The Department for Education has struggled to comply with data protection laws after the regulations were not “prioritised”, a watchdog has warned.
An audit by the Information Commissioner’s Office (ICO) found that the Government department had been in “direct breach” of a data protection law as there was “no clear picture” of what data it held.
The Department for Education (DfE) failed to “demonstrate accountability” to General Data Protection Regulation (GDPR), according to the ICO report.
We have published the outcome of our compulsory audit of the Department for Education. Read the executive summary here: https://t.co/If7Dlh8Vtz
— ICO (@ICOnews) October 7, 2020
The watchdog, which upholds information rights in the public interest, has issued 139 recommendations for improvement, with over 60% classified as “urgent or high priority”.
It has warned that a lack of awareness among staff at the DfE could lead to “multiple data breaches or further breaches of legislation” due to the high volume of personal data being processed.
The compulsory audit, which was carried out in February and March, followed complaints from campaign groups DefendDigitalMe and Liberty about the National Pupil Database.
It found that there was no record of processing activity in place – which is a “direct breach of Article 30 of the GDPR” – making it difficult for the DfE to fulfil other obligations around privacy information and security arrangements.
The ICO said it found that data protection “was not being prioritised” by the DfE and that this had “severely impacted” the department’s ability to comply with the UK’s data protection laws.
“Limited reporting lines, monitoring activity and reporting means there is no central oversight of data processing activities. As a result, there are no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements,” the report said.
It added that the department had provided “very limited training” to staff about information governance, data protection, records management, risk management, information security, individual rights, and in some cases “there is no assurance that staff are receiving any training whatsoever”.
The watchdog warned: “Given the volume and categories of personal data being processed, the lack of awareness amongst staff presents a high risk that data will not be processed in a compliant manner and could result in multiple data breaches or further breaches of legislation.”
Sam Grant, policy and campaigns manager at Liberty, said the report “displays a shocking failure of privacy protections which is dangerous for our rights”.
He said: “The type of data collected by the DfE can reveal a huge amount of sensitive personal information about us, and often about children and young people.”
Mr Grant added: “Our privacy protects us and control over our personal information is key to our autonomy. If this Government is serious about respecting our rights, it must start taking this seriously.”
Jen Persson, director of the DefendDigitalMe campaign group, said: “What will Gavin Williamson change to protect our children now, or will his department continue to sell them out?”
A DfE spokesman said: “We treat the handling of personal data – particularly data relating to schools and other education settings – extremely seriously and we thank the ICO for its report which will help us further improve in this area.
“Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it.
“As well as welcoming these moves, the ICO has recognised the stringent processes we have in place to make sure children and young people’s personal data is secure.”