The Department for Education broke data protection laws in the way it handles student data, the information watchdog has ruled, following an investigation that revealed widespread failures.
The Information Commissioner’s Office has concluded that the DfE failed to meet several articles of the General Data Protection Regulation (GDPR), which governs the management and use of personal data across Europe.
The audit, carried out in February and March, was prompted by complaints from human rights groups Liberty and DefendDigitalMe about the national pupil database (NPD), which holds information on millions of past and present school pupils. It found that data protection “was not being prioritised” and this had “severely impacted the DfE’s ability to comply with the UK’s data protection laws”.
The ICO extended the audit to include the learning records service database in November 2019 following revelations that it had been accessed by data intelligence firm GB Group – whose clients include 32Red and Betfair among other gambling companies. FE Week revealed in January that the founder of the training provider that wrongly shared the data was subject to a previous government investigation.
The audit also follows a series of investigations by FE Week’s sister title Schools Week which revealed how the government tried to collect pupil nationality and country of birth data to share with the Home Office for immigration control purposes. The coverage and a high-profile campaign by children’s rights groups resulted in a widespread boycott of the collection, which was subsequently scrapped.
FE Week revealed last November that the DfE was facing potential action over “wide ranging and serious concerns” about its data sharing activities. Today, the ICO’s audit has shed fresh light on the extent to which data protection laws were breached more broadly at the DfE.
The watchdog issued 139 recommendations for improvement, with over 60 per cent classified as “urgent or high priority”. The DfE said it has since reviewed “all processes for the use of personal data”.
The ICO looked into how the NPD, learning records service and “internally held databases” at the DfE were managed, and found there was “no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security”.
This, along with a lack of formal documentation, meant the department “cannot demonstrate accountability to the GDPR”.
The audit found that “internal cultural barriers and attitudes” were preventing the implementation of an “effective system of information governance”, and that the role of the DfE’s data protection officer was not meeting all the requirements of the GDPR.
The DfE also has “no policy framework or document control” in place, and policies that do exist “demonstrate no version control and are not subject to any formal review procedures meaning that many are out of date and ineffective”, the ICO found.
There is also “no clear picture of what data is held by the DfE”, and as a result no record of processing activity in place, which is a direct breach of Article 30 of the GDPR. Without this it is “difficult for the DfE to fulfil their other obligations such as privacy information, retention and security arrangements”, the ICO said.
The sharing of data from the NPD with external organisations has been a subject of controversy for some years, and children’s rights groups have called for it to be halted, despite their victory over the nationality and country of birth data collection.
Under its data-sharing process, the DfE releases anonymised sections of the NPD to organisations that request them. However, the ICO found the reasons for doing so were not always justified.
Instead there was an “over reliance” on using “public task” as the lawful basis for sharing data, which was “not always appropriate and supported by identified legislation”.
“Legitimate interest” has also been used as a lawful basis in some applications, but there is “limited understanding of the requirements of legitimate interest and to assess the application and legalities of it prior to sharing taking place”, the ICO warned.
“In 400 applications, only approximately 12 were rejected due to an approach which is designed to find a legal gateway to ‘fit’ the application rather than an assessment of the application against a set of robust measures designed to provide assurance and accountability that the sharing is lawful in line with statutory requirements.”
A DfE spokesperson said the department treated the handling of personal data “very seriously”, and said since the audit it had taken “a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it”.
Limited training and mismanagement of risks
The DfE was also found to be not providing sufficient privacy information to data subjects as required under the GDPR. The ICO also pointed to “confusion” within the DfE and its executive agencies “about when they are a controller, joint controller or processor and whether as a controller this is at the point of collection or as a recipient of personal data”.
There is also “no certainty” whether organisations who receive data from the DfE are acting as controllers or processors on their behalf.
As a result, there is “no clarity” as to what information is required to be provided.
“The DfE are reliant on third parties to provide privacy information on their behalf however, this often results in insufficient information being provided and in some cases none at all which means that the DfE are not fulfilling the first principle of the GDPR, outlined in Article 5(1)(a), that data shall be processed lawfully, fairly and in a transparent manner.”
The DfE provides “very limited training” to staff on issues such as information governance, records management, risk management, data-sharing, information security and individual rights. In some cases, there is “no assurance that staff are receiving any training whatsoever”.
The ICO also found information risks were “not managed in an informed or consistent manner”, and that the commercial department did not have “appropriate controls” in place to protect personal data being processed on behalf of the DfE by data processors.
This means there is “no assurance that it is being processed in line with statutory requirements particularly where processing contracts are of low enough value to not be subject to formal procurement procedures”.