The Department for Education (DfE) has breached data protection law in its handling of pupil data, the data protection regulator has ruled after an investigation that found widespread failings.
The Information Commissioner's Office (ICO) concluded that the DfE failed to comply with several articles of the General Data Protection Regulation (GDPR), which governs how personal data is managed and used across Europe.
The audit, conducted in February and March, was triggered by complaints from the human rights groups Liberty and DefendDigitalMe about the national pupil database (NPD), which holds information on millions of past and present pupils. It found that data protection "was not prioritised" and that this "has severely affected the DfE's ability to comply with UK data protection laws".
The ICO expanded the audit to include the Learning Records Service database in November 2019 after it emerged that the database had been accessed by data intelligence company GB Group, whose clients include 32Red and Betfair. FE Week reported in January that the founder of the training provider which improperly shared the data had been the subject of an earlier government investigation.
The audit also follows a series of investigations by FE Week's sister paper, Schools Week, into the government's attempt to collect data on pupils' nationality and country of birth for sharing with the Home Office for immigration enforcement purposes. That reporting, together with a high-profile campaign by children's rights groups, led to a widespread boycott of the collection, which was subsequently scrapped.
Schools Week reported last November that the DfE was facing potential enforcement action over "wide-ranging and serious concerns" about its data-sharing activities. The ICO's report, published today, sheds new light on the extent to which data protection law has been breached more generally at the DfE.
The watchdog issued 139 recommendations for improvement, over 60 per cent of which were rated "urgent or high priority". The DfE said it has since reviewed "all processes related to the use of personal data".
The ICO examined how the NPD, the Learning Records Service and the DfE's "internally maintained databases" are managed and found that "no formal proactive monitoring of an information governance function, including data protection, records management, risk management, data sharing and information security" takes place.
Coupled with the lack of formal documentation, this meant the department “cannot demonstrate accountability to the GDPR”.
The audit revealed that “internal cultural barriers and attitudes” prevented the introduction of an “effective system of information governance” and that the role of the DfE’s data protection officer did not meet all the requirements of the GDPR.
The DfE also has "no policy framework or document control", and the policies that do exist "are not version controlled and are not subject to formal review procedures, which means many are out of date and ineffective", the ICO noted.
There is also "no clear picture of what data is held by the DfE" and therefore no record of its processing activities, a direct breach of Article 30 of the GDPR, which requires controllers to maintain such a record. Without it, the ICO said, it would be "difficult for the DfE to meet its other obligations such as privacy information, retention and security measures".
The sharing of data from the NPD with outside organisations has been controversial for a number of years, and children's rights groups have called for it to be discontinued, even after their success on the nationality and country-of-birth records.
As part of its data-sharing process, the DfE passes anonymised extracts of the NPD to organisations that request them. However, the ICO found that the lawful bases relied on for these disclosures were not always justified.
Instead, there was "over-reliance" on "public task" as the lawful basis for sharing, which "was not always appropriate and supported by the legislation identified".
"Legitimate interests" was also relied on as the lawful basis in some applications, but there is "limited understanding of the legitimate interests requirements and how to assess the application and lawfulness prior to sharing", the ICO warned.
"Of 400 applications, only about 12 were rejected, due to an approach aimed at finding a legal gateway to fit the application rather than assessing the application against a set of robust measures that ensure certainty and accountability that the sharing is lawful in accordance with legal requirements."
A DfE spokesperson said the department took the handling of personal data "very seriously" and had "taken a number of steps since the audit to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to effective management".
Limited training and mismanagement of risks
The audit also found that the DfE does not provide data subjects with sufficient privacy information, as the GDPR requires. The ICO pointed to "confusion" within the DfE and its executive agencies as to "when they are controllers, joint controllers or processors, and whether this is as a controller at the point of collection or as a recipient of personal data".
There is also “no certainty” as to whether organizations receiving data from the DfE are acting as controllers or processors on their behalf.
As a result, there is “no clarity” about what information needs to be provided.
"The DfE relies on third parties to provide privacy information on its behalf. However, this often results in insufficient and, in some cases, no information at all, which means that the DfE does not comply with the first principle of the GDPR, set out in Article 5(1)(a), that personal data be processed lawfully, fairly and in a transparent manner."
The DfE offers staff "very limited training" on topics such as information governance, records management, risk management, data sharing, information security and individual rights. In some cases there is "no assurance that staff are trained at all".
The ICO also found that information risks "were not being managed in an informed or consistent manner" and that the department's commercial function did not have "appropriate controls" in place to protect personal data processed by data processors on the DfE's behalf.
This means that "there can be no assurance that it is being processed in line with legal requirements, particularly where processing contracts are of low value and so are not subject to formal procurement procedures".