GBG on the naughty step



Eek, a sudden 30p plunge from GBG this morning to 690p, on adverse reports in the weekend press (Sunday Times originally I think then pilched by others repeating what they think they know).

The UK government skills agency operates something called the Learning Records Service database, which gathers together enrolment and qualification data for students and apprentices aged 14+ from places like schools, colleges and OfQual. In theory this allows the govt or training provider to check whether the student is eligible for funding. According to the website of a training and qualifications company:

“The Learning Records Service offers a facility which stores learner participation and achievements. By providing your personal information, relevant organisations will have access your Personal Learning Record to enable the use of your personal information in order to assess your achievements, awards and credits …”

You can imagine a database of 28 million young people which allows their identity and location to be verified is sensitive, and there must be strict controls about who can access the data and for what purpose.

I would imagine GBG, which offers verification services to prospective employers, might use LRS as a resource to verify the education and qualifcation claims made by job applicants … a legitimate exercise, no doubt with the consent of employer, applicant and presumably with a quid pro quo between GBG and the government agency/Dept for Education.

I think DoE had given approval for these legitimate activities to Trustopia.

“The DfE said the government had provided access to the Learner Record Service to employment screening firm Trust Systems Software, which trades as Trustopia. The department is investigating whether Trustopia in turn provided access to GB Group.”

So is the sharing of data, or the indirect provision of services between GBG and Trustopia, for whatever purpose a problem? The comments so far have been contradictory.

GB Group said: “We can confirm that we use the Learning Records Service dataset via a third party. We take claims of this nature very seriously and, depending on the results of our review, we will take appropriate action.”"

So if Trustopia were sharing data or providing a service to GBG, they were charging a premium for it. Were GBG then abusing its access to the data, or selling it on? Where is the smoking gun linking GBG access to LRS via Trustopia and the wild allegation that it was to exploit young gamblers?

The response from DoE reported today includes

"The DfE said it had not approved any data sharing with gambling firms, adding that a third-party company was responsible for providing access to the information.

“This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action,” a spokesperson said.

The breach relates to Chester-based data intelligence firm GB Group, which signed a confidential contract through another company to access the database, according to the report.

GB Group used the data for age and identity verification services it provides to clients, which include gambling firms 32 Red and Betfair."

Whether directly or through an approves third party GBG has access to even more sensitive information held by government, for example criminal records. In the same way that the DVLA gives your vehicle and address information to parking enforcement companies via its service provider Capita, there is a legitimate purpose to allowing licensed controlled access to sensitive information. The govt makes money selling the data, and private companies perform checking and enforcement tasks on a commercial basis … in another world this would be government work paid for by taxes etc.

So the real story (an allegation which everyone is treating as fact) is whether gambling firms have used GBG or others to access sensitive data available to Trustopia for unapproved purposes. The press speculation is that these gambling companies have been targetting youngsters “to boost the number of young people gambling online.”

On the face of it that sounds unlikely, how does a database of names ages and addresses help you boost online gambling?

More likely the data could be used to verify a young person applying to join an online gambling service? In which case the data is being used to screen for underage gamblers? A good thing then? This is the business GBG is in, verifying age compliance of users on behalf of companies providing age-sensitive services. If it is helping gambling firms to reject under-18s what is the problem, albeit this was not an approved purpose of LRS data.

So the DfE has decided “this” was completely unacceptable but I am not sure what the “this” is … the Sunday Times are sure that GBG has provided unauthorised access to LRS data to the gambling companies.

That would be surprising, considering GBG is in the business of providing services using data, not handing over raw data or access to it. Unless there has been a dodgy individual or business unit which has been naughty.

Anyway, apparently DfE is leaving no stone unturned:

“A DfE spokesperson said: “We have not shared any data with GBG.”"

And yet

“The Sunday Times reported the government had provided access to the Learning Records Service to employment screening company Trust Systems Software (UK) – which trades as Trustopia.”

And even more strangely

“Trustopia has denied providing the GB Group with access to the database and founder Ronan Smith said it “placed the highest possible premium” on the lawful handing of data.”"

How GBG handles its public communication from here will be crucial but I suspect it is a storm in a teacup. There has certainly been a breach of data regulations over the unauthorised sharing of LRS data, but it remains to be seen who has done the breach … Trustopia is the responsible party … and it is a huge step to assert that the data has been abused for imaginative purposes by the gambling industry, although that is a possibility.


Thank goodness, strong bounce back to 715p this morning. Phew.

32Red confirmed it never had access to data, just using a third party service to verify age. So GBG, if it was using the LRS data, was using it for a good purpose, and did not “share” it with gambling companies.

If anything the culprit here is Trustopia, a small recently incorporated Irish company which DfE gave LRS data access to for one purpose, and then Trustopia found a way of using it or providing it to GBG for another purpose. So DfE may also be guilty of something, a lack of due diligence perhaps.

What has GBG done wrong? Are Trustopia still saying they never even provided the data to GBG? In which case GBG has sub-contracted age-checking services from Trustopia who were abusing the LRS data themselves. In which case GBG is completely blameless.

If that analysis is about right then the press reporting of this, including the wild allegation that GBG was working with the gambling industry to target business at under-age punters was false and harmful. The Sunday Times has perhaps been pushing a far-fetched scoop in the hope it had found a smoking gun, but without confirmatory evidence, I wonder why they went so far.

No official response from GBG yet, I suspect if it was DfE partly to blame it will be kicking this into the long grass after Gavin Williamson was suckered into believing the worst over-stated allegations in the press.