The Information Commissioner's Office (ICO) has issued an official reprimand to the Department for Education (DfE) for providing inappropriate access to up to 28 million student's personal data to conduct age verification checks for gambling companies. The DfE authorised third-party access to the Learning Records Service (LRS) database to Trust Systems Software UK Ltd (Trustopia) without the necessary controls or oversight between 2018 and 2020. Information Commissioner John Edwards said: "the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them." The ICO considered this to be a serious breach of data protection law, which would have "warranted a £10 million fine in this specific case."
In June, the ICO adopted a new approach to public sector enforcement. The significant change is that the ICO will now use its discretion to reduce the monetary penalty amount or apply a different regulatory action, such as warnings, reprimands and enforcement notices. Monetary penalties will now only be issued for more serious violations.
Additional commentary in The Guardian and Financial Times (£).
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 5,750 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.