The DfE permitted third party access to the LRS database outside of the DfE and subsequent processing took place of some of that personal data (including children) for the purposes of age verification, without appropriate control or oversight. The investigation has found that therefore the personal data on the LRS database was processed in an insecure manner and for purposes that were not initially intended. Furthermore, the DfE failed to be transparent about that processing.