UK’s Department for Education Gave Student Data to Gambling Industry

Posted on: November 7, 2022, 06:24h. 

Last updated on: November 9, 2022, 01:22h.

The UK’s Department for Education (DfE) violated privacy laws so egregiously that it could have been shut down if it were a private company. It allowed a third-party data company to access the private information of teenagers that was then distributed to the gambling industry.

Department for Education
A sign for the Department of Education adorns the government agency’s office. A data company allegedly shared information about students as young as 14 with gambling-related companies. (Image: European Pressphoto Agency)

For years, the UK’s primary keeper of education records shared data with Edududes, Ltd., a training company. That company transitioned to serve the gambling industry, but the DfE continued to give it access to the data.

The Information Commissioner’s Office (ICO) accuses the government department of a “serious” breach. Under any other circumstance, that would be worth £10 million (US$11.45 million). Since the DfE would have to pay the fine with government money, there isn’t much sense in trying to collect.

The DfE is responsible for maintaining the educational records of students. It contains information about the qualifications of as many as 28 million kids as young as 14.

Illegal Breach of Policy and Privacy

The ICO discovered that the department continued granting access to Edududes after it informed the department it had changed its name to Trustopia. The latter, now out of business, was actually a screening company that used the database to verify age.

It offered its services to companies like ID verification firm GB Group. It also helped gambling companies confirm that their customers were over 18. Since Trustopia wasn’t using the information in the manner for which Edududes had been approved, it violated data protection laws.

It wasn’t until a newspaper reported the activity chain that the DfE realized what was happening. The ICO discovered that Trustopia had access to the database between September 2018 and January 2020. During that time, it conducted searches on 22K pupils to verify their ages.

Nearly 12,600 organizations had access to the databases at the time of the breach, including schools, colleges, and higher education institutions.

Since the news broke, the DfE has removed 2,600 organizations from its database. It also streamlined the registration process to protect individuals’ privacy better. It now conducts regular checks for excessive searches and removes entities that no longer access the database.

Too Late for Accountability

Although the ICO won’t fine the DfE, it has ordered some changes. ICO also investigated Trustopia but learned that the company no longer had access to the database, according to its statement. Trustopia said it deleted temporary files containing data. But how it used the information before destroying it will never be known.

The regulator stated that Trustopia had been dismantled before the investigation was concluded. As a result, no regulatory action against it was possible.

Privacy in any commercial or government setting has been at the forefront of consumer protection laws for years in the European Union (EU). The creation of the General Data Protection Regulation (GDPR) was an attempt to offer the highest level of protection possible.

After its exit from the EU, the UK announced that it wants to establish its own version of the GDPR. It has begun that process even as it tries to figure out who’s in command.