Government Internal Audit Agency found improvement needed on National Pupil Database
National Pupil Database pupil privacy / April 21, 2016
Improvements should be made over vetting and validation of applications to access the National Pupil Database, information retention procedures, and data handling guidance, according to The DfE Consolidated Annual Report and Accounts 2014-15 published on April 20, 2016.
The Government Internal Audit Agency (GIAA) rated assurance as ‘Limited’. [p40]
The internal audit findings confirm our concerns that the access process for the National Pupil Database needs urgent attention.
The Department gives out 20 million children’s confidential personal data to unaccredited third parties without the consent of parents or pupils.
We are calling for The Department for Education (DfE) to improve transparency and its handling of the National Pupil Database.
There should be transparent external audits of those who have received data to date and tightened up data access and destruction processes.
We have concerns that children’s identities are being potentially exposed to theft and misuse while the DfE carries on outdated data release practices handing data out ‘into the wild’. These sensitive confidential data must be used in safe settings, and need a new privacy impact assessment, and public consultation. There should be a review of the DfE sharing children’s personal data in legislative theory, and in practice.
No audit of the 500+ recipients of confidential data had ever been carried out by the DfE when we asked via Freedom of Information in 2015, the DfE “not having needed to exercise this power to date” .
Without independent audit no one knows whether the recipients are handling data well or who might be selling it, losing it, or not ever deleting it. In 2015 The Telegraph, for example, was overdue confirming whether it had deleted the data of millions of children it received over 2 years earlier.
The report also mentions one official Unauthorised Disclosure of personal data, a significant incident reported to the Information Commissioner’s Office when the personal data of 4,190 pupils (including some sensitive personal data as defined in Section 2 of the DPA 1998) were sent in error to local authorities and their management information service providers.
Amyas Morse, head of the National Audit Office, provided an adverse opinion on the truth and fairness of DfE’s financial statements in the Consolidated Annual Report and Accounts 2014-15.
– end –
1 [p40] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/517766/DfE-consolidated-annual-report-and-a-counts-2014-to-2015-Web-version.pdf