling accounts were 18, according to the ICO.

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” said Information Commissioner John Edwards.

“Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the department was unaware there was even a problem until a national newspaper informed them.”

The LRS is said to store the full names, dates of birth and gender of pupils, with optional fields for email address and nationality. It does so for 66 years.

Trustopia had access to the LRS from September 2018 to January 2020 and carried out age verification searches on 22,000 pupils during that time, the ICO revealed.

The regulator said the department failed in its obligations to use and share children’s data fairly, lawfully and transparently. It also failed to prevent unauthorized access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.

However, the ICO refrained from imposing a fine under a new policy which has seen it work with erring public sector organizations in more constructive ways.

“This was a serious breach of the law, and one that would have warranted a £10m fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal,” said Edwards.

“But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

Last week the ICO decided to cut a £500,000 Cabinet Office fine down to just £50,000 as part of the same policy.
