The way that the Department for Education (DfE) handles sensitive data on children and students needs a thorough independent investigation, experts argue, following revelations that one of its datasets had been used to help betting companies target new customers.
The data scare was flagged in an investigation by The Sunday Times, but IT Pro’s sister title PC Pro revealed it may be the tip of the iceberg amid accusations that the DfE’s systems aren’t fit for purpose. The Sunday Times reported how one of the DfE’s datasets – the 28-million-file strong Learning Records Service (LRS) – had been used by a company called GBG to help betting firms verify ages. In fact, betting companies did not have access to the data, but GBG allegedly worked with another company, called Trustopia, to check the age of people seeking new accounts.
“As we understand it, GBG was not giving the raw data to betting companies, the betting companies would come to GBG with the new client wanting to be ‘onboarded’ and could, apparently in real-time, do the age and identity verification against the dataset that LRS service was offering,” explained Jen Persson, director of Defenddigitalme, a campaign group seeking transparency in education data.
In parliament, David Davies MP called for a thorough inquiry into the companies that had used the data, while ignoring any potential role played by the DfE. For its part, the DfE has passed the blame squarely onto its partner, which is reported to be employment vetting company Trustopia. Trustopia has not responded to requests for more information and, elsewhere, has denied any wrongdoing.
The DfE is equally unrepentant. “We have not shared any data with GBG,” it told PC Pro in a statement. “An education training provider wrongly provided access to this data and broke their agreement with us. This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them.”
To an extent, the DfE’s position reflects that of Facebook, which blamed app developers such as Cambridge Analytica for misuse of data that Facebook had made available. “I couldn’t find GBG or Trustopia on the LRS list of 12,004 learning providers with access as of January 2020, and that doesn’t include schools,” said Pat Walshe, a data protection expert with Privacy Matters. “It seems to me that the LRS and/or DfE are not ensuring compliance with the various agreements for providers.
General Data Protection Regulation (GDPR) GDPR for small businesses: What it means for you What is the Information Commissioner’s Office (ICO)? Liberty claims government data-sharing deals lead to rights violations
“This begs the question of how did GBG and Trustopia get access to data and a service not intended for use by such organisations?”
Persson claims that the real scandal is the DfE sharing data with a digital screening company in the first place, something that goes against LRS’s explicit privacy policy of only sharing data with organisations “specifically linked to your education and training”.
“The important point is that the DfE gave this to an employment screening company called Trustopia and if the DfE is now handing out data that is used against people applying for jobs – and of which they have no knowledge – that is severely worrying. It should stop and there should be a full investigation.”
The Information Commissioner’s Office (ICO) has confirmed receiving a report from the DfE and is investigating, but there is concern that by reporting the incident to the ICO the DfE is deflecting attention. “The DfE shouldn’t be given a pass to be able to push the responsibility and accountability for this off to a company which is an identity screening company,” Persson said. “It actually needs to be part of the investigation.”
More scandals waiting to emerge?
Some experts claim this leak may be the tip of the iceberg, with the DfE sitting on more than 50 datasets similar to the LRS, and which it also shares with various parties without informing parents or children.
The data breach is the second time in a year that DfE’s data giveaway has been under the spotlight, with the department chastised in 2019 for letting the Home Office access files, again not for educational purposes.
“This is the problem with the spiderweb-like set of arrangements at the DfE and its more than 50 datasets,” explained Phil Booth, who works on healthcare data protection campaigns with medConfidential. “We know from research that there are all sorts of access and copies of these datasets, about which most parents and young people would be shocked.”
He added: “The Home Office, for example, felt it could go digging in these databases, which are supposed to be for educational purposes – only it was caught hunting for immigrants through the data of children in schools. Fortunately, that was stopped.”
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
PyPI attack: Targeting of repository 'shows no sign of stopping'News Greater collaboration and understanding of attackers’ tactics is key to mitigating open source security threats
-
Capita's handling of cyber attack shows companies still fail at breach reportingAnalysis Capita initially told customers there was “no evidence” of data having been compromised in the March cyber attack
-
Malware being pushed to businesses by search engines remains a pervasive threatNews High-profile malvertising campaigns in recent months have surged
-
There's only one way to avoid credential stuffing attacksOpinion PayPal accounts were breached last year due to a credential stuffing attack, but can PayPal avoid taking responsibility?
-
Five things to consider before choosing an MFA solutionIn-depth Because we all should move on from using “password” as a password
-
Cyber security suffers from a communication problemNews Negative language around ‘human failures’ is eroding trust between security teams and broader business functions - it has to stop
-
Does LastPass really deserve a last chance?Opinion After several disastrous security incidents and a communications breakdown, it’s time to leave LastPass for pastures new
-
What is the spell-jacking vulnerability and how can your business avoid exposing data?
In-depth Spell-jacking vulnerabilities are threatening to unwittingly leak data to third parties, undermining any drive to protect privacy
