January 31, 2023

Volume XIII, Number 31


January 30, 2023


The Information Commissioner’s Office Issues UK Department for Education with Formal Reprimand

On November 2, 2022, the ICO issued the UK Department for Education (“DfE”) a formal reprimand following an investigation into the sharing of personal data stored on the Learning Records Service (“LRS”), a database for which the DfE has overall responsibility and which provides a record of pupils’ qualifications. The investigation found that the DfE’s poor due diligence meant the LRS database was being used by Trust Systems Software UK Ltd (trading as Trustopia), a third party screening firm, to check whether people opening online gambling accounts were 18. Trustopia was found to have had access from September 2018 to January 2020, during which it performed over 20,000 searches on children whose personal data was in the LRS database.

The investigation was initiated following a breach report submitted by the DfE regarding the unauthorized access to the LRS database, a breach which the DfE only became aware of following an article in the press. At the time of the incident, over 12,000 organizations had access to the LRS database, including schools, colleges, higher education institutions and other education providers, in order for them to verify information such as academic qualifications. The ICO found the DfE failed to comply with several of its obligations, including by not using and sharing children’s data fairly, lawfully and transparently. It also failed to prevent unauthorized access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.

Following the investigation, the ICO issued the reprimand to the DfE setting out clear measures it needs to act on to improve its data protection practices. For example, it must take steps to improve transparency around the processing of the LRS database so data subjects are aware and can exercise their rights, and it must review all internal security procedures. The reprimand was issued instead of a fine in accordance with the new approach being taken by the ICO towards the public sector which aims to reduce the impact of fines on the public. A fine of £10 million would have been issued to the DfE if the ICO were not trialing this new approach with respect to public sector bodies.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 311

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
