On November 2, 2022, the ICO issued a formal reprimand to the UK Department for Education (“DfE”) following an investigation into the sharing of personal data stored on the Learning Records Service (“LRS”), a database for which the DfE has overall responsibility and which provides a record of pupils’ qualifications. The investigation found that the DfE’s poor due diligence meant the LRS database was being used by Trust Systems Software UK Ltd (trading as Trustopia), a third-party screening firm, to check whether people opening online gambling accounts were 18. Trustopia was found to have had access from September 2018 to January 2020, during which it performed over 20,000 searches on children whose personal data was in the LRS database.
The investigation was initiated following a breach report submitted by the DfE regarding the unauthorized access to the LRS database, a breach which the DfE only became aware of following an article in the press. At the time of the incident, over 12,000 organizations had access to the LRS database, including schools, colleges, higher education institutions and other education providers, in order for them to verify information such as academic qualifications. The ICO found the DfE failed to comply with several of its obligations, including by not using and sharing children’s data fairly, lawfully and transparently. It also failed to prevent unauthorized access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.
Following the investigation, the ICO issued the reprimand to the DfE, setting out clear measures it needs to act on to improve its data protection practices. For example, it must take steps to improve transparency around the processing of the LRS database so data subjects are aware and can exercise their rights, and it must review all internal security procedures. The reprimand was issued instead of a fine in accordance with the new approach being taken by the ICO towards the public sector, which aims to reduce the impact of fines on the public. A fine of £10 million would have been issued to the DfE if the ICO were not trialing this new approach with respect to public sector bodies.