DfE granted screening firm access to 28m learner records

The founder of a firm at the centre of a major education data breach involving betting companies was subject to a previous government investigation.

Questions have now been asked as to why the firm, which offers screening checks, was allowed access to a database with the records of 28 million young people, meant only for vetted education training providers.

Unions have slammed the Department for Education’s due diligence processes, with one calling for an “urgent investigation looking at the criteria the DfE uses to grant access to the data”.

“DfE has failed these young people by not performing the relevant due diligence”

According to a DfE list, more than 12,000 organisations have successfully applied to have access to the Learning Records Service (LRS).

Earlier this week, an inquiry was launched by the ESFA after the Sunday Times reported that the LRS had been accessed by data intelligence firm GB Group – whose clients include 32Red and Betfair among other gambling companies.

The data contains names, ages and addresses of young people aged 14 and over in schools and colleges across England, Wales and Northern Ireland.

Privacy rules state that young people’s personal information should only be accessed through the LRS by organisations “specifically linked to your education and training”.

The DfE suspended access to the system this week in order to carry out the “necessary checks to ensure data security”. It reopened on Thursday.

According to the department, the “education training provider” which “wrongly provided access” to the LRS was Trustopia, a firm co-founded by Ronan Smith in August 2018.

The department said the company had access to the LRS because they registered with a UK Provider Reference Number (UKPRN) on the UK Register of Learning Providers (UKRLP) as an apprenticeship provider.

Trustopia is not on the government’s approved register of apprenticeship providers and can therefore not deliver apprenticeships in any capacity.

Its “nature of business”, according to Companies house, is “other information technology service activities”.

Smith declined to comment on the breach when approached by FE Week, but did confirm Trustopia is not a training provider, nor has it ever been.

It is understood that the firm has worked with education providers in the past.

A previous investigation by FE Week exposed how any company can gain a UKPRN within 24 hours, simply by providing their limited company number.

And a UKRLP spokesperson said at the time: “It is up to stakeholders who use the UKPRNs to ensure that they carry out the necessary due diligence appropriate to their scope when engaging with providers.”

Once a company has a UKPRN, it then needs to fill in a three-page application form to access the LRS.

The service is designed to help training providers verify their potential student’s previous educational achievements and their eligibility for additional funding.

The DfE would not say why Trustopia was given access to the LRS, or what it used the service for.

A spokesperson would say only that “a full investigation is under way and we will share any further information with you in due course.”

Prior to co-founding Trustopia, Smith ran a private provider called Edudo, which was investigated by the ESFA in 2017. The agency subsequently terminated the firm’s contracts, which were used to deliver courses funded through advanced learner loans.

Smith then transferred Edudo’s assets to a new company called Learning Republic and went bust. Hundreds of learners were subsequently left thousands of pounds in debt with no qualifications to show for it.

An FE Week investigation last year found that some of these learners, most of whom were Polish construction workers, had claimed they never started the course with Edudo – or even realised they had signed up for one.

Smith declared as bankrupt in November 2019.

Juliana Mohamad Noor, the vice president for further education at the National Union of Students, said her union is “shocked that this level of personal data of students was readily available without adequate checks on who can access it”.

The DfE has “failed these young people by not performing the relevant due diligence assessment of Trustopia and its owner,” she added.

“We are calling for a full and thorough investigation of this case to ensure that no more harm is done to the students involved.”

“We are calling for a full and thorough investigation of this case”

Kevin Courtney, joint general secretary of the NEU, said: “Parents will be rightly concerned about this data breach.

“There needs to be an urgent investigation looking at the criteria the DfE uses to grant access to the data and the identities of organisations which already have access.

“Given the hugely sensitive nature of this data it is also vital that there are rigorous checks on any organisations which are granted access.”

According to the Sunday Times report, GB Group used the LRS for age and identity verification services for its clients.

The DfE this week referred the breach to data regulators the Information Commissioner’s Office. An ICO spokesperson confirmed it has “received a report” from the DfE and “will be making enquiries”.

A DfE spokesperson said Trustopia “broke their agreement with us” with regards to the LRS.

“This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action,” they added.

A GB Group spokesperson said: “We can confirm that we use the Learning Records Service dataset via a third party. We take claims of this nature very seriously and, depending on the results of our review, we will take appropriate action.”

Trustopia did not respond to requests for comment.