
All bets off as children’s data is leaked

Department for Education data leak to betting firms may be start of wider scandal

The way that the Department for Education (DfE) handles sensitive data on children and students needs a thorough independent investigation, experts argue, following revelations that one of its datasets had been used to help betting companies target new customers.

The data scare was flagged in an investigation by The Sunday Times, but IT Pro’s sister title PC Pro revealed it may be the tip of the iceberg amid accusations that the DfE’s systems aren’t fit for purpose. The Sunday Times reported how one of the DfE’s datasets – the 28-million-file-strong Learning Records Service (LRS) – had been used by a company called GBG to help betting firms verify ages. In fact, betting companies did not have access to the data, but GBG allegedly worked with another company, called Trustopia, to check the age of people seeking new accounts.

“As we understand it, GBG was not giving the raw data to betting companies, the betting companies would come to GBG with the new client wanting to be ‘onboarded’ and could, apparently in real-time, do the age and identity verification against the dataset that LRS service was offering,” explained Jen Persson, director of Defenddigitalme, a campaign group seeking transparency in education data.

In parliament, David Davies MP called for a thorough inquiry into the companies that had used the data, while ignoring any potential role played by the DfE. For its part, the DfE has passed the blame squarely onto its partner, which is reported to be employment vetting company Trustopia. Trustopia has not responded to requests for more information and, elsewhere, has denied any wrongdoing.

The DfE is equally unrepentant. “We have not shared any data with GBG,” it told PC Pro in a statement. “An education training provider wrongly provided access to this data and broke their agreement with us. This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them.”

To an extent, the DfE’s position reflects that of Facebook, which blamed app developers such as Cambridge Analytica for misuse of data that Facebook had made available. “I couldn’t find GBG or Trustopia on the LRS list of 12,004 learning providers with access as of January 2020, and that doesn’t include schools,” said Pat Walshe, a data protection expert with Privacy Matters. “It seems to me that the LRS and/or DfE are not ensuring compliance with the various agreements for providers. 

“This begs the question of how did GBG and Trustopia get access to data and a service not intended for use by such organisations?” 

Persson claims that the real scandal is the DfE sharing data with a digital screening company in the first place, something that goes against LRS’s explicit privacy policy of only sharing data with organisations “specifically linked to your education and training”.

“The important point is that the DfE gave this to an employment screening company called Trustopia and if the DfE is now handing out data that is used against people applying for jobs – and of which they have no knowledge – that is severely worrying. It should stop and there should be a full investigation.” 

The Information Commissioner’s Office (ICO) has confirmed receiving a report from the DfE and is investigating, but there is concern that by reporting the incident to the ICO the DfE is deflecting attention. “The DfE shouldn’t be given a pass to be able to push the responsibility and accountability for this off to a company which is an identity screening company,” Persson said. “It actually needs to be part of the investigation.”

More scandals waiting to emerge?

Some experts claim this leak may be the tip of the iceberg, with the DfE sitting on more than 50 datasets similar to the LRS, and which it also shares with various parties without informing parents or children.

The data breach is the second time in a year that DfE’s data giveaway has been under the spotlight, with the department chastised in 2019 for letting the Home Office access files, again not for educational purposes.

“This is the problem with the spiderweb-like set of arrangements at the DfE and its more than 50 datasets,” explained Phil Booth, who works on healthcare data protection campaigns with medConfidential. “We know from research that there are all sorts of access and copies of these datasets, about which most parents and young people would be shocked.” 

He added: “The Home Office, for example, felt it could go digging in these databases, which are supposed to be for educational purposes – only it was caught hunting for immigrants through the data of children in schools. Fortunately, that was stopped.” 
