The Information Commissioner’s Office (ICO) has made 139 recommendations – more than 60% of which are classified as urgent or high priority – to the Department for Education after publishing the outcome of a compulsory audit carried out in February 2020.
The ICO said the audit had found that data protection was not being prioritised “and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws”.
The watchdog carried out the compulsory audit following complaints received in 2019 regarding the National Pupil Database.
The executive summary, which can be viewed here, detailed a series of criticisms including:
- There was no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE “which along with a lack of formal documentation means the DfE cannot demonstrate accountability to the GDPR”. There were “no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements”.
- Internal cultural barriers and attitudes were preventing the DfE from implementing an effective system of information governance.
- The organisational structure of the DfE meant the role of the Data Protection Officer (DPO) was not meeting all the requirements of Articles 37-39 of the GDPR.
- There was no policy framework or document control in place which meant that key policies such as an Information Governance Framework or Data Protection Policy had not been created.
- There was no clear picture of what data was held by the DfE and as a result there was no Record of Processing Activity (ROPA) in place which was a direct breach of Article 30 of the GDPR. “Without a ROPA it is difficult for the DfE to fulfil their other obligations such as privacy information, retention and security arrangements.”
- The DfE were not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR.
- The DfE were providing very limited training to staff about information governance, data protection, records management, risk management, data sharing, information security, individual rights and in some cases there was no assurance that staff were receiving any training whatsoever. “Given the volume and categories of personal data being processed the lack of awareness amongst staff presents a high risk that data will not be processed in a compliant manner and could result in multiple data breaches or further breaches of legislation.”
- Information risks were not managed in an informed or consistent manner throughout the DfE or in line with the Risk Management Framework.
- Data protection impact assessments (DPIAs) were not being carried out early enough in a project to influence its outcome, and in some cases were not completed before processing began. The assignment of lawful basis in DPIAs was also high level and did not include a justification for the designated lawful basis or details of how it applied to each specific processing activity.
- There was an over-reliance on using public task as the lawful basis for sharing, “which is not always appropriate and supported by identified legislation”. Legitimate interest had also been used as a lawful basis in some applications; however, there was limited understanding of the requirements of legitimate interest and of how to assess its application and legality before sharing took place.
- Of 400 applications, only approximately 12 were rejected, due to an approach which was designed to find a legal gateway to ‘fit’ the application rather than an assessment of the application against a set of robust measures designed to provide assurance and accountability that the sharing was lawful in line with statutory requirements.
The ICO acknowledged that throughout the audit process the DfE had engaged with it and showed a willingness to learn from and address the issues identified.
“The Department accepted all the audit recommendations and is making the necessary changes,” it said.
The watchdog said it would continue to monitor the DfE, reviewing improvements against pre-agreed timescales. Enforcement action will follow if progress falls behind the schedule, it warned.
A Department for Education spokesperson said: “We treat the handling of personal data - particularly data relating to schools and other education settings - extremely seriously and we thank the ICO for its report which will help us further improve in this area.
“Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it.
“As well as welcoming these moves, the ICO has recognised the stringent processes we have in place to make sure children and young people’s personal data is secure.”