All bets off as children’s data is leaked


The way that the Department for Education (DfE) handles sensitive data on children and students needs a thorough independent investigation, experts argue, following revelations that one of its datasets had been used to help betting companies target new customers.

The data scare was flagged in an investigation by The Sunday Times, but IT Pro’s sister title PC Pro revealed it may be the tip of the iceberg amid accusations that the DfE’s systems aren’t fit for purpose. The Sunday Times reported how one of the DfE’s datasets – the 28-million-file-strong Learning Records Service (LRS) – had been used by a company called GBG to help betting firms verify ages. In fact, betting companies did not have access to the data, but GBG allegedly worked with another company, called Trustopia, to check the age of people seeking new accounts.

“As we understand it, GBG was not giving the raw data to betting companies, the betting companies would come to GBG with the new client wanting to be ‘onboarded’ and could, apparently in real-time, do the age and identity verification against the dataset that LRS service was offering,” explained Jen Persson, director of Defenddigitalme, a campaign group seeking transparency in education data.

In parliament, David Davies MP called for a thorough inquiry into the companies that had used the data, while ignoring any potential role played by the DfE. For its part, the DfE has passed the blame squarely onto its partner, which is reported to be employment vetting company Trustopia. Trustopia has not responded to requests for more information and, elsewhere, has denied any wrongdoing.

The DfE is equally unrepentant. “We have not shared any data with GBG,” it told PC Pro in a statement. “An education training provider wrongly provided access to this data and broke their agreement with us. This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them.”

To an extent, the DfE’s position reflects that of Facebook, which blamed app developers such as Cambridge Analytica for misuse of data that Facebook had made available. “I couldn’t find GBG or Trustopia on the LRS list of 12,004 learning providers with access as of January 2020, and that doesn’t include schools,” said Pat Walshe, a data protection expert with Privacy Matters. “It seems to me that the LRS and/or DfE are not ensuring compliance with the various agreements for providers.

“This begs the question of how did GBG and Trustopia get access to data and a service not intended for use by such organisations?”

Persson claims that the real scandal is the DfE sharing data with a digital screening company in the first place, something that goes against LRS’s explicit privacy policy of only sharing data with organisations “specifically linked to your education and training”.

“The important point is that the DfE gave this to an employment screening company called Trustopia and if the DfE is now handing out data that is used against people applying for jobs – and of which they have no knowledge – that is severely worrying. It should stop and there should be a full investigation.”

The Information Commissioner’s Office (ICO) has confirmed receiving a report from the DfE and is investigating, but there is concern that by reporting the incident to the ICO the DfE is deflecting attention. “The DfE shouldn’t be given a pass to be able to push the responsibility and accountability for this off to a company which is an identity screening company,” Persson said. “It actually needs to be part of the investigation.”

More scandals waiting to emerge?

Some experts claim this leak may be the tip of the iceberg: the DfE is sitting on more than 50 datasets similar to the LRS, which it also shares with various parties without informing parents or children.

The data breach is the second time in a year that the DfE’s data giveaway has been under the spotlight, with the department chastised in 2019 for letting the Home Office access files, again not for educational purposes.

“This is the problem with the spiderweb-like set of arrangements at the DfE and its more than 50 datasets,” explained Phil Booth, who works on healthcare data protection campaigns with medConfidential. “We know from research that there are all sorts of access and copies of these datasets, about which most parents and young people would be shocked.”

He added: “The Home Office, for example, felt it could go digging in these databases, which are supposed to be for educational purposes – only it was caught hunting for immigrants through the data of children in schools. Fortunately, that was stopped.”

Keumars Afifi-Sabet
