News / Blog

The ICO audit of the Department for Education: one year on

One year ago today, the ICO released a summary of its compulsory audit of the Department for Education. It was carried out 24 February – 4 March 2020, after a broad range investigation in 2019 and complaints from us and Liberty.

The references come from the October 7, 2020 statement on the outcome of the ICO’s compulsory audit of the Department for Education.

The ICO decided to make it compulsory due to the risks associated with the volume and types of personal data processed within the NPD as well as the ages of the data subjects involved”…”over 21 million data subjects” [people]

Findings included 139 recommendations for improvement and >60% classified as urgent or high priority (Feb 2020). Urgent priority recommendations …represent clear and immediate risks to the DfE’s ability to comply with the requirements  of data protection legislation”.

Areas for improvement began by pointing out there was no formal proactive oversight of any function of information governance and no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements.”

The audit made a generic finding that the Department fails to properly consider the rights and freedoms of data subjects.
A key finding is failure to inform you that your personal data are being used — including given to third parties — “the DfE are not fulfilling the first principle of the #GDPR, outlined in Article 5(1)(a), that data shall be processed lawfully, fairly and in a transparent manner.

With the cultural barriers to taking data protection seriously it may be no surprise, “The DfE are providing very limited training to staff... and in some cases there is no assurance that staff are receiving any training whatsoever.”

And eek! With databases of over 21 million people’s named sensitive records the audit found inadequate procedures on the creation, storage, weeding and retention of data.

The Department Privacy Assurance Team are not fully informed, or involved early enough to influence change and results in poor outcomes. DPIAs are one safeguard under threat of abolition in the DCMS Data: A New Direction consultation plans for killing off pesky data protection laws that protect our rights.

The audit found that the ‘commercial department’ do not have appropriate controls in place to protect personal data being processed on behalf of the DfE which is deeply concerning given the routine distribution of millions of sensitive records for commercial reuse.

And after the millions of sensitive and identifying records have left the Department for Education who knows where it goes? Not the DfE. Remember the Jan 2020 access to the Learner Records Service by gambling companies?

But before the Department gives away children’s and 15 million now adults’ *sensitive* data, they do really good due diligence, right? Wrong. There is no formal assessment of applications for data protection compliance.”

And here’s another one of the big ticket issues and a pesky thing the DCMS Data A New Direction consultation wants to be able to gloss over in future data rights’ destruction. An over reliance on legitimate interests (LI). The consultation proposes scrapping LI assessment and balancing tests.

In summary, the audit found policy designed to giveaway learners’ records designed to find a legal gateway to ‘fit’ the application. Insufficient controls, oversight, or lawful basis. Between March 2012 to June 2021 there’s been nearly 2,500 releases each of millions of records.


 

One year on after the ICO Pupil Data audit, what has changed? As far as we can see, very little.

In January 2021 the DfE published a written response to the ICO Audit with a promised further update in June 2021. It omits commercial reuse. Or anything on how it will address rights or actions to address access to the 28 million learner records by gambling companies.

What we know is only a summary of the issues. The now ex-Schools Minister Nick Gibb promised @libdemdaisy answers to be published in June 2021. Will DfE implement the 139 recommended improvements? What about publishing the full audit report? Any update has yet to be seen.

It didn’t show up in July either.

So what now? Does the January 2021 response from the Department say there will be systemic change? Not really. It’s a bit of a shoulder shrug. The lack of recognition of risk like identity fraud is shocking. It’s 28+ million people, and most are children when data is collected.

Worryingly, it took an external audit to get contracts assessed. In 2015 we asked what had happened to 9 million children’s sensitive data given to 10 journalists in 2012. The DfE didn’t know. On asking the paper, it had not yet been destroyed. Did any process change as a result?

The DfE claims to have improved ways of talking to parents. Of 28 million records in the Learner Records Service most are adults no longer in school. How will the DfE address the audit failure to tell us all what is being done to our personal confidential data by whom?

We know there’s been a pandemic in between. But we first presented a written case to the Office of the Information Commissioner and met with the DfE over 5 years ago. Privacy notices on a website that no one knows exist, especially not those who’ve left education are *not* fair processing. This is not an adequate response.

We understand that the issues are so grave that it takes time. But how long should people have to wait to get their rights in law upheld? We want to see full transparency of the full audit findings. A timetable of the actions to fix each. And systemic change to prevent it again.

Until each grave failure is fixed and rights met, the Information Commissioner should enforce a suspension of Pupil Data processing. It is a national scandal our Department for Education gives away the sensitive, personal confidential data of millions of school children.

Over a year after the audit audit, we are going in the wrong new direction. Reception Baseline has begun and parents don’t know it creates their child’s first DfE record for life. There’s another data grab in the Skills Bill. And that’s even before the DCMS Data A New Direction consultation.

Legislation is carrying on business as usual. Data distribution is carrying on, business as usual. Our children go to school to exercise their right to education not to become a product to pass around an unlimited number of third parties.

The ICO audit found the DfE fails millions of people our human rights and freedoms. We’re going to change that.


References

 

Take action https://defenddigitalme.org/my-school-records/my-records-my-rights/

Support us. To help us continue our work please support our crowdfunder.

October 2020: The ICO executive summary audit.

January 2021: The Department for Education reply.

The DCMS consultation closes at 11:45pm on November 19, 2021 on changes to data protection. https://www.gov.uk/government/consultations/data-a-new-direction