DfE broke data-protection law, ICO investigation finds

Watchdog makes 139 recommendations after identifying numerous lapses

By Sam Trendall

09 Oct 2020

A regulatory investigation has identified scores of issues with the data-protection policies and practices at the Department for Education, including some which are in “direct breach” of the law.

The Information Commissioner’s Officer has published the findings of a compulsory audit of the DfE’s data protection set-up that was conducted earlier this year. The watchdog found that, throughout the department, “data protection was not being prioritised and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws”.

“There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE which, along with a lack of formal documentation, means the DfE cannot demonstrate accountability to the GDPR,” the ICO said. “Although the [department’s] data directorate have been assigned overall responsibility for compliance actual operational responsibility is fragmented throughout all groups, directorates, divisions and teams which implement policy services and projects involving personal data. Limited reporting lines, monitoring activity and reporting means there is no central oversight of data processing activities. As a result, there are no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements.”

Specific issues identified by the audit include a department-wide culture of failing to recognise the importance of the rights of data subjects, as well as a lack of formal lines of communication between the data protection officer function and the wider organisation. There is also, according to the ICO, a total lack of policies and frameworks to guide data use.

Perhaps most damningly, auditors found that, despite repeated calls to do so, the DfE has not managed to create and maintain adequate records of the data it holds and processing that takes place. The failure to do is unlawful under the General Data Protection Regulation.

“There is no clear picture of what data is held by the DfE and, as a result, there is no record of processing activity (ROPA) in place, which is a direct breach of article 30 of the GDPR,” the ICO said. “Without a ROPA it is difficult for the DfE to fulfil their other obligations such as privacy information, retention and security arrangements. The requirement for a ROPA has been documented for over a year in audit reports and meeting minutes. However, little progress has been made to address this.”

The department is often unclear whether it is operating as a data controller, processor – or both – and there is also “no certainty whether organisations who receive data from the DfE are acting as controllers or processors on their behalf”.

The regulator added: “As a result, there is no clarity as to what information is required to be provided. The DfE are reliant on third parties to provide privacy information on their behalf however, this often results in insufficient information being provided and in some cases none at all which means that the DfE are not fulfilling the first principle of the GDPR… that data shall be processed lawfully, fairly and in a transparent manner.”

Staff across the DfE are typically provided with “very limited training” on issues of data protection, privacy and information assurance, auditors found. Given the breadth, volume and sensitivity of data handled by the department, this is liable to “result in multiple data breaches or further breaches of legislation”.

In light of the audit – with which the ICO said the department had engaged fully, and shown a willingness to learn from – a total of 139 recommendations have been made for improvement,  including 32 considered ‘urgent’, and a further 57 deemed as ‘high priority’. Timescales for achieving these targets have been agreed, and the regulator will continue to monitor the department.

A Department for Education spokesperson said: “Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it. As well as welcoming these moves, the ICO has recognised the stringent processes we have in place to make sure children and young people’s personal data is secure.”

The audit came on the back of a “broad-range investigation” that was undertaken last year after concerns about the National Pupil Database (NPD) were raised by campaign groups Liberty and DefendDigitalMe.

Having met with departmental officials in November 2019 to discuss the possibility of a consensual audit, the ICO opted to enforce a compulsory process “due to the risks associated with the volume and types of personal data processed within the NPD, as well as the ages of the data subjects involved”.

In addition to the pupil database – which holds data on 21 million people – the ICO broadened the remit of the audit to include assessment of the Learner Records Service, following a January data breach in which up to 28 million records might have been compromised.

In the weeks following the breach, the department claimed to have implemented various measures to keep a tighter rein on who has access to the LRS. This included nightly checks of who is viewing of individual records, and suspensions for those deemed to be doing so excessively. Those wishing to obtain large data sets will also be subject to increased scrutiny.

Sam Trendall is the editor of CSW's sister title PublicTechnology,  where a version of this story first appeared.

 

Read the most recent articles written by Sam Trendall - What new data laws mean for central government

Share this page