Children’s Data Was Used by Gambling Companies in the UK

The Department for Education (DfE) in the UK was warned by the Information Commissioner’s Office (ICO), the country’s independent regulator for data protection and information rights, over misusing the personal information of nearly 30 million children.

ICO Reprimands DfE

On Sunday, the ICO issued a reprimand against the DfE, saying that the DfE misused the personal information of up to 28 million children. The ICO said that the DfE allowed a company called Trust Systems Software UK Ltd, trading as Trustopia, to access the learning records service database (LRS). The screening firm used the access to the LRS to check whether individuals who opened gambling accounts were 18.

“Trustopia was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18,“

reads a statement released by the Information Commissioner’s Office

Leveraging the database, Trustopia was able to help gambling companies confirm whether some customers of gambling operators were old enough. Such age verification services Trustopia offered to GB Group, according to the ICO. In its latest announcement, the ICO warned that this was a breach of the data protection law, considering that the LRS data wasn’t used for its original purpose.

“This data sharing meant the information was not being used for its original purpose. This is against data protection law,“

added the ICO

Misuse of Pupils’ Data

The latest announcement comes after the ICO conducted an investigation that was prompted by a breach report filed by the DfE. However, the DfE understood about the misuse of data after a report from a national Sunday newspaper.

The probe found that data such as full name, date of birth, gender, as well as optional fields including email address and nationality, belonging to up to 28 million children, starting from the age of 14 was accessed without proper authorization. According to the ICO, between September 2018 and January 2020, Trustopia had access to the LRS database. Within that period, the firm screened the data of 22,000 children for age verification purposes.

The LRS database is kept for 66 years, and it is used primarily by schools, colleges or other educational institutions. This enables educational structures to “verify a number of functions including the academic qualifications of potential students or check if they are eligible for funding,” the ICO explained.

Using Children’s Data to Help Gambling Companies Is Unacceptable

John Edwards, UK Information Commissioner, said about the latest incident that gambling companies using children’s data is unacceptable. Moreover, he deemed the DfE’s processes “woeful” and said that the DfE wasn’t aware of the data breach until they were informed by a newspaper.

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable.“

John Edwards, UK Information Commissioner

Edwards acknowledged that this was a significant breach of the data protection law and explained that usually, the penalty in such cases is a £10 million ($11.5 million) fine. He pointed out that the fine wasn’t imposed as “any money paid in fines is returned to government, and so the impact would have been minimal.” Still, the ICO’s reprimand urged the DfE to take meaningful action and protect the data they are in charge of.