The DofE allowed employee screening firm Trustopia to access the pupils’ learnings records. The company then shared the data with a verification services business, GB Group, which partners with betting companies to ensure that customers are 18 or over when they open their account. This meant that the data was not being used for its original purpose – in violation of data protection laws.
“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable,” said UK Information Commissioner John Edwards. “Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.”
Trustopia was dissolved before the conclusion of the ICO investigation, meaning that enforcement action against it was not available.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.”
Edwards warned that the failure was serious enough to warrant a large financial penalty – but did not impose it in this set of circumstances.
“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”
In October 2021, the ICO voiced its support for efforts to develop a single customer view, that would allow gaming businesses to collaborate and share data on individuals customer spend.