The UK government is facing urgent questions after it was revealed that betting companies were given access to a Department for Education (DfE) database containing personal information on 28 million children.
Known as the Learning Record Service, the database stores information on students in England, Wales and Northern Ireland choosing to take post-14 qualifications like GCSEs.
However, according to a report in The Sunday Times, a data intelligence firm known as GB Group was able to sign an agreement with a third-party company to access the data. GB Group’s clients include gambling firms such as Betfair and 32Red, which apparently used the data for age and ID verification on their websites.
The third party, Trust Systems Software (Trustopia), denies providing database access to GB Group. Both GB Group and the DfE are investigating the reports, with the latter having reportedly disabled access to the data trove and informed privacy watchdog the ICO.
“This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action,” a spokesperson told the paper.
The children’s commissioner for England, Anne Longfield, reportedly said she was “very shocked to learn that data has been handed over in this way.”
Although the information used by the betting firms appears to have been limited, it covers a huge number of children, so the incident could well lead to a significant GDPR investigation by the ICO.
“This is not just a security breach, but a breach of trust, where there is an expectation of fair, lawful and transparent uses of the data by everyone who has access to it — which in this case has not happened,” argued KnowBe4 security awareness advocate, Javvad Malik.
“In all of this, the responsibility sits squarely with the Department for Education, which has collected vast amounts of children's data for nearly a decade with apparently little oversight.”
infosecurity Group / Author Phil Muncaster