The ICO has issued a reprimand to the UK Department for Education (DfE) on how it allowed a database of 28 million children to be used by a company that provided an age verification service to gambling account providers.
The ICO investigation found that the DfE had granted access to the database, after being informed that the company was a training provider.
In the ICO statement John Edwards, UK Information Commissioner, said:
No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.
We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.
This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/11/department-for-education-warned-after-gambling-companies-benefit-from-learning-records-database/
It is interesting that the full £10 million fine would have been made, were the DfE not a public body, and this is another example of the pragmatic approach being taken with regard to fining public bodies. I do wonder if this will reduce the seriousness of the offence in some people’s eyes, though.
So what can we learn?
- You can only use personal data for the purposes that we disclose at the time of collecting or obtaining the data
- You are responsible for the due diligence on all organisations that you allow access to personal data
If you would like to talk about how you can ensure that your data protection policies and procedures are fit for purpose, and how to make this as cost effective as possible, you are welcome to get in touch in any of the normal ways, use https://zorva.info/about-us/contact-us/ or by booking a 20-minute insight call at https://zorva.info/free-insight-call/ (for TinoPai members, but it’s free to join, and you get lots of other benefits including free live and on-demand webinars).