9 November 2020
GDPR lessons to learn from the Department of Education’s data protection issues
By Faye Cheung, Researcher
The Information Commissioners Office (ICO) recently published its audit report of the Department of Education (DfE). It launched an investigation into DfE after receiving complaints over its handling of the National Pupil Database. The database contains information on every pupil in England – that’s over 21 million data subjects. One of the primary reasons for the investigation, which has been an on-going concern for years, was the Home Office’s use of the database within its policy to create a ‘hostile environment for illegal immigrants’.
The gravity of the concerns raised meant that the ICO invoked a rarely used power, granted by Section 146 of the Data Protection Act 2018, to conduct a data protection audit without obtaining consent from the party in question.
The summary of the audit report, published on 7th October 2020, states that the DfE has not demonstrated accountability with the UK’s data protection legislation. The ICO has issued a total of 139 recommendations to the DfE to address this. The recommendations are not published but the report outlines 15 general areas in need of improvement.
Lessons we can learn
Below is a brief summary of the report’s 15 areas of concern at the DfE. Alongside these, is an outline of our recommended lessons to be learnt.
|No.||Area of concern at DfE||Lessons for us to learn|
|1||No formal proactive oversight of any function of information governance||Compliance with UK’s data protection legislation will not occur naturally or organically. Active leadership is key.|
|2||Internal attitudes and cultural barriers preventing effective and legal information governance system.||Organisations should promote and maintain an appreciation of “privacy by design” and staff’s awareness of their roles and responsibilities under the data protection legislation. Training and information on the risks of non-compliance can enable this. Staff should appreciate that risks data breaches and monetary penalties from the ICO.|
|3||Organisational structure preventing legislative requirements of Data Protection Officer (DPO) as per Article 37-39 of the GDPR.||Organisations should have clear reporting lines and a clear understanding of the duties of the DPO, data processors and data controllers.|
|4||No policy framework or document control.||Organisations should have a written Information Governance Framework or Data Protection Policy. Furthermore, a system should be in place than ensures regular review. Good housekeeping is key when ensuring documents are up to date and accessible.|
|5||It is not clear what data is held by the DfE, which has resulted in there being no Record of Processing Activity (ROPA). This is a breach of Article 30 of the GDPR.||Organisations must understand what data they hold so that they know how to fulfil their legal obligations. Organisations with 250 or more employees must document all their data processing activities.|
|6||The DfE are not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR. This is partly due to a confusion over the roles of third party organisations, who are working with the DfE.||Clarity and transparency are key when working with third parties. If organisations are working with third parties, it should be understood who is playing which role. For example, if applicable, who is playing the role of a Data Controller, joint Data Controller or Data Processor and what the varying obligations of each role are.|
|7||Lack of training and awareness amongst staff. This is particularly problematic due to the volume and categories of personal data being processed at the DfE.||Meaningful staff training is vital, especially when dealing with large volumes of data or particularly sensitive data or data subjects, such as children.|
|8||The Knowledge and Information Management Team had no active involvement with the National Pupil Database, meaning there was no expert involvement despite the volume of children’s data being held.||Know what information is being collected within your organisation and how it is being used. If applicable, obtain expert advice to ensure data protection compliance.|
|9||Information risks are not managed in an informed or consistent manner. There is a lack of recorded information and detail.||Have a policy and implement it. Risk registers should be kept updated. Training, monitoring and good housekeeping will enable this.|
|10||Data protection impact assessments (DPIAs) are not being carried out early enough or at all.||Implement data protection procedures and do so meaningfully. It will be clear to the ICO if a DIPA is an afterthought and it could result in risks materialising. It is compulsory to conduct a DIPA for any projects that are likely to result in a high risk to individuals.|
|11||The Commercial department lacks control to ensure third parties are protecting DfE data.||It is important to pay particular attention to legal obligations when working with third parties.|
|12||Contrary to its duties, the Data Sharing Approvals Panel (DSAP) has limited oversight and consistency around how data is shared externally.||Those responsible for assessing and implementing data protection policy need to be accessible, proactive and legitimate.|
|13||Lack of formal assessment of applications for data access.||Organisations must have a clear and meaningful process in place for dealing with applications for access to their data and specifically Data Subject Access Requests (DSARs).|
|14||There are instances of DfE claiming lawful basis for sharing data, which are not always appropriate and supported by identified legislation.||No one is above data protection law. It might be necessary to obtain advice regarding the applicability of any exemptions to data protection legislation.|
|15||Only approximately 12 out of 400 applications for data access were rejected by the DfE. This was found to be due to an approach which actively favours the application rather than a robust assessment of whether the application is lawful.||Data protection law is not flexible. Training and a positive data protection culture should be embedded within an organisation to enable staff to have the confidence to comply with law despite any pressures from other parties.|
In need of data protection advice?
- Drafting data protection policies which outline clear roles and responsibilities.
- Facilitating senior management briefing sessions and presenting to boards about the importance of data protection compliance.
- Developing and implementing suitable internal governance framework to ensure data protection compliance
- Providing data protection audits and health checks.
- Providing comprehensive training for staff
- Drafting Data Subject Access Request policies, procedures and related documentation.
© Naomi Korn Associates, 2020. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)
Disclaimer: The material in this blog post is for general information only and is not legal advice. Always consult a qualified lawyer about a specific legal problem.