The UK’s Department for Education (DfE) breaches GDPR in the way it handles pupil data, the Information Commissioner’s Office (ICO) has found.
The ICO first began probing the DfE last year after it became the subject of numerous complaints. Human rights groups Liberty and DefendDigitalMe raised complaints about the department for failing to allow parents to see their child’s record in the National Pupil Data, its refusal to correct inaccurate data, and for “secretly” sharing information belonging to minors with the UK Home Office.
At the time, the ICO said: “DFE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far-reaching issues, impacting a huge number of individuals in a variety of ways.”
The ICO released the findings of its months-long audit this week and has concluded that there are widespread data protection failings at the DfE. Of its 139 recommendations for improvement, 60% are classed as urgent or high priority.
It found, for example, that the DfE is not providing “sufficient privacy information to data subjects”, that no data protection impact assessments (DPIAs) are being carried out at the correct and early stages of cases, and that no experts are involved in the creation of a data storage or retention record system.
The ICO also found that there is a lack of awareness among staff of data protection, “potentially upping the risk of data breaches”.
“There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE, which along with a lack of formal documentation, means the DfE cannot demonstrate accountability to the GDPR,” the ICO’s report noted.
“Limited reporting lines, monitoring activity and reporting means there is no central oversight of data processing activities. As a result, there are no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements.”
In a statement, the DfE said it treats the handling of personal data “extremely seriously” and “thanks the ICO for its report which will help us further improve in this area.”
“Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it,” a DfE spokesperson said.