The
Department for Education (DfE) has been given a reprimand but escaped a £10m regulatory fine for a
data breach that saw a database of personal information held on 28 million people misused by a third-party organisation over a “prolonged” period between September 2018 and January 2020.
The Learning Records Service (LRS) database contains the full name, date of birth, gender, and learning and training achievements of 28 million people from the age of 14 upwards, as well as email addresses and nationality in some cases.
It is kept for 66 years – meaning that at the time of the breach it could have contained data on pupils who were at school in the early 1950s – and is used by more than 12,600 organisations, mostly educational providers, to verify various functions such as the academic qualifications of prospective students, or funding eligibility.
The DfE gave access to the LRS to Trust Systems Software UK, which traded as Trustopia, an employment screening firm, which proceeded to use the database to build an age verification service that was offered to online gambling companies to confirm that their customers were aged over 18.....
