Department for Education: Data Protection

(asked on 26th January 2023)

Question to the Department for Education:

To ask the Secretary of State for Education, with reference to the 2018-2020 LRS Data Breach by Trustopia, what steps her Department has taken since that incident to improve their data protection practices.


Answered by
Nick Gibb
This question was answered on 3rd February 2023

The Department does not use the Learning Records Service (LRS) information for age verification, although it does include dates of birth for identification purposes. The dates of birth on the service were misused by Trustopia to search for individuals that it had already acquired data to confirm the age given to Trustopia matched what was held on the LRS by the department.

UK General Data Protection Regulation (GDPR) states that if a breach is likely to result in a high risk to the rights and freedoms of individuals, the Department must inform those concerned directly and without undue delay. As no additional personal data of pupils past and present was compromised by the breach, whilst the breach itself remained serious, it did not pose a high risk to individuals.

Once aware, the Department took immediate action and referred the incident to the Information Commissioner’s Office (ICO). At the time of the breach, the Department was already working closely with the ICO in relation to the audit already in progress.

Procedures for monitoring unusual activity have been strengthened, along with additional improvements. These improvements include a more robust application process, better in-application audit processes that have been used to monitor and remove users who may not be using the system in accordance with their agreement, and the ability to remove or suspend accounts quickly in the event of possible misuse.

The Department has made significant progress in improving processes and has completed 97% of the ICO recommendations to date, with plans to complete the remaining recommendations by the end of March 2023. All actions relating to the LRS data breach have been completed.

The Department continues to work closely with the ICO. No further controls from the ICO have been placed upon the Department.

The Office of the Data Protection Officer leads on ensuring compliance with Data Protection Legislation for the Department, led by the Departmental Data Protection Officer. The team continues to work with the Department and the ICO to make further improvements in the Department’s data protection practices.
