In the wake of the mishandling of student data and non-compliance with GDPR requirements, the UK’s Information Commissioner’s Office (ICO) prosecuted the Department of Education (DfE) for violating Article 5(1)(a) and Article 5(1)(f), leading to the misuse of the data of over 28 million students.
The mismanagement of student data
The Department of Education is in charge of the learning records service (LRS), the portal that is managed by the Education and skills-finding agency. It contains student records of children over 14 years of age from educational organizations. As per reports, the DfE allowed a third party to access this portal to cross-check data for their reference. The third party in question was a gambling company that used the records of 28 million students to verify the age of visitors using their gambling accounts. Trust Systems Software UK Ltd, trading as Trustopia, an employment screening firm, unlawfully accessed the said data to ensure its visitors were over 18 years old.
This resulted in a reprimand for the Department of Education for breaching GDPR Article 5(1)(a), which covers lawfulness, fairness, and transparency, and Article 5(1)(f), which covers integrity and confidentiality.
The ICO, the data protection regulator of the United Kingdom, initially considered a monetary penalty of £10,030,000 in keeping with the ICO’s regulatory action policy (RAP). Later it dismissed the fine because of a revision by the commissioner regarding the public sector. It was later stated that a reprimand would be issued in accordance with Article 58 of the General Data Protection Regulation (GDPR).
Speaking about the data breach, the information commissioner John Edwards said that the department came to know about the data breach when a newspaper alerted them. He further stated, “We all have an absolute right to expect that our central government departments treat the data they hold on to us with the utmost respect and security. Even more so when it comes to the information of 28 million children,” according to the ICO website.
About the decision not to impose a fine, Edwards confirmed that the money would be returned to the government. However, this should not distract them from admitting the severe nature of the data breach. Trustopia no longer has access to the database, the regulators maintained after concluding their investigations.