How serious is the Department for Education's gambling industry data breach?

Last weekend the Sunday Times reported that betting companies had been given access to the Department for Education's Learning Records Service database, in what the newspaper described as "one of the biggest breaches of government data":

'Revealed: betting firms use schools data on 28m children'

That article is behind a paywall but the story was also picked up by the Mail, City AM, Schools Week and other outlets.

The Learning Records Service is administered by DfE's Education and Skills Funding Agency and collects data related to schoolchildren and students aged 14 and up who register for educational qualifications or accredited training in England, Wales and Northern Ireland.

ESFA provides secure web services so that registered learning providers and awarding organisations can add, retrieve and update records in the LRS database.

The substance of the Sunday Times claims is that GB Group, a company that specialises in identity management, location intelligence and fraud prevention, had a contract through another company Trust Systems Software, which trades as Trustopia, to access LRS records for the purpose of providing age and identity verification services to clients that included gambling companies.

According to the newspaper "strict privacy rules" mean the LRS database "should only be used for educational purposes."

The Education secretary Gavin Williamson confirmed the basics of the Sunday Times story in an oral statement in the House of Commons on Monday:

"I would like to address the claim in news reports that data from the Department's learner record service has been shared with a commercial data broker. I reassure the House that my Department does not share any data with the commercial data broker in question and, indeed, the data broker has removed its claim that we do so. Instead, an education training organisation, in breach of its agreement with us, wrongly provided information on learners from our learner record service, which we created to support individual learners and increase their future opportunities. It was a completely unacceptable abuse of information, and we have immediately stopped the firm's access and ended our agreements with it. The Department has begun a full investigation, and any provider found to be in breach of its contracts will have its agreements and access immediately removed."

From the above it's apparent there has been some kind of breach of data protection rules. But is this incident as serious as the Sunday Times coverage makes out?

28 million children is an exaggeration

Most of the other media that picked up this story followed the lead of the Sunday Times with headlines giving the impression that personal data related to 28 million schoolchildren had been accessed.

The LRS database currently does contain records for more than 28 million "distinct learners". However that is a cumulative total for all learners recorded since the inception of the database more than ten years ago. The vast majority of those learners are, of course, no longer children.

According to ONS population estimates there are about 2.7 million people aged 14-17 in England, Wales and Northern Ireland – so the upper bound of the number of children whose personal data could possibly be involved in this breach is less than a tenth of the total suggested by the headlines.

The gambling industry is probably in the clear

According to statements from the Betting and Gaming Council and the online casino company 32Red, bettings firms have had no access to data from the Learning Records Service and have only utilised it indirectly to verify the identity and age of customers:

"The only information 32Red has access to is confirmation or rejection that the person requesting to open an account with us is over the age of 18, and not specific details about that person."

New verification rules for licensed remote betting and gaming operators came into effect in May 2019, following a Gambling Commission consultation.

If the industry statements are true this means the number of LRS records used even indirectly by betting firms is limited to the number of learners in the database who also applied to access gambling services in the period since GB Group started to offer their verification service.

Of course there are good reasons why the gambling industry should never have direct access to the LRS database. Matching individuals to their education achievements and institutions would make it easier for betting firms to build profiles of young customers and their inclinations to gamble.

What is GB Group – and has it done anything wrong?

GB Group is a publicly traded UK company based in Chester, with revenue of £143.5m reported for 2018-19.

The company has quite a convoluted history. It was established in 1989 as GB Mailing Systems, which was rolled into GB Information Management in 1996. GB Information Management was acquired by Phonelink in 1999. Phonelink was renamed TelMe.com, and then renamed again to GB Group in 2004.

An interesting but entirely irrelevant fact: one of the businesses that came together to form GB Mailing Systems those many years ago was Border Business Systems, a software firm founded by the mother and step-father of current Health secretary (and noted technophile) Matt Hancock.

GB Group offers an identity verification service called ID3global. Until recently this service was advertised with a key feature: the GBG UK Education Data Set, an "exclusive" and "comprehensive" education dataset with "over 36 million unique records – including 30% of the UK adult 'thin profile' population" and "sourced from recognised education bodies." A blog post on GB Group's website went into considerable detail on the coverage of the dataset.

Earlier this month GB Group republished the post, removing much of the detail and replacing it with a more sober description that talked about matching data via "secure and encrypted API connections". In that version the GBG UK Education Data Set merely "verifies against attainment data from the Learning Records Service." As of this week the post is gone entirely.

We can infer from the Education secretary's statement that this use of LRS data by GB Group was not approved by ESFA or DfE. The big question is whether GB Group was supplied data from the LRS in bulk, or merely ran individual checks against the database via one of the LRS web services – either with its own LRS account or through access facilitated by the "education training organisation" that DfE says breached its agreement.

Even allowing for ignorance or indifference to data protection rules, the fact that GB Group was openly promoting its use of learner records suggests it was probably only running checks against the LRS database and thought it had the necessary agreements in place to do so.

This supports the theory that GB Group's contact with the service was through an intermediary. Such an arrangement could protect GB Group against action from the Information Commissioner's Office for breach of data protection rules, though that may depend on whether the intermediary facilitated access as a data controller in its own right or as a processor on behalf of GB Group.

Okay so what about Trustopia?

According to the Sunday Times, GB Group had a contract with Trustopia to "get access to" the LRS for the verification services it provided to clients. Trustopia reportedly denies it gave GB Group access, though it's not clear whether that is a blanket denial of involvement or depends on the semantics of what "access" involves.

Trustopia is the trading name of Trust Systems Software (UK), which is owned by Trust Systems Software Group. These are private companies incorporated in 2018 and 2019 respectively, so they haven't yet filed public accounts and it's difficult to tell how much business they do.

Trustopia is described in the press articles as an "employment screening" firm and its website indicates that it provides technology for that purpose.

There's no clear evidence that Trustopia is an "education training organisation" in the conventional sense. However DfE has said nothing to correct the assumption that Trustopia is the organisation that the Education secretary says breached its agreement. Trustopia is one of dozens of software firms listed in the UK Register of Learning Providers. FE Week reports that Trustopia is registered in the UKRLP as an apprenticeship provider, though the company is not on ESFA's separate register of apprenticeship training providers.

A brochure on the Trustopia website says the company's "default baseline ID Process service reference" searches in real-time against data from "Acuant Corp; Jade (a unique TRUSTOPIA UK Data set containing 34m unique education records); Equifax, GB Group, GDC, Veriphy and others".

This hints at a reciprocal business relationship with GB Group. The "Jade" dataset sounds rather like the GBG UK Education Data Set.

Further material describing the Jade Service has recently been removed from the Trustopia website. However one possibility is that GB Group's UK Education Data Set is a white-labelled version of Trustopia's Jade dataset.

Trustopia has also recently removed from its website material about the company itself, and about its leadership team.

Companies House records show that Trustopia is mainly owned by Irish business tycoon Andrew Collins. Collins is the husband of English retail entrepreneur and Celebrity Big Brother contestant Luisa Zissman.

FE Week reports that Trustopia co-founder Ronan Smith previously ran a company called Edudo that was investigated by ESFA in 2017. Companies House records show that Smith resigned as a director of Trust Systems Software Group in November 2019, though his termination of appointment was only filed with Companies House this week.

Should Trustopia have had access to the LRS database?

Assuming that Trustopia is the "education training organisation" that DfE says breached its agreement, whether the company's access to the LRS database was legitimate in the first place depends on the purposes for which it said it wanted to access LRS records.

I don't think we can automatically rule out the idea that employment screening services are within scope as a permissable use of LRS access. The understanding of the Sunday Times that the LRS database should only be used for educational purposes is too narrow.

Unlike the National Pupil Database, the Learning Records Service is not covered by specific regulations. The prescribed purposes for sharing of pupil information more generally are set out in regulations made under powers in section 537A of the Education Act 1996.

Those regulations allow sharing of individual pupil information for the purpose of promoting the "education or well-being" of children, including conducting research or analysis, producing statistics, and "providing information, advice or guidance". The permitted purposes in the LRS learning provider agreement go further and include providing information, advice and guidance for "career progression" and "employment opportunities".

It's also debatable whether making identity and age verification checks against the LRS database is actually use of "pupil information" in any meaningful sense. That purpose does not require any of the data fields that relate to education or training i.e. information about the individual as a pupil or learner.

What are the potential consequences of this apparent data breach?

The seriousness of any breach of data protection law by GB Group or Trustopia will probably depend on how much data was shared, the methods by which it was shared, whether either party understood they were doing anything against the rules, and whether there was any misrepresentation in the arrangements for access to the Learning Records Service. The public information available at the moment isn't sufficient to judge most of those factors, or to verify the Sunday Times claims.

If the misuse of LRS access was limited only to verification checks for individuals who wanted to access online gambling services, it is difficult to see any significant harm to the privacy rights or interests of those individuals. That will reduce the potential for penalties from the ICO. But if there is evidence that either company deliberately disregarded data protection rules, or were cavalier about compliance, because they were keen to generate a profit, the ICO may decide to make an example of them.

Notwithstanding comments from David Davis MP, I doubt the Government will be in a position to sue Trustopia for "breach of practice". If Trustopia's access to the LRS database was based on ESFA's standard learning provider agreement, that is not a robust contract and does not seem to create financial liabilities between the parties.

Presumably whatever contract GB Group has with Trustopia will have liability clauses but any commercial settlement between the two companies, as a result of this apparent data breach, is unlikely to be made public.

Is use of LRS records for verification checks in the gambling industry wrong in principle?

Although it appears the Department for Education has not authorised use of the LRS database for the purpose of verifying identity and age of gambling industry customers, it is not clear that any law prevents it from doing so.

The privacy notice that ESFA provides for use by learning providers tells learners that their personal information "is only accessed through the LRS by organisations specifically linked to your education and training". By itself this would not be sufficient to comply with learners' right to be informed if their data was processed for the further purpose of verification checks unrelated to education or training.

However that requirement only arises when the personal data is actually processed for that purpose, and could be covered by a privacy notice from the relevant betting firm. For example 32Red's privacy notice covers collection of data "received from our business partners and from other organisations, such as specialist companies providing verification services".

It would be interesting to know whether the Gambling Commission, before it introduced the new rules for verifying customers' age and identity details "quickly and robustly", had any discussions with the industry about how betting firms proposed to carry out those checks. The Gambling Commission received 13 written submissions from third-party identity verification providers in response to its public consultation on the rules – so it may well have been aware of the data sources the industry proposed to use. [Update: see Addendum below.]

Ethically, is there any fundamental reason why verification services should not be able to access LRS records for the limited purpose of checks that betting firms are legally required to make – assuming that in all cases that access is with the knowledge and authorisation of the individual customer?

The arrangements described in the Sunday Times article are obviously not consistent with data protection law. However it seems to me there is a more transparent and compliant approach available.

Yes, better verification checks will make it easier for the gambling industry to "onboard" younger customers. But that's true regardless of the data sources involved. In fact isn't that just an example in support of the argument often made by economic centrists that government regulation is good for business?

Addendum (20 February 2020)

After I wrote the above post, the Betting And Gaming Council released a statement that described the media reports as "categorically untrue" and explained the gambling industry's use of the LRS data as follows:

"All betting companies are legally required to verify the age of people who wish to join to ensure that they are over the age of 18.

"Some of our members have used GB Group to assist with age verification checks. This involves our members providing GB Group with the name, address and date of birth of the individual who has applied to open an account. GB Group then matches the information against data from multiple databases, via secure and encrypted API connections.

"A simple 'Match' or 'No Match' is returned to our member company, which confirms or not if the applicant has provided true information on their application. This therefore confirms or otherwise that the applicant is over the age of 18."

The Gambling Commission has confirmed that GB Group was not one of the 13 third-party identity verification providers that provided written responses to its 2018 consultation on 'Proposals to strengthen age and identity verification for online gambling'. It therefore seems unlikely that the Gambling Commission was aware of plans to use the Learning Records Service data as a source for checks.

The 13 providers that responded to the consultation were: Dominode, Age Check Certification Scheme, Jumio, Aristotle Integrity, W2 Global Data, TruNarrative Limited, Yoti, Soda Software Labs Ltd (t/a Hello Soda), Experian, beBettor Limited, Little Wheel, AgeChecked, and TransUnion.

You can read their responses in an Excel workbook provided by the Gambling Commission following my FOI request.