ICO findings on national pupil data: comment

The Information Commissioner’s Office (ICO) has published the outcome of a compulsory audit of the Department for Education (DFE). It was undertaken in response to our legal team complaint on the handling of all pupil data, made in 2019 building on the complaint first made in 2015 and subsequent complaints by Liberty on DfE data sharing with the Home Office.
The audit found that data protection was not being prioritised and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws.
A total of 139 recommendations for improvement were found, with over 60% classified as urgent or high priority.
The DfE are not fulfilling their duties that data “shall be processed lawfully, fairly and in a transparent manner.”
This is damning and confirms what has been true since 2012 when government Ministers decided to change the law to give away millions of children’s identifying school records.
It’s unsafe, unaccountable and unlawful. The Department have done what they wanted and made the law ‘fit’ what they want to do. Yet don’t see fit to tell us. They seem to feel entitled to take away our ‘rights to know’ and rights to control our own records.
This is deeply sensitive stuff. Well over 21 million people’s names are now in the national pupil database, collected since 1996, with special educational needs, even university students’ religion and sexual orientation from equality monitoring. But the ICO identifies, that the DfE doesn’t have a good grasp of everything it holds.
“There is no clear picture of what data is held by the DfE and as a result there is no Record of Processing Activity (ROPA) in place which is a direct breach of Article 30 of the GDPR.”
Let’s be very clear. This is a systemic and structural set of problems, as a direct result of Ministerial decisions that changed the law in 2012 to give personal data away but didn’t tell the people, whom the data were about. The ICO clearly identifies that the requirement for a ROPA has been documented for over a year in audit reports and meeting minutes, however little progress has been made to address this. The DPO has been doing a good job. The accountability rests much higher up.
What will Gavin Williamson change to protect our children now, or will his Department continue to sell them out? Children’s confidential data are collected simply because they go to school. Without parents’ permission they’re given away and used for profit. Not for the purposes of a child’s education but misused by other government departments. Misused by gambling companies.

We need systemic change. We are calling for new law, an Education and Digital Rights Act, and independent oversight under a National Data Guardian for education.
The government wants a national data strategy, “that will support the UK to build a world-leading data economy”. At the moment, that means we’re all the data products, so we need to speak up and say no. Our children should not be commercially exploited just because they go to school. It’s long overdue that we take back control of our children’s lives described by all the data the government holds. If you’re under 37 and went to state school this involves you. Write and tell your MP that you object. You can use the letter on our webpage.

• “The Commercial department do not have appropriate controls in place to protect personal data being processed on behalf of the DfE by data processors.”
• “There is an over reliance on using public task as the lawful basis for sharing which is not always appropriate and supported by identified legislation.”
• “The DfE are providing very limited training to staff about information governance, data protection, records management, risk management, data sharing, information security, individual rights and in some cases there is no assurance that staff are receiving any training whatsoever.”
• “The DfE are reliant on third parties to provide privacy information on their behalf however, this often results in insufficient information being provided and in some cases none at all which means that the DfE are not fulfilling the first principle of the GDPR, outlined in Article 5(1)(a), that data shall be processed lawfully, fairly and in a transparent manner.”
• “There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE which along with a lack of formal documentation means the DfE cannot demonstrate accountability to the GDPR.”
• “In 400 applications, only approximately 12 were rejected due to an approach which is designed to find a legal gateway to ‘fit’ the application rather than an assessment of the application against a set of robust measures designed to provide assurance and accountability that the sharing is lawful in line with statutory requirements.”

We obviously welcome that the ICO has found what was necessary and appears to expect action from the DfE. The facts and evidence speak for themselves that regulatory intervention was long overdue. The key questions to ask now include will the ICO stop the DfE doing the things they found unlawful and what are they exactly? The audit covered several key control areas but only published its executive summary. Will it end unlawful data sharing? Will it end unsafe practice and by when?
The ICO executive summary of their compulsory audit of the Department for Education can be downloaded from the ICO website [link]. An Assessment Notice was issued to the Department for Education (DfE) on 19 December 2019. The audit field work was undertaken at DfE Offices in London, Coventry, and Sheffield between 24 February and 4 March. We expect the full findings to be published in the public domain, not only a summary.

---

What data are we talking about? Click on the infographic to expand what is collected by the DfE nearly all of which is potentially in each National Pupil Database record.