The UK’s data protection regulator has made scores of urgent recommendations to the Department for Education (DfE) after an audit revealed it is failing to meet legal obligations enshrined in the GDPR and local law.
The Information Commissioner’s Office (ICO) launched its investigation after concerns were raised over inaccuracies in the National Pupil Database (NPD). Liberty also raised complaints last year over secret sharing of pupil data with the Home Office.
Completed in February but not published by the ICO until yesterday, the report highlights widespread data protection failings at the DfE. Of its 139 recommendations for improvement, 60% are classed as urgent or high priority.
“There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE, which along with a lack of formal documentation, means the DfE cannot demonstrate accountability to the GDPR,” the report noted.
“Limited reporting lines, monitoring activity and reporting means there is no central oversight of data processing activities. As a result, there are no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements.”
Other failings include internal cultural barriers and attitudes preventing effective information governance, an ineffective Data Protection Officer (DPO) thanks to structural failings, a lack of data protection policy or information governance framework, and no Record of Processing Activity (ROPA), which directly breaches the GDPR.
Insufficient privacy information is provided by the DfE to data subjects, staff are provided only “very limited training” in data protection and handling, information risks are not managed in an “informed or consistent manner,” and data protection impact assessments (DPIAs) are not carried out early enough in projects to influence the result.
On the plus side, the DfE has accepted all audit recommendations and is believed to be making the necessary changes, although it faces enforcement action if it falls behind, the ICO said.