Question to the Department for Education:
To ask the Secretary of State for Education, with reference to the data breach of the Learning Records Service database by the GB Group, what steps he is taking to review the criteria used by his Department to allow external organisations access to sensitive data.
The registration process for access to the Learning Records Service (LRS) has been tightened up significantly:
Extra checks have been put in place by the UK Register of Learning Providers (UKRLP) before an organisation can apply to become a registered training provider (a pre-requisite to registering to use the LRS). They must:
The LRS registration form has been updated to include all of the above information, and any organisations who have had their access revoked as part of the recent incident will need to re-sign the updated agreement/registration form. The registration form also includes a section cleared by commercial lawyers that:
Any organisation that requests a change of details (for example when a school becomes an Academy, or when an ITP changes its registered name) must meet the same criteria as the initial registration process.
The housekeeping tasks to de-register organisations from LRS are being automated.
Nightly checks are being run routinely now to identify any cases of excessive usage of the LRS, with automatic suspension for those identified. The housekeeping tasks to de-register organisations from LRS will be enhanced going forwards using a weekly data feed from UKRLP.
We have put in place the following additional checks when new entrants to the market apply to join the UK Register of Learning Providers (UKRLP):
IDP-Connect will continuously review the current acceptance / rejection process and monitor frequent requests. Those currently registered with the UKRLP will be reviewed against these new criteria.
IDP-Connect and ESFA are now meeting every 2 weeks to review the changes proposed to the UKRLP process and to evaluate progress with respect to the agreed changes.
All bulk shares of personal data from the department must be independently assessed and reviewed by the department’s Data Sharing Approvals Panel (DSAP). Most requests for data that are granted will be through the Office of National Statistics (ONS) Secure Research Service and will use National Pupil Database (NPD) de-identified individual level ‘standard extracts’ for each academic year. The ONS Secure Research Service (SRS) allows researchers they have accredited under the Digital Economy Act or approved through the ONS Approved Researcher scheme to access secure de-identified data in line with the industry standard “5 Safes”. The Five Safes are Safe People, Safe Projects, Safe Settings, Safe Outputs and Safe Data.
Access to the service is through 1 of the 5 research labs run by the ONS or, if the researcher’s location meets ONS security standards and has access to the ONS, they may access the data remotely through their own machines.
DSAP review each request and only approve it if the request is within the department’s risk appetite and supports the aims of the department.