November 27, 2022
General Data Protection Regulation (GDPR) , Geo Focus: The United Kingdom , Geo-Specific Office Reprimands Department, Says Fine Would Have Been Over 10 Million Pounds Akshaya Asokan (asokan_akshaya) • November 7, 2022     The U.K. data watchdog reprimanded a government agency for allowing the unauthorized use of a database containing school records of teenagers…

General Data Protection Regulation (GDPR) , Geo Focus: The United Kingdom , Geo-Specific

Office Reprimands Department, Says Fine Would Have Been Over 10 Million Pounds Akshaya Asokan (asokan_akshaya) • November 7, 2022    

The U.K. data watchdog reprimanded a government agency for allowing the unauthorized use of a database containing school records of teenagers by a firm verifying the age of online gamblers.

See Also: OnDemand | API Protection – The Strategy of Protecting Your APIs

The Information Commissioner’s Office says the Department for Education violated the data protection law when it allowed screening company Trustopia to use the database for age verification purposes.

An investigation provoked by revelations over Trustopia’s access published by The Sunday Times in 2020 revealed that the department had granted 12,600 organizations access to the national Learning Records Service database. That number is now shorter by 2,600 and no longer includes Trustopia, the ICO announced Sunday.

The Learning Records Service contains students’ unique 10-digit numbers and tracks the learning records and qualifications of students from the age of 14. It holds the personal information of up to 28 million children and young people.

The reprimand does not include a fine, given a policy instituted in June excusing government agencies from monetary penalties on the grounds that fines create reduced services for citizens.

Without that policy in place, a fine of slightly more than 10 million pounds would have been appropriate, said Information Commissioner John Edwards.

The office says the Department for Education has strengthened the registration process for accessing the Learning Records Service but could do more to improve its transparency.

A departmental spokesperson said in a statement that it worked closely with the commissioner’s office to ensure that misuse of the database doesn’t reoccur. “We take the security of data we hold extremely seriously,” the spokesperson said, vowing a fuller response in the coming months.

In 2020, then-Secretary of State for Education Gavin Williamson told Parliament that the incident occurred because “an education training organisation, in breach of its agreement with us, wrongly provided information on learners.”

The commissioner’s office said Trustopia dissolved during the course of the investigation, so regulatory action against it isn’t possible.

Source