Department for Education in ‘direct breach’ of data protection law – watchdog

The Department for Education has struggled to comply with data protection laws after the regulations were not “prioritised”, a watchdog has warned.

An audit by the Information Commissioner’s Office (ICO) found that the Government department had been in “direct breach” of a data protection law as there was “no clear picture” of what data it held.

The Department for Education (DfE) failed to “demonstrate accountability” to General Data Protection Regulation (GDPR), according to the ICO report.

The watchdog, which upholds information rights in the public interest, has issued 139 recommendations for improvement, with over 60% classified as “urgent or high priority”.

It has warned that a lack of awareness among staff at the DfE could lead to “multiple data breaches or further breaches of legislation” due to the high volume of personal data being processed.

The compulsory audit, which was carried out in February and March, followed complaints from campaign groups DefendDigitalMe and Liberty about the National Pupil Database.

It found that there was no record of processing activity in place – which is a “direct breach of Article 30 of the GDPR” – making it difficult for the DfE to fulfil other obligations around privacy information and security arrangements.

The ICO said it found that data protection “was not being prioritised” by the DfE and that this had “severely impacted” the department’s ability to comply with the UK’s data protection laws.

“Limited reporting lines, monitoring activity and reporting means there is no central oversight of data processing activities. As a result, there are no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements,” the report said.

It added that the department had provided “very limited training” to staff about information governance, data protection, records management, risk management, information security, individual rights, and in some cases “there is no assurance that staff are receiving any training whatsoever”.

The watchdog warned: “Given the volume and categories of personal data being processed, the lack of awareness amongst staff presents a high risk that data will not be processed in a compliant manner and could result in multiple data breaches or further breaches of legislation.”

A DfE spokesman said: “We treat the handling of personal data – particularly data relating to schools and other education settings – extremely seriously and we thank the ICO for its report which will help us further improve in this area.

“Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it.

“As well as welcoming these moves, the ICO has recognised the stringent processes we have in place to make sure children and young people’s personal data is secure.”