News / Blog National Pupil Database

The ICO audit of the Department for Education two years on

Two years ago today the Information Commissioner’s Office announced that they had carried out an audit at the Department for Education (“DfE”), and published an executive summary of their 139 findings.

It found the DfE policy on learners’ records was, designed to find a legal gateway to ‘fit’ the application”. There were insufficient controls, oversight, or lawful basis. And the DfE are not fulfilling the first principle of the GDPR, outlined in Article 5(1)(a), that data shall be processed lawfully, fairly and in a transparent manner.

The ICO decided to make it compulsory, due to the risks associated with the volume and types of personal data processed within the NPD as well as the ages of the [over 21 million] data subjects involved”… .

What has happened since?

The summary is no longer linked from the ICO announcement and does not appear in their published list of audit activity. If we had not captured it, you’d no longer know where to read it.

Both the ICO and the Department for Education have refused FOI requests to publish the audit in full.

In January 2021 the DfE published a limited written response with a promised further update in June 2021. It omitted any mention of commercial reuse. Or anything on how it will address rights or actions to address access to the 28 million learner records.

In April 2021, the then Schools Minister said that the Department had “undertaken to publish an update to the audit in June 2021 and further details….of the full audit report will be contained in this update.”

Later, a statement said it was delayed to the end of July 2021.

Nothing was published.

Little has appeared to change, since our summary one year ago today. In fact, the DfE has continued to disregard the importance of data protection law and has gone ahead with new intrusive projects, without involving the ICO despite claiming to the school sector that they had.

We continue to actively seek redress and to restore the rights of nearly 9 million children in state education today, and a further nearly 20 million in the DfE learner records databases. If the DfE will not change in response to a to-date unenforced audit from the regulator, what will it take? We will find out.

If you want to donate to support our continued legal work, the crowdfunder is here. This goes towards our costs, and is paid directly to the law firm supporting our case.