DfE data protection ‘tightened significantly’ after massive breach of learner records

About 28 million records of young learners were compromised earlier this year


PA

By Sam Trendall

14 Apr 2020

The Department for Education claims it has implemented much stricter checks and processes following a data breach earlier this year in which the security of 28 million people’s data was compromised.

The department’s Learning Records Service (LRS) is used by registered training and education providers to verify the academic qualifications of potential students.

Earlier this year, it emerged that age and identity verification specialist GB Group – whose clients include a number of gambling firms – had wrongly been allowed access to the database by another screening firm, Trustopia, that was accredited to access LRS. After the breach emerged, the DfE said it would no longer work with Trustopia.

RELATED CONTENT

Since then, the department has implemented various measures to keep a tighter rein on who has access to the data store, according to minister for apprenticeships and skills Gillian Keegan.

Viewing of individual records will be carefully monitored, with checks performed each night to “identify any cases of excessive usage of the LRS, with automatic suspension for those identified”. 

Those wishing to obtain large data sets will also be subject to increased scrutiny.

“All bulk shares of personal data from the department must be independently assessed and reviewed by the department’s Data Sharing Approvals Panel,” Keegan said. “DSAP review each request and only approve the request is within the department’s risk appetite and supports the aims of the department.”

The minister added that the majority of such requests that are granted will come via the Secure Research Service run by the Office for National Statistics, and “will use National Pupil Database de-identified individual level ‘standard extracts’ for each academic year”.

Keegan added: “Access to the service is through one of the five research labs run by the ONS or if the researcher’s location meets ONS security standards and have access to the ONS they may access the data remotely through their own machines.”

In addition to the more rigorous checks on how registered providers are accessing data, “the registration process for access to LRS has been tightened up significantly”, Keegan said.

Applying to join the UK Register of Learning Providers – which must be completed before being considered for access to LRS – now requires firms to provide details of their registration with both the Information Commissioner’s Office and Companies House, as well of evidence of their being a going concern. 

Applicants must also submit details of the qualification-awarding organisations with which they are accredited and an estimate of how many learners they work with each year, as well as ensuring a listed company director has signed an agreement to abide by LRS terms.

Additionally, access will be dependent on firms providing “a detailed description of why they need access”.

Keegan added: “If the purpose is for any reason but to enrol their own students, this will only be granted by exception after a follow-up discussion.”

According to the minister, “the housekeeping tasks to de-register organisations from LRS are being automated”. 

Organisations that have had their access revoked – including those who were excluded following the recent breach – will be required to “to resign the updated agreement and registration form”. 

Following the breach, the DfE reported itself to the ICO. 

An ICO spokesperson said: “The ICO is considering a number of potential compliance concerns associated with data obtained from the Department of Education’s Learning Records Service. We are continuing to investigate."

 

Share this page