Data Protection

(asked on 16th March 2020)

Question to the Department for Education:

To ask the Secretary of State for Education, with reference to the data breach of the Learning Records Service database by the GB Group, what steps he is taking to review the criteria used by his Department to allow external organisations access to sensitive data.


Answered by
Gillian Keegan
Secretary of State for Education
This question was answered on 1st April 2020

The registration process for access to the Learning Records Service (LRS) has been tightened up significantly:

Extra checks have been put in place by the UK Register of Learning Providers (UKRLP) before an organisation can apply to become a registered training provider (a pre-requisite to registering to use the LRS). They must:

  • provide their Companies House number and be listed as a registered & active company on the CH website, their ICO registration number and an active UKPRN number.
  • provide details of the Awarding Organisation (AO) that they are accredited with (which will be confirmed independently by ESFA), the approximate volumes of learners that they expect to register per annum and a detailed description of why they need access. If the purpose is for any reason but to enrol their own students, this will only be granted by exception after a follow-up discussion.
  • submit an LRS agreement that is signed by one of the company directors listed on the Companies House website.

The LRS registration form has been updated to include all of the above information, and any organisations who have had their access revoked as part of the recent incident will need to re-sign the updated agreement/registration form. The registration form also includes a section cleared by commercial lawyers that:

  • states DFE's right of recourse against licensees to LRS and that we will restrict the rights of licensees with regard to the sublicensing of access to LRS.
  • includes text acknowledging/outlining other sanctions.

Any organisation that requests a change of details (for example when a school becomes an Academy, or when an ITP changes its registered name), must meet the same criteria as the initial registration process.

The housekeeping tasks to de-register organisations from LRS are being automated.

Nightly checks are being run routinely now to identify any cases of excessive usage of the LRS, with automatic suspension for those identified. The housekeeping tasks to de-register organisations from LRS will be enhanced going forwards using a weekly data feed from UKRLP.

We have put in place the following additional checks when new entrants to the market apply to join the UK Register of Learning Providers (UKRLP):

  • Each applicant must register with the ICO and include their ICO number in their UKRLP application.
  • UKRLP will check each applicant’s website(s) and review their line of business (including the description of their business on Companies House).
  • Each new applicant must give a reason for registering with the UKRLP.

IDP-Connect will continuously review the current acceptance / rejection process and monitor frequent requests. Those currently registered with the UKRLP will be reviewed against these new criteria.

IDP-Connect and ESFA are now meeting every 2 weeks to review the changes proposed to the UKRLP process and to evaluate progress with respect to the agreed changes.

All bulk shares of personal data from the department must be independently assessed and reviewed by the department’s Data Sharing Approvals Panel (DSAP). Most requests for data that are granted will be through the Office of National Statistics (ONS) Secure Research Service and will use National Pupil Database (NPD) de-identified individual level ‘standard extracts’ for each academic year. The ONS Secure Research Service (SRS) allows researchers they have accredited under the Digital Economy Act or approved through the ONS Approved Researcher scheme to access secure de-identified data in line with the industry standard “5 Safes”. The Five Safes are Safe People, Safe Projects, Safe Settings, Safe Outputs and Safe Data.

Access to the service is through 1 of the 5 research labs run by the ONS or, if the researcher’s location meets ONS security standards and they have access to the ONS, they may access the data remotely through their own machines.

DSAP review each request and only approve if the request is within the department’s risk appetite and supports the aims of the department.
