The Learner Records Service Data Breach and ICO audit: a connected chronology
In January 2020, the Sunday Times revealed betting firms’ access to school data on 28 million children from the Learner Records Service (LRS). Coincidentally, at the same time, the Information Commissioner’s Office had already begun a compulsory audit process at the Department for Education (DfE), after our 118-page case bundle had been submitted by our legal team in June 2019. Three years on, the LRS case appears to be closed after the November 2022 ICO reprimand of the DfE with five high-level recommendations.
But setting aside the new ICO public sector approach, what about the commercial companies involved? How did the timing and process of the ICO investigation of the LRS data breach allow the company Directors involved to be able to dissolve their relevant companies, without any enforcement action?
And what has changed at the Department after the arguably much larger investigation, the ICO audit? There is still no available information to enable transparent scrutiny of the DfE actions, or ICO requirements for change or how data subjects rights will be met by when, nor of the audit process itself which has to date, not only not been published in full, but both the ICO and the DfE have actively refused to do so.
Here’s the timeline of events, their context before, and the outcomes so far.
2019
June 2019 Our legal team submitted a comprehensive case in a 118-page bundle to the Information Commissioner’s Office about pupil data practices at the Department for Education with a request that the Commissioner commence a thorough investigation into the concerns raised about the DfE’s processing. It also raised issues about the Alternative Provision Census data, in which a new collection had begun in January 2019 for which there was no data protection impact assessment or any communication to families.
October 2019 The ICO wrote to us more broadly on connected issues as part of their work into our detailed case and other prior joint-complaints against the DfE on nationality pupil data processing. They found wide-ranging and serious data protection issues. It backed our defend digital me findings from our 2018 parents’ survey, that parents and pupils don’t know national pupil databases exist. “This investigation has demonstrated that many parents and pupils are either entirely unaware of the school census and the inclusion of that information in the NPD, or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional. This has raised concerns about the adequacy DfE’s privacy notices and their accountability for the provision of such information to individuals regarding the processing of personal data for which they are ultimately data controllers. “
November 2019 The ICO met with key senior-level data protection professionals at the DfE’s offices in London in November 2019 where the possibilities of a consensual audit were discussed.
December 2019
On 19 December 2019, an ICO Assessment Notice was issued to the Department for Education (DfE).
In parallel and unconnected, a company called GB Group plc had published a website article claiming it has “exclusive access to data that can empower businesses to verify and onboard millennials with confidence,”and that “Since using GBG UK Education Data Set within our ID3global product, a major gambling operator saw a 15% uplift to a 2+2 on customer refers, while a digital currency wallet business saw a 9% uplift.” “The identities of consumers aged 23 to 38 are among the hardest to verify…This creates a challenge for anyone trying to verify their identities because their credit history will be much more limited, or perhaps non-existent. Without credit reference data to draw on, businesses are having a hard time verifying millennials’ identities and turning away potentially good customers.“ The page was live at least between December 11, 2019 and Friday January 10, 2020, after which it was amended, and then taken down. It was coincidental timing with the ICO audit already underway.
2020
January 2020 On January 19, 2020, the Sunday Times reported that, “betting companies have been given access to an educational database containing names, ages and addresses of 28 million children and students in one of the biggest breaches of government data.” It went on, “The Sunday Times has established that GB Group, one of the country’s leading data intelligence companies, had a confidential contract through another company to access the Learning Records Service for age and identity verification services it provides to clients, which include 32Red, Betfair and other gambling companies.” According to the Sunday Times, “The DfE said the government had given access to the database to a London employment screening company called Trust Systems Software (UK), which trades under the name Trustopia. It is investigating whether this firm had in turn provided access to GB Group.” “When confronted with the findings of a Sunday Times investigation, the Department for Education (DfE) disabled the database and referred the breach to the Information Commissioner’s Office, which regulates data protection.“
There were many outstanding questions as Nigel Nelson and Jo Phillips asked on the BBC Papers the day the story broke: “This is an absolutely shocking story”. “You would expect it would only be used for educational purposes.” “Do we know whether these people could get data about disabilities or special educational needs?” “12,000 organisations have access to this database.” “Who are these people, and why?”
[Clip: The BBC Papers late night January 18, 2020, Martine Croxall, Nigel Nelson and Jo Phillips.)
February—March 2020 The ICO audit field work was undertaken at DfE Offices in London, Coventry, and Sheffield between 24 February and 4 March. The DfE agreed to extend the scope of the audit to include the sharing of data contained within the Learning Records Service (LRS) database to assist an ICO investigation following the reported [LRS] data breach.
October 7, 2020 The ICO published the high-level Executive Summary of their audit findings (it has to date, never been published in full), stating that “The Commissioner’s Enforcement team ran a broad range investigation in 2019 following complaints from DefendDigitalMe and Liberty and their concerns around the National Pupil Database (NPD)” […] However, due to the risk and scale, and ages of the data subjects, the audit was made compulsory. (The National Pupil Database is another joined up set of databases of over 23 million named records, like the LRS, and there is an overlap of the individuals in both.)
2021
28 January 2021 The DfE published a limited written response to the audit findings, with a promised further update in June 2021. This update omitted any mention of the repurposing personal data for commercial reuse, or Home Office Hostile Environment aims, or police use. Or anything on timing for when it would address the data protection rights of the people in the NPD like Right-to-Object, Subject Access Requests, or even be told their named data is among the 28 million people’s learner records, or the rest of the DfE’s datasets (that include children at risk and highly sensitive records on abuse for example) and to whom it has been given away and for how long.
4 February 2021 Over a year after the news broke about the LRS data breach, a company connected to some of the Trustopia directors, Trust Systems Software Limited, (registration number 631227 in Ireland) was dissolved. The company’s final director had been the director of 17 other Irish companies at the time of its insolvency and shared a director with its UK registered counterpart.
April 2021 The Schools Minister promised Liberal Democrat MP Daisy Cooper in a parliamentary question that an update on the ICO audit would be published in June 2021, and said that the Department had “undertaken to publish an update to the audit in June 2021 and further details….of the full audit report will be contained in this update.” Later, a statement said it was delayed to the end of July 2021. No update was published. We have asked both the ICO and the DfE to publish the full findings with an accountable timeline by when ICO recommendations or demands will be met. A further commitment to an update was made by the end of 2022, and again, nothing was published.
November 2021 The Department for Education and ICO have both refused FOI requests to publish the full audit findings.
2022
24 May 2022 Twenty-eight months after the news story broke, but only six months before the published outcome of the ICO investigation, Trust Systems Software (UK) Limited Company number 11506793 (trading as Trustopia) was dissolved. Its ‘person with significant control’ was Trust Systems Software Group Limited (company number 11933401), and prior to that (dissolved in February 2021) Trust Systems Software Limited (registration number 631227 in Ireland)).
16 August 2022 Thirty-one months after the news story broke, but just 3 months before the published outcome of the ICO investigation, the same Trust Systems Software Group Limited (company number 11933401) was dissolved. The termination of the appointment of one director had been filed electronically on January 20, 2020 (the day the Sunday Times news story broke) but according to the Companies House filing was dated effective as of 29 November 2019. Two of the Trustopia Directors had remained Directors of this ‘parent’ company, according to the register at Companies House, until the company was dissolved on August 16, 2022.
November 6, 2022 Nearly 3 years (34 months) after the Learner Records Service breach was exposed in the press on January 20, 2020, the ICO announced it had reprimanded the DfE over the incident. “The Information Commissioner’s Office (ICO) has issued a reprimand to the Department for Education (DfE) following the prolonged misuse of the personal information of up to 28 million children. An ICO investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm, to check whether people opening online gambling accounts were 18.”“The DfE confirmed that Trustopia has never provided any government-funded educational training. By granting LRS database access to Trustopia, the DfE failed in its obligations to use and share children’s data fairly, lawfully and transparently. It also failed to prevent unauthorised access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.” Recommendations to the DfE included improving transparency and enabling people to exercise their data rights, that the DfE should review all security processes regularly, updating internal staff information and data protection training, and ensuring a risk assessment is done properly prior to new data processing. But that the ICO would not issue the £10 million fine to the public body that it might have.
December 2022 The Department for Education appears to have been advised not to pursue breach of contract pending the ICO investigation. (See Parliamentary Question UIN 113179, tabled on 19 December 2022)
2023
October 2023
Three years after the ICO published a summary of its audit, the DfE published a response to the audit and the formal reprimand. We have stored a copy here. There has been no change that we can see in the failure the audit identified to inform the data subjects (children and 15 million adults who had left school before the 2012 change of law to commercially re-use pupil records) that their data held in either the Learners Record Service or National Pupil Database or anywhere else controlled by the DfE are no longer only retained in schools or meet the failures found in the 2020 audit, namely:
“The DfE are not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR. There is also some confusion within the DfE and its Executive Agencies about when they are a controller, joint controller or processor and whether as a controller this is at the point of collection or as a recipient of personal data. Equally there is no certainty whether organisations who receive data from the DfE are acting as controllers or processors on their behalf. As a result, there is no clarity as to what information is required to be provided. The DfE are reliant on third parties to provide privacy information on their behalf however, this often results in insufficient information being provided and in some cases none at all which means that the DfE are not fulfilling the first principle of the GDPR, outlined in Article S(l)(a), that data shall be processed lawfully, fairly and in a transparent manner.”
There is no communication suitable for older children and nothing for parents on how to exercise rights to object, correct records that are incorrect, or restrict processing. There is still no opt in or out to any commercial re-use, even those that have been approved by the DfE, never mind where it could be breached and go after its distribution. The DfE still hand out identifying pupil data to third parties about which people themselves have no idea, including an ever growing number of today’s MPs.
Outcomes to date
The Department for Education enabled gambling companies to gain information from learners’ records, and yet 28 million plus people’s identifying records (some of whom were children at the time of collection) –including a sizeable overlap with those in the National Pupil Database–carry on being given away, a decade after it began, three years after this exposure of the abuse of trust of millions of people and parents who entrust it to state education systems only for educational purposes, without any Ministerial accountability.
At defend digital me, we believe such hands-off enforcement for the public sector isn’t enough here. And it’s not about a financial penalty, the ICO need not fine the public sector to enforce the law. The Regulator’s findings identified that the people in the database could not object or withdraw from the processing and that the DfE is failing to uphold their rights. The ICO could therefore have chosen to protect the rights of 9 million children in school immediately, by using its powers to demand the DfE and its thousands of third-party data recipients stop processing until they are compliant. It could use the GDPR 58(2)(f) to impose a temporary or definitive limitation on all of the non-compliant practices, and/or order the DfE to communicate the personal data breach to the data subjects. We welcome the remarks that the DfE should improve, but this reprimand, despite finding practice “woeful” seems to have done little to meet the first of the ICO25 four strategic objectives, safeguarding and empowering people. In its (lack of) monetary penalty approach, the ICO offers no meaningful alternative form of enforcement to secure accountability appropriate to the scale of the breach, and no redress for us, the people affected. Although the ICO claims that this approach is highly effective since the public nor civil society can see what was agreed on by them behind the scenes, there is no evidence for it.
Little has appeared to change. In fact, in 2022 the DfE has continued to appear to demonstrate disregard for the importance of data protection law and has gone ahead with new intrusive projects, without involving the ICO despite claiming to the school sector in February 2022 that the ICO had been consulted on the real-time daily attendance tracking at the national level for every child in school today. Lack of prior consultation and timely DPIAs were among the 2020 audit findings. The ICO engaged in lengthy communications with the DfE about this after we complained, including asking the DfE to stop processing which the DfE refused (see the last 10 pages of the bundle). To date, the DfE appears to have ignored the ICO recommendations made in March 2022.
But back to the LRS breach and the commercial company. The ICO reprimand to the DfE suggests the company carried out unlawful activity.
“Trustopia was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18. This data sharing meant the information was not being used for its original purpose. This is against data protection law.”
“The ICO conducted a simultaneous investigation into Trustopia, during which the company confirmed it no longer had access to the database and the cache of data held in temporary files had been deleted. Trustopia was dissolved before the ICO investigation concluded, therefore regulatory action was not available.”
There are unsettled questions here about the efficacy of regulation and enforcement of the law. How is it that the company owners declared the businesses insolvent only relatively recently before the outcomes of the ICO investigation were announced? This seems a highly unsatisfactory outcome and raises questions of timing and process. Is this to be expected as the norm, that by dissolving the company its Directors can avoid regulatory pursuit, whether this was deliberate or not?
Furthermore, it appears that previously one of the same Directors of Trustopia may have avoided adequate due diligence by the Department for Education in being granted LRS access since he was known to the Department previously as CEO of Edudo Ltd, a company which went into voluntary insolvency in 2017 having received Skills and Funding Agency Loans. FE Week reported on it in 2017. Is there any process to flag prior significant events known to the Department, and would this have met the criteria to spot it?
The ICO found that Trustopia had access to the LRS database from September 2018 to January 2020 and that it had carried out searches on 22,000 learners for age verification purposes. The company Directors appear to have escaped any real scrutiny of the Trustopia data processing about which the ICO statement said was, ‘against data protection law” and they are able to carry on with their other businesses. It appears there are no consequences for actions about which, “regulatory action was not available,” but the ICO statement is suggestive it would have been taken had the companies not been dissolved. Importantly, this lack of outcome means there is no meaningful dissuasive action to discourage other companies from doing similar in future.
The rights of the children and adult learners involved are still, as far as we know, not upheld and there is no route for redress.
Is this really how adequate enforcement action is supposed to work?
References
Background on the Learning Records Service
There were 28,423,345 individuals’ records in the Learning Records Service, according to numbers published by the DfE as of 01/10/2019. The DfE privacy notice for the LRS claims that: “The LRS is accessible by organisations under agreement with the DfE (England). Your personal information is only accessed through the LRS by organisations specifically linked to your education and training, including those organisations specified in Regulations made under section 537A of the Education Act.” But since the majority of people have not heard of the LRS, like the broadcasters in the BBC Papers clip above, they don’t know to look for a privacy notice and so know nothing about it.
ICO Audit (2019-20)
Defenddigitalme key audit findings in a blog (one year after publication, October 2021). https://defenddigitalme.org/2021/10/07/the-ico-audit-of-the-department-for-education-one-year-on/
LRS 2020 breach
Our detailed 2020 response to the LRS breach (gambling companies access) at the time, including 12 specific questions and concerns https://defenddigitalme.org/2020/01/19/comment-on-sunday-times-story-gbg-use-of-national-learner-records. The LRS issues Unique Learner Numbers (ULN) and creates Personal Learning Records across England, Wales, and Northern Ireland, and is operated by the Department for Education (DfE) in England.
LRS Objection and opt out
In the past, everyone used to be able to object to the use of the Learner Record but the DfE appears to have withdrawn it — defend digital me wants every child and family whose data this is, to be able to choose if they agree with its reuse. DfE must restore this opt-out process, and create a route to honour the GDPR right to object with opt-in for commercial re-use to protect privacy by-design-and-default. https://defenddigitalme.org/wp-content/uploads/2018/04/FS07_Factsheet_for_learners__PLR_and_ULN___v3.pdf
Research on what children and parents want — no commercial re-use of pupil records
Research by Professor Sonia Livingstone and Kruakae Pothong (LSE, 2022) shows pupils do not want their school records used by commercial companies https://digitalfuturescommission.org.uk/blog/what-do-children-think-of-edtech-or-know-of-its-data-sharing-read-our-survey-findings/ Our survey of parents in 2018 commissioned via Survation found over 69% had never heard of the National Pupil Database and did not know their children’s data could be passed on by the DfE to companies. https://www.survation.com/1-in-4-parents-dont-know-child-signed-systems-using-personal-data/
What’s next for this case?
The National Pupil Database includes information collected annually at child-level from 23 different data collections. Among others, it includes the Alternative Provision Census. This information includes extremely sensitive information concerning any special educational needs; learning difficulties; social emotional and mental health needs; speech, language and communication needs; physical disability; autistic spectrum disorder; vision impairment; hearing impairment; or other difficulty or disorder. The census also requires the disclosure of matters such as pupils’ pregnancy; mental health or physical health need; permanent exclusion, or the fact that a child has been placed in a young offender institution. We first complained to the ICO and the DfE on this together with a range of supporting organisations, in 2017.
In 2016, in response to our first complaint, the ICO wrongly accepted the DfE position that the Department was not processing personal data. The reply was that, “The DfE confirmed the NPD data is only processed for statistical/research purposes and is never processed to support measures or decisions about particular individuals. It further confirmed the processing does not cause any substantial damage or distress to individuals and that any results of the research/statistics are not made available in a form which identifies data subjects.” In fact, this was not only wrong about DfE releases to commercial third parties, but the DfE had already begun processing individual children’s data by matching names with Home Office records for the purposes of furthering the Hostile Environment and immigration enforcement, in July 2015. In the Autumn of 2016 we exposed this DfE practice and its attempt to cover up the connected purposes of the 2016 expansion of the school census to collect nationality data.
In 2017/18 we submitted complaints to the ICO and the DfE about the Alternative Provision Census expansion together with a range of supporting organisations since highly sensitive new labels were being added to children’s records that would be sent to the National Pupil Database and our research with Local Authorities showed that not one planned to tell families what highly sensitive label would be added at national level as the child’ reason for transfer out of mainstream education into AP, or of their rights, or even allow them to challenge or correct any mistakes — and that the DfE had not carried out any impact assessment prior to starting the processing.
The current ongoing deficiencies include a failure by the DfE to comply with the transparency and notification obligations required by the UK General Data Protection Regulation and Data Protection Act 2018, and Convention 108. The DfE has failed to provide a Privacy Notice to parents and children that reaches them, including all the 15 million who left school before 2012, setting out what information is collected, why it is collected and what is then done with it. Linked to this, the DfE does not appear to have appropriate procedures and safeguards in place in relation to the handling of this information. This should include mechanisms for enabling the right to restrict or object to the processing of the data, a process for inaccurate data to be corrected, know where it has gone for how long, and adequate safeguards and information in relation to the sharing of identifying data with third parties who have included journalists, charities, think tanks, and commercial businesses; even one that created heat maps for estate agents.
We have therefore instructed solicitors at Leigh Day, and barristers at Monckton Chambers. We have sent the Department a detailed 29-page Letter Before Claim setting out the ways in which we consider that the DfE is behaving unlawfully. In the absence of a satisfactory response that addresses the concerns in early 2023, we anticipate issuing formal Court proceedings by making an application for permission to apply for judicial review.
If you want to help us with the legal costs associated with investigating and bringing this legal claim, including the risks of having to pay the DfE’s legal costs if the challenge is unsuccessful, you can help us here https://www.crowdjustice.com/case/labelslastalifetime/ Thank you to all our supporters so far, who have made the long process to get here possible. We’ve still far to go and we hope you’ll stick with us.