Department for Education warned after gambling companies benefit from learning records database

The Information Commissioner's Office has issued a reprimand to the Department for Education for breaching the UK General Data Protection Regulation (GDPR) following the misuse of the personal information of up to 28 million children.

The information watchdog said that the Government department avoided a fine of £10 million for the breach following the implementation of a new fine-averse policy for public bodies in June of last year.

The investigation found that "poor due diligence" meant a database of pupils' learning records was ultimately used by an employment screening firm to check whether people opening online gambling accounts were 18.

The DfE has overall responsibility for the learning records service database (LRS), which provides a record of a pupil's qualifications that education providers can access.

The circumstances meant that the DfE did not comply with the requirements of Article 5 (1)(a) ('lawfulness, fairness and transparency') and Article 5 (1)(f) ('integrity and confidentiality') of the UK GDPR.

The reprimand letter states that the DfE breached Article 5 (1)(a) because it "failed to protect against the unauthorised processing by third parties of data held on the LRS database for reasons other than the provision of educational services. Data subjects were unaware of the processing and could not object or otherwise withdraw from this processing therefore the DfE failed to process the data fairly and lawfully".

It adds that contrary to Article 5 (1)(f), the DfE "failed to have appropriate oversight to protect against unauthorised processing of personal data held on the LRS database and has also failed to ensure its confidentiality".

John Edwards, UK Information Commissioner, said the investigation found that the processes put in place by the DfE "were woeful".

"Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them", he continued.

In the wake of the investigation and its findings, the DfE has permanently revoked the third party's access to the LRS database.

It has also been told to implement the following five measures to improve its compliance with UK GDPR:

  1. The DfE must take steps to improve transparency around the processing of the LRS database so 'Data Subjects' are aware and are able to exercise their Data Subject rights in order to satisfy the requirements of Article 5 (1)(a) of the UK GDPR.
  2. The DfE should continue to review all internal security procedures on a regular basis to identify any additional preventative measures that can be implemented.
  3. The DfE should ensure all relevant staff are made aware of any changes to processes as a result of this incident by effective communication and by providing clear guidance.
  4. In order to improve compliance with Article 36 of the UK GDPR (prior consultation) and Article 35 of the UK GDPR (Data Protection Impact Assessment, DPIA), when processing personal data that is likely to result in a high risk to individuals, the DfE should complete a thorough and detailed Data Protection Impact Assessment (DPIA), which adequately assesses the risk posed by that processing.
  5. The DfE should continue to ensure sufficient data protection training is provided to all staff.

Mr Edwards added: "This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education."

Commenting on the reprimand, a spokesperson for the Department for Education said: "In January 2020 we became aware that a third party that was granted access to the Learner Record Service for legitimate business was misusing its permission. Since then, we have worked closely with the ICO to ensure our oversight of access to data has improved, ensuring that this could not happen again.

"We take the security of data we hold extremely seriously. We will publish a full response to this letter by the end of the year, setting out detailed progress in respect of all the actions identified."

Adam Carey