The UK’s Department for Education (DfE) violated privacy laws so egregiously that, if it were a private company, could have shut it down. It allowed a third-party data company to access private information of teenagers that it distributed to the gambling industry.
For years, the UK’s primary keeper of education records shared data with Edududes, Ltd., a training company. That company transitioned to serve the gambling industry, but the DfE continued to give it access to the data.
The Information Commissioner’s Office (ICO) accuses the government department of a “serious” breach that would, under any other circumstance, be worth £10 million (US$11.45 million). However, since the DfE would have to pay the fine with government money, there isn’t much sense in trying to collect.
Illegal Breach of Policy and Privacy
The DfE is responsible for maintaining the educational records of students. It contains information about the qualifications of as many as 28 million kids as young as 14 years old.
The ICO discovered that the department continued granting access to Edududes after it informed the department it had changed its name to Trustopia. The latter, now out of business, was actually a screening company that used the database to verify age.
It offered its services to companies like ID verification company GB Group. It also helped gambling companies confirm that their customers were over 18. However, since Trustopia wasn’t using the information in the manner for which Edududes had been approved, this violates data protection laws.
It wasn’t until a newspaper reported the chain of activity that the DfE realized what was going on. The ICO discovered that Trustopia had had access to the database between September 2018 and January 2020. It had also conducted searches on 22,000 pupils to verify their age.
12,600 organizations had access to databases at the time of the breach. This included schools, colleges and higher education institutions, as well as other education providers.
Since the news broke, the DfE has removed 2,600 organizations from its database. It also streamlined the registration process in order to better protect individuals’ privacy. It now conducts regular checks for excessive searches and removes entities that no longer access the database.
Too Late For Accountability
Although the ICO won’t fine the DfE, it has ordered some changes. In addition, it also investigated Trustopia, but learned that the company, according to its statement, no longer had access to the database. It added that it had deleted temporary files containing data, but how it used the information before destroying it will never be known.
The regulator stated that Trustopia had been dismantled before the investigation was concluded. As a result, no regulatory action against it was possible.
Privacy in any commercial or government setting has been at the forefront of consumer protection laws in the European Union (EU) for years. The creation of the General Data Protection Regulation (GDPR) was an attempt at offering the highest level of protection possible.
The UK, after its exit from the EU, announced that it wants to establish its own version of the GDPR. It has begun that process, even as it tries to figure out who’s in command, although the major breach at the DfE is a clear indication that even the best-laid plans are useless if there’s a lack of compliance.
The post UK’s Department for Education Gave up Student Data To Gambling Industry appeared first on Casino.org.