Is your data use compatible with what you collected it for?

November 2022

Have the ways you use people's data strayed too far from the original purpose(s)?

An ICO reprimand issued to a Government department serves as a welcome reminder to be careful about what we’re using data for, who we’re sharing it with, and what they might use it for.

Is what we’re doing transparent, fair and reasonable? Are the tasks we now use data for still in line with what we originally collected it for?

In this public sector case, the ICO has chosen not to issue a fine, but rather a warning with a requirement to implement specific measures. Commercial businesses are unlikely to face the same leniency.

What went wrong?

The Department for Education (DfE) received a reprimand from the ICO after it came to light a database containing the learning records of up to 28 million children had been used to check whether people who opened online gambling accounts were aged 18 or over.

The ICO investigation criticised the DfE for failing to protect young people’s data from unauthorised processing by third parties, whose purposes were found to be incompatible with the original purposes the data was collected for.

The DfE has overall responsibility for the Learning Records Service (LRS) database, which provides a record of pupil’s qualifications for education providers to access. Its main purpose is to enable schools, colleges, higher education and other education providers to verify data for educational purposes – such as the academic qualifications of potential students, or check if they are eligible for funding. LRS is only supposed to be used for education purposes.

But the DfE also allowed access to LRS to Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm. They in turn offered their services commercially to other companies, including GB Group, which used it to help betting companies screen new online gambling customers to confirm they were 18 or over.

Trustopia had access to the LRS database from September 2018 to January 2020, carrying out searches involving 22,000 learners.

This incident followed an audit of the DfE’s data activities by the ICO in 2020, which also found the DfE broke data protection laws in how it handled pupil data.

What were the failings?

The ICO found against the DfE in two respects:

  1. It failed in its obligations (as data controller) to use and share children’s data fairly, lawfully and transparently. Individuals were unaware of what was happening and could not object or withdraw from the processing. DfE failed to have appropriate oversight to protect against unauthorised processing of personal data held on the LRS database.
  2. It was also found to have failed to ensure confidentiality by failing to prevent unauthorised access to children’s data. The DfE’s lack of oversight and appropriate controls to protect the data enabled it to be used for other purposes, which were not compatible with the provision of educational services.

In its reprimand the ICO set out clear measure the DfE need to action to improve data protection practices and make sure children’s learning records are properly protected.

Since the incident, the DfE has confirmed they have permanently removed Trustopia’s access to the data. In fact, they have removed access from 2,600 organisations.

A spokesperson for DfE said the department takes the security of data we hold “extremely seriously” and confirmed it will publish a full response to the ICO by the end of 2022 giving “detailed progress in respect of all the actions identified”.

Why wasn’t there a massive fine?

In keeping with the ICO’s Regulatory Action Policy, they considered issuing a fine of £10 million. This is the amount considered to be ‘effective, proportionate and dissuasive’. However, the Information Commissioner has chosen not to issue a fine in this case, in line with its revised approach to public sector enforcement, announced in June 2022.

Some may find this surprising, so let’s dig deeper. John Edwards, UK Information Commissioner, said:

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.

“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

So Govt Departments can break the law and not be fined?

Well on the face of it, in the case of data protection, yes! Mr Edwards has confirmed the ICO are trialling a new approach to public sector enforcement which will see more public reprimands without fines, in all but the most serious cases.

In return, the ICO has received a commitment from the Cabinet Office and DCMS to create a cross-Whitehall senior leadership group, to encourage compliance with high data protection standards.

Hmmm… how do we feel about this?

I totally understand issuing a fine to the DfE is, ultimately, a fine against public funds for education. Which means our children could potentially be the ones who would suffer if a hefty fine was imposed. Nobody wins here.

But on the flipside, could this approach significantly weaken the deterrent? Will public sector employees feel motivated enough to go take appropriate steps to comply with data protection laws when there’s little risk of being fined?

After all, the private sector will continue to be fined as appropriate when they’re found to have violated the data laws.

What do you think? We’d love to hear your thoughts at info@dpnetwork.org.uk

A timely reminder?

This case serves as a helpful reminder that we need to take care the personal data we collect and hold as an organisation is not used for purposes which are incompatible with the original purposes.

Due diligence is especially important when the data is shared with other organisations, who might use it for their own purposes.

We must always be clear and transparent about how we use people’s data so they have an opportunity to exercise their right to object, and indeed any other privacy rights.

Ask yourself this key question; ‘Is your data use compatible with what you collected it for?’