In the United Kingdom, the Government’s Department for Education (DfE) has been found guilty of breaching the European Union’s General Data Protection Regulation in relation to the manner in which it processes pupil data.
This follows an investigation that began during 2019 after human rights groups, including Liberty and DefendDigitalMe, submitted complaints that DfE would not permit parents access to their child’s record in the National Pupil Data. It was also claimed that there was no provision for amending incorrect data and that data belonging to minors was privately being shared with the U.K. Home Office.
The results of the ICO audit into the processes being used by the DfE showed widespread shortcomings in relation to data. The report included 139 recommendations to be addressed, of which 60% are marked as being highly urgent.
It found, for example, that the DfE is not providing “sufficient privacy information to data subjects”, that no data protection impact assessments (DPIAs) are being carried out at the correct and early stages of cases, and that no experts are involved in the creation of data storage or retention record systems.
When the investigation began an ICO representative said: “DFE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far-reaching issues, impacting a huge number of individuals in a variety of ways.”
Remarks that were released by ICO with the final report said: “There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE, which along with a lack of formal documentation, means the DfE cannot demonstrate accountability to the GDPR. Limited reporting lines, monitoring activity and reporting means there is no central oversight of data processing activities. As a result, there are no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements.”
The ICO reported that it identified a lack of awareness among staff of data protection, “potentially upping the risk of data breaches”.
DfE responded, saying that it takes the processing of personal data “extremely seriously” and “thanks the ICO for its report which will help us further improve in this area.” It went on: “Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it”.