The Department of Education (DfE) has been found liable for an “unacceptable” breach of data protection laws regarding betting companies using information about children in a student database to verify age.

The Information Commissioner’s Office (ICO) said there had been a ‘prolonged misuse’ of student information in a database containing details of up to 28 million students. The department failed to prevent ‘unauthorized access to children’s data’ from September 2018 to January 2020. UK Information Commissioner John Edwards said: ‘A database of child records student learning used to help gaming companies is unacceptable Our investigation revealed that the processes put in place by the DfE were dismal.

Details of the children were in the Learning Records Service (LRS) database, which contains information on young people from the age of 14. It is used by schools and higher education institutions to record a student’s learning and training achievements. It is managed by the Education and Skills Funding Agency, an executive part of the DfE.

A filtering company, Trust Systems Software UK, trading as Trustopia, gained access to the database and used it for age verification. It offered the service to companies such as GB Group, one of the country’s leading data intelligence firms, which helped gambling companies confirm that customers were 18 or older.

It has enabled betting companies to increase the number of young customers through fast and efficient age checks against the student database. The checks did not involve the disclosure of data, but violated data protection laws because the information was not used for its original purpose. The ICO said: “Trustopia accessed the LRS database from September 2018 to January 2020 and searched 22,000 learners for age verification purposes.

“The DfE confirmed that Trustopia had never provided government-funded educational training. By granting access to the LRS database to Trustopia, the DfE failed in its obligations to use and share children’s data in a fair, legal and transparent way. It also failed to prevent unauthorized access to children’s data. The ICO issued a reprimand to the DfE, but not a fine, in a revised regulatory approach aimed at reducing the effect of fines on utilities. Otherwise, he would have been fined over £10million. The ICO said Trust Systems Software UK was dissolved before it completed its investigation, so no regulatory action was available.

In February 2020, a mandatory ICO audit at the DfE revealed failures in the handling of personal data. It identified a lack of appropriate controls “to provide assurance that all personal data processing activities are carried out in accordance with legislative requirements”. A total of 139 recommendations for improvement were found, with more than 60% categorized as urgent or high priority.

Jen Persson, director of advocacy group Defend Digital Me, said the “lightweight” app had proven ineffective at the DfE. She said: ‘Ministers act as if the rules only apply to other people.

A DfE spokesperson said: “In January 2020 we learned that a third party who had been granted access to the [learning records service] for legitimate business was abusing his permission. Since then, we have worked closely with the ICO to ensure that our data access monitoring has improved.

GB Group said it conducted a review of its age verification processes and found no data protection breaches.