Comment on Sunday Times story: Betting Firms use Schools Data
National Pupil Database / January 19, 2020
Tuesday February 11th: Today we received a response to our letter to The Secretary of State for Education, Gavin Williamson, on the LRS breach. It is not very enlightening, nor is there any information regards the enquiry, or their progress on leaving ‘no stone unturned.’ The recent use of the LRS by a data broker, was unauthorised and not sanctioned by the Department for Education. The third party had their access “terminated immediately.” Was that before or after the Sunday Times contacted you Minister, and for how long had the gambling clients of GBG been accessing the database? What audit and oversight procedures are in place, and why did they fail? None of our questions have yet been answered.
Monday Jan 20th updated: Watch David Davis and The Secretary of State for Education, Gavin Williamson, make statements in education questions.
On Sunday January 19, 2020, the Sunday Times reported that, “betting companies have been given access to an educational database containing names, ages and addresses of 28 million children and students in one of the biggest breaches of government data.”
It went on, “The Sunday Times has established that GB Group, one of the country’s leading data intelligence companies, had a confidential contract through another company to access the Learning Records Service for age and identity verification services it provides to clients, which include 32Red, Betfair and other gambling companies.”
“The DfE said the arrangement with betting firms was not approved by officials and that a third party data company was being investigated over providing unauthorised access. In a further twist, DfE officials revealed that about 12,000 organisations had access to the Learning Records Service.”
According to the Sunday Times, “The DfE said the government had given access to the database to a London employment screening company called Trust Systems Software (UK), which trades under the name Trustopia. It is investigating whether this firm had in turn provided access to GB Group.”
“When confronted with the findings of a Sunday Times investigation, the Department for Education (DfE) disabled the database and referred the breach to the Information Commissioner’s Office, which regulates data protection.“
There are many outstanding questions as Nigel Nelson and Jo Phillips asked on the BBC Papers the day the story broke: “This is an absolutely shocking story”. “You would expect it would only be used for educational purposes.” “Do we know whether these people could get data about disabilities or special educational needs?” “12,000 organisations have access to this database.” “Who are these people, and why?”
[Clip: BBC Papers January 18, 2020, Martine Croxall, Nigel Nelson and Jo Phillips.)
Take action if you have concerns
If you are concerned about your own, or your children’s data, we suggest you take action and exercise your rights under data protection law to object and cease processing.
The ICO already wrote to us in October 2019, that as part of their work into our complaint against the DfE national pupil data processing, they found wide ranging and serious data protection issues. That backed our findings from our 2018 parents’ survey, that parents and pupils don’t know national pupil databases exist.
“This investigation has demonstrated that many parents and pupils are either entirely unaware of the school census and the inclusion of that information in the NPD, or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional. This has raised concerns about the adequacy DfE’s privacy notices and their accountability for the provision of such information to individuals regarding the processing of personal data for which they are ultimately data controllers. “
We welcome the commitment by the Secretary of State for a full investigation
The Times also reported that Gavin Williamson, has ordered his department to “leave no stone unturned” in its investigation. We welcome this and will be happy to support him, the Department, and others to do so. We support the call from the former Chair of the DCMS committee, Damien Collins for an enquiry.
A system-wide audit is required of this and all education datasets; collection, distribution, access and processing; as done in 2014 in the NHS to ensure no more surprises.
While this particular misuse appears to be onwards abuse of approved data distribution, the focus must be on Department accountability and systemic processes. These data are collected for learners’ education and nothing else. People don’t know they are in these national databases at all, and it is not what they reasonably expect. The fact the the DfE gave approved access for employment screening at all, before misuse, is a scandal.
Cumulative changes to laws by successive governments up to and including the 2013 changes have enabled the release of individual and named data. We suggest the practice and legislation should be reviewed across the board, including by DCMS Select Committee and the Parliamentary Joint Human Rights Committee for breach of privacy. Vast scope expansion of data items collected since 2002, and to justify their distribution in 2012, has enabled identifiable, personal confidential data about millions of individuals to be released in ways few would reasonably expect.
New law is required to create a rights’ respecting environment in education in England, and level up protections across the UK.
Questions that now need asked of DfE include:
On the Learners Record Service (LRS)
- Why personal confidential data collected for the purposes of education, and under educational purposes in the Education Act 1996 (para 537) are being used for employment screening and what other uses are there?
- Who are these 12,000 LRS users, and how many companies and other third parties have access to or can process learner data, and for what purposes?
- Why are these re-uses not published, for example in the national transparency register of 3rd party data reuse that includes LRS data among the national pupil data of around 350 releases, each of millions of records, each year?
- What oversight and transparency is there of the data access requests and approvals process?
- When will audit be done of this and all education data; collection, distribution, access and processing; as done in NHS data 2014, to ensure no more surprises?
On all education data across the Department
- Why does the Department not adequately track and audit any onward use?
- The Department for Education has distributed millions of children’s identifying data, as well as access to it, thousands of times, since 2012. Such end user misuse was inevitable. The breach of #privacy and misuse of collection purposes sits squarely with the Department for Education — when will policy change to make all access safe settings to approved [trained] researchers only ?
- Why the Department cannot tell a family if their child’s data has gone to which third parties, because, “does not maintain records of the number of children included in historic data extracts“, despite the requirement under data protection law, and why it fails to meet its obligations on Subject Access Requests.
- When will former pupils who provided their personal data before 2010 for the purposes of their own education and who are now older than 19 be informed of the new broader uses of their individual personal data by third parties since 2011?
- Which other government departments have access to learner data and why?
- What costs are incurred to the state of third party reuse of administrative data, across all learning data, not only the National Pupil Database?
- What the Department will do to fix its failings as found by the ICO in 2019, to inform families which data are collected in the school census and of their rights?
We will add to these as more information becomes available. For more general background on national pupil data see our FAQs.
Update January 20, 2020:
We note that the reportedly approved, employment screening firm at the centre of the story that the DfE claims ‘wrongly provided access to this data and broke their agreement’, but which has denied wrongdoing, has taken down its company leadership page since the story broke.
The Sunday Times reported that,
“Ronan Smith, founder of Trustopia, said the firm “placed the highest possible premium” on the correct, lawful and fair handling of data. It denied providing access to the Learning Record Service to GB Group.
The DfE described Trustopia as “an education training provider”. It said: “[The firm] wrongly provided access to this data and broke their agreement with us. This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action.”
Background on GB Group plc use
On Wednesday December 11, 2019, GB Group plc published a website article claiming it has “exclusive access to data that can empower businesses to verify and onboard millennials with confidence,” meaning this ‘middle-man’ company used access to school records to check identities in order to get their new customers onboard, in this specific case for gambling companies, and that “Since using GBG UK Education Data Set within our ID3global product, a major gambling operator saw a 15% uplift to a 2+2 on customer refers, while a digital currency wallet business saw a 9% uplift. “
It was live between December 11, 2019 and Friday January 10, 2020, after which it was amended. We re-publish both versions verbatim, below.
Published: Wednesday December 11, 2019
Millennials are taking longer to reach the ‘traditional’ markers of adulthood, such as buying their first house or car. Some are opting out altogether. As a result, conventional identity verification methods are falling short. GBG’s new, exclusive educational reference data makes it easier to verify and onboard these younger customers.
The identities of consumers aged 23 to 38 are among the hardest to verify. They came of age throughout the financial crash of 2008 and the years of recession and downturn that followed. They entered a tougher job market than their forbearers and face a much more expensive property market.
As such, they’re not necessarily doing things like buying property or borrowing money. This creates a challenge for anyone trying to verify their identities because their credit history will be much more limited, or perhaps non-existent.
Without credit reference data to draw on, businesses are having a hard time verifying millennials’ identities and turning away potentially good customers.
But GBG now has exclusive access to data that can empower businesses to verify and onboard millennials with confidence.
Comprehensive and compliant
The GBG UK Education Data Set is managed and maintained by the UK Government across a number of departments, including the Department for Education and Skills.
It is the most comprehensive education data set available, with over 36 million unique records – including 30% of the UK adult ‘thin profile’ population – and is sourced from recognised education bodies. It includes:
- School entrants in England, Wales, and Northern Ireland at point of entry
- Any GCSE, BTEC and/or A-Level Entrants not captured at entry
- All adults (16 years+) at point of registration for any *Public learning route (with any School, College, Employer, Learning Organisation, Awarding Body, Recognised Professional Body)
- All persons successful in a Home Office immigration process
The data set covers: - Over 32,000 schools (20,000+ primary schools, 4,000+ secondary schools, 2,000+independent schools, 1,200+ special schools, 350+ pupil referral units)
- All vocational, further and higher education institutions 4000+ educational organisations (3000+ vocational education providers, 300+ FE colleges (including sixth form, land based, engineering and specialist providers) and 160+ HE universities)
The GDPR-compliant data is accessible in real-time, refreshed nightly and updated in-line with annual exam results and other key moments in time.
How does it work?
Since 2006, individual Identity and learning achievement data has been recorded against a single unique UK government identifier the ULN.
At age 16 the ULN is stored alongside individual’s national insurance number. It is used to support UCAS applications, upon registration for any learning programme and when seeking to access public funds including job seekers allowances and universal credit.
How effective is it?
Since using GBG UK Education Data Set within our ID3global product, a major gambling operator saw a 15% uplift to a 2+2 on customer refers, while a digital currency wallet business saw a 9% uplift.
GBG General Manager Global Identity Verification Nigel Clark said: “Businesses are already using GBG UK Education Data Set to boost their onboarding rates for younger customers. We’ve seen big successes in terms of onboarding uplifts.
“Traditionally, when we’re using different data sets, the younger demographic may not get matched as well because they might not have so much active credit, or they might not be on the electoral roll, or they might have just come out of student accommodation and there might not be much data available on them. Where that’s the case, organisations who take advantage of this data will be able to easily and confidently overcome that challenge.”
Learn more about verifying millennials with ID3global and GBG UK Education Data Set here.”
The original article content was changed this week. The new content was shorter, still with the publication date of December 11, 2019.
“Published: Wednesday December 11, 2019
Millennials are taking longer to reach the ‘traditional’ markers of adulthood, such as buying their first house or car. Some are opting out altogether. As a result, the identities of consumers aged 23 to 38 are among the hardest to verify.
They came of age throughout the financial crash of 2008 and the years of recession and downturn that followed. They entered a tougher job market than their forbearers and face a much more expensive property market.
As such, they’re not necessarily doing things like buying property or borrowing money, meaning their credit history will be much more limited, or perhaps non-existent.
Without credit reference data to draw on, businesses are having a hard time verifying millennials’ identities and turning away potentially good customers.
But with the GBG UK Education Data Set, businesses can conduct crucial identity verification checks on new customers to comply with identification regulations and prevent consumers accessing services they don’t qualify for, i.e. underage individuals, as well as prevent fraud. They can verify and onboard millennials with confidence.
Comprehensive and compliant
For companies that use a technology platform like GBG to provide identity verification checks, the process is simple, safe and secure. When a consumer enters their information on a website to register for a service, GBG’s technology matches it against data from multiple databases, via secure and encrypted API connections.
A simple ‘Match’ or ‘No Match’ is returned to the company, so they can determine if an account should be opened. The check is conducted when a consumer, accessing a site and registering for a service, asks for it.
The GBG UK Education Data Set verifies against attainment data from the Learning Records Service. This means GBG can validate the information provided by the consumer, to help businesses onboard people who are who they say they are and prevent underage individuals accessing services, as well as prevent fraud.
How effective is it?
Some key regulations have come into force in recent years, in a positive move towards a safer online world. For example, the UK Gambling Commission introduced a new licence condition that requires operators to verify the name, address and date of birth of their customers before allowing them to gamble. Prior to this, there was a window of 72 hours in which an online gambling operator had to complete age verification checks. When we consider that last year the UK Gambling Commission reported that a significantly high number of children are classified as having a gambling problem, the changes are a positive and socially responsible move for the UK gambling industry.
Meeting regulations should be a seamless task for the consumer, and never at the detriment of complying with data and privacy laws. For more information on how GBG can help you verify the identity of your customers, comply with regulations and prevent consumers accessing services not open to them, click here.“
#end of GB Group plc quoted content#
Background on the Learning Records Service
There were 28,423,345 individual’s records in the Learning Records Service, according to numbers published by the DfE as of 01/10/2019.
The DfE privacy notice for the LRS claims that : “The LRS is accessible by organisations under agreement with the DfE (England). Your personal information is only accessed through the LRS by organisations specifically linked to your education and training, including those organisations specified in Regulations made under section 537A of the Education Act.”
Data Protection and legislation
- Education laws that permit data collection and distribution, including the primary legislation, Section 537A of the Education Act 1996 that governs the principles for the provision of information about individual pupils.
- New data protection laws under the UK Data Protection Act 2018 and GDPR became enforceable from May 2018.
- UK Act http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted/data.htm
- GDPR: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en