The Department for Education has been issued a reprimand by the UK’s data protection regulator after it was discovered that gambling companies had been permitted access to pupils’ learning records.

The Information Commissioner’s Office has issued the warning following what it called a “prolonged misuse of the personal information of up to 28 million children”.

An inspection found that the DfE had granted Trust Systems Software UK, trading as Trustopia, an employment screening firm, access to the database for age verification purposes in helping gambling companies confirm whether customers were over 18. 

This data sharing, said the ICO, meant the information was not being used for its original purpose, which is against data protection law.

John Edwards, UK Information Commissioner, stated a £10m fine would have been warranted due to the serious nature of the breach, however, any money gained as such “is returned to government, and so the impact would have been minimal,” it was noted.

A reprimand was issued to the DfE setting out clear measures they need to take to improve their data protection practices so children’s data is properly looked after.

The ICO found that the learning records service database has personal information of up to 28 million children and young people from the age of 14. This records full name, data of birth, and gender, with optional fields for email address and nationality, as well as a person’s learning and training achievements. and is kept for 66 years.

At the time of the breach, 12,600 organisations had access to the LRS database, including schools, colleges, higher education institutions, and other education providers.

It was found that Trustopia had access to the LRS database from September 2018 to January 2020 and that searches on 22,000 learners for age verification purposes were undertaken.

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” commented John Edwards, UK Information Commissioner. 

“Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.

“This was a serious breach of the law, and one that would have warranted a £10m fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal.

“But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

Following the incident, the DfE has removed access to the LRS database from 2,600 organisations and is also said to have strengthened its registration process.

Furthermore, the investigation into Trustopia confirmed that the firm no longer had access to the database, with the cache of data held in temporary files having been deleted. Due to Trustopia being dissolved before the ICO probe concluded, regulatory action was not available.