Department for Education failed to protect data on millions of children, says ICO
The Department for Education’s National Pupil Database, which contains millions of items of data on the UK’s schoolchildren, was found to be non-compliant with data protection regulations across the board
The Department for Education (DfE) has been criticised over a series of failures to prioritise data security that compromised its ability to comply with the UK’s Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR), following a lengthy investigation by the Information Commissioner’s Office (ICO) into the National Pupil Database (NPD).
The NPD contains millions of records relating to young people aged between two and 21 and is designed to track individuals as they move through the education system. Besides details of a pupil’s educational attainment at various levels, it holds identifying data on schools and personal data such as birth dates, ethnicity and nationality, disability, and, for older university students, data on sexual orientation and religion.
Identifying data from it can be made available to third parties for various purposes. The ICO began its audit in 2019 after receiving complaints from non-governmental organisations defenddigitalme and Liberty that the legal basis for a number of data releases made from 2012 to 2017 was not met.
“The audit found that data protection was not being prioritised and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws. A total of 139 recommendations for improvement were found, with over 60% classified as ‘urgent’ or ‘high priority’,” said the ICO.
“The ICO’s primary responsibility is to ensure compliance with the law and its policy is to work alongside organisations committed to making the necessary changes to improve data protection practice.”
The ICO conducted its audit between 24 February and 4 March 2020 using its powers under section 146 of the DPA. The probe covered the areas of governance and accountability, individual rights, training and awareness, information risk, data sharing, records management and information security.
It found that the DfE had no formal proactive oversight of any function of information governance and lacked formal documentation, which meant it could not demonstrate GDPR compliance. Responsibility for compliance was found to be fragmented, and limited reporting lines, monitoring and reporting activity meant there was no central oversight of data processing, and hence no controls to provide assurance that data processing was being carried out legally.
The ICO said it uncovered cultural barriers and attitudes within the DfE, highlighting limited staff training in key areas, and in some cases found no assurance that staff had received any data protection training. It said the DfE had tended to rely on staff to become self-aware of policies and procedures without follow-up or acknowledgement. Additionally, the department’s organisational structure left the data protection officer (DPO) functionally unable to comply with Articles 37, 38 and 39 of the GDPR.
The report went on to highlight a lack of policy framework or document control, which meant the department was operating without key policies such as an information governance framework or data protection policy. There was no clear picture of what data it actually held, and as a result no record of processing activity (Ropa) in place, a direct breach of the GDPR.
Additionally, the DfE was found in breach of Articles 12, 13 and 14 of the GDPR relating to the provision of privacy information to data subjects. There was also confusion, said the ICO, within the department and its executive agencies about whether it was a controller, joint controller or processor of the data it held, and what role third parties that accessed the data played, and as a result, no clarity on what information was supposed to be provided. It said the DfE was reliant on third parties to provide privacy information on its behalf, which often resulted in insufficient information being provided, and in some cases none whatsoever, a breach of Article 5(1)(a) of the GDPR.
The report summary, which can be downloaded in full from the ICO website, goes on to record a number of other failings. One of these is that the department’s knowledge and information management team had no active involvement in the NPD, which meant at no point was there expert involvement to develop procedures for the creation, storage and retention of data.
Information risks were not managed in an informed or consistent manner, information assets were not assessed often enough, and resulting risks were not recorded with sufficient detail to enable meaningful control and monitoring, on top of which not all information risks were actually recorded. Nor did the department conduct data protection impact assessments (DPIAs) in a timely or appropriate manner, or put controls in place to protect data being processed on its behalf by external data processors.
Nevertheless, the ICO noted the DfE’s positive engagement with the process. “Throughout the audit process, the DfE … showed a willingness to learn from and address the issues identified. The department accepted all the audit recommendations and is making the necessary changes,” it said.
A DfE spokesperson said: “We treat the handling of personal data – particularly data relating to schools and other education settings – extremely seriously and we thank the ICO for its report which will help us further improve in this area.
“Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it.
“As well as welcoming these moves, the ICO has recognised the stringent processes we have in place to make sure children and young people’s personal data is secure,” the spokesperson said.
Computer Weekly understands that the DfE has created a number of new data management roles in the past 12 months and rolled out data protection training for its staffers over the summer.
It also discloses all third-party access to its databases, which can be downloaded from its website. Organisations that have accessed data held in the NPD in the past include government departments such as the Department for Work and Pensions and HM Revenue & Customs, NHS organisations, examination bodies including Ofqual, research institutions such as the Institute for Fiscal Studies, multiple universities, and even, on one occasion, the Football Association, which was compiling data to help better support pupils taking part in Premier League youth development programmes.