The Department for Education (“DfE”) has been reprimanded by the ICO over a series of failures to prioritise data security that compromised its ability to comply with the UK’s Data Protection Act 2018 and the UK General Data Protection Regulation, following a lengthy investigation by the regulator into the learning records service (“LRS”) database. The LRS provides a record of pupils’ qualifications for education providers to access, and it contains data on 28 million pupils from the age of 14. A screening firm, Trust Systems Software UK, trading as Trustopia, was given access to the database and used it for age verification. It offered the service to companies including GB Group, one of the country’s leading data intelligence firms, which helped gambling companies confirm customers were 18 or over. The ICO confirmed that “Trustopia had access to the LRS database from September 2018 to January 2020 and carried out searches on 22,000 learners for age verification purposes”.
In granting LRS database access to Trustopia, the DfE failed in its obligations to use and share children’s data fairly, lawfully and transparently. It also failed to prevent unauthorised access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services. Commenting on the case, John Edwards, UK Information Commissioner, said that “no-one need[ed] persuading that a database of pupils’ learning records being used to help gambling companies [was] unacceptable” and that the investigation had found that the processes put in place by the DfE were “woeful.”
In light of the “serious breach of the law”, the ICO considered that a fine of £10,030,000 would be effective, proportionate and dissuasive for the offending (which would have been the third highest penalty imposed by the regulator to date). Interestingly, the DfE escaped the proposed fine under the Information Commissioner’s new commitment to scale back monetary penalties on public sector organisations. The rationale for the new commitment, which is being trialled over a two-year period, is that levying fines on the public sector does not impact shareholders or directors in the same way that it would in the private sector, and effectively punishes the taxpayer rather than the perpetrators of a data breach. In relation to the DfE, Edwards stressed that the decision not to issue the fine should not detract from how serious the errors were, nor from how urgently they need addressing by the DfE.
Last week the ICO also decided to cut a £500,000 Cabinet Office fine down to just £50,000 as part of the same commitment. Whilst Edwards insists that this policy shift is to ensure that the ICO remains a “pragmatic, proportionate and effective regulator”, it is difficult to see how successful a reprimand will be in acting as a credible deterrent against future instances of “woeful” misuse of data.