28 October, 2020
On 7 October 2020, the Information Commissioner's Office (ICO) published the outcome of a compulsory audit of the Department for Education (DfE) earlier in the year. The audit found that data protection was not being prioritised and this affected the DfE's ability to comply with the GDPR and the Data Protection Act 2018.
It is understood that the ICO received complaints from DefendDigitalMe and Liberty in 2019 in relation to their concerns around the National Pupil Database (NPD). Following receipt of the complaints, the ICO met with the DfE in November 2019 and discussed conducting a consensual audit. However, given the amount of data involved and the fact that the data related to children, the ICO decided to undertake a compulsory audit.
The audit took place in February and March this year and included a comprehensive review of DfE data protection practices, governance and other key control measures supporting the NPD and internally held databases, using the framework of audit scope areas listed below. This allowed the ICO to identify any risk associated with the data processed and the implications for the individual rights of over 21 million individuals.
An executive summary of the report has been published this week. A total of 139 recommendations for improvement were made, with over 60% classified as urgent or high priority.
The summary details a series of findings including:
The ICO found that, despite the Data Directorate having been given overall responsibility for compliance, actual operational responsibility was fragmented across all the groups, directorates, divisions and teams that implement policy, services and projects involving personal data. The absence of sufficient reporting lines, procedures for monitoring activity and reporting indicated that there was no system in place for central oversight of data processing activities. It was noted that the DfE lacked formal, proactive oversight of every function of information governance, including data protection, records management, risk management, data sharing and information security, and that formal documentation was absent.
Cultural barriers and attitudes within the DfE meant that there was no effective system in place to ensure that personal data is processed in accordance with the GDPR principles.
The requirement in Articles 37-39 of the GDPR that the Data Protection Officer (DPO) inform and advise the controller was being met by the Privacy and Information Rights Advisory Service, which offers only an advisory service and has no formal links to the DPO.
The ICO found that existing policies showed no version control, and the absence of any formal review procedures meant that many were ineffective and obsolete. As there was no governance in place for the creation, review and approval of policies, the documents produced by the various directorates were inconsistent in style, approach and content.
There was no Record of Processing Activity (ROPA) in place despite it being documented over a year ago in audit reports and meeting minutes. This meant that there was a direct breach of Article 30 of the GDPR. Without a ROPA, the DfE were unable to fulfil other obligations such as privacy information, retention and security arrangements.
There was confusion within the DfE and its Executive Agencies about their roles as controller, joint controller or processor. This led to uncertainty as to what information was to be provided, with the DfE having to rely on third parties to provide information on its behalf. Consequently, adequate privacy information was not being provided to data subjects in accordance with Articles 12-14 of the GDPR. In some instances, no information was being provided to data subjects at all, which put the DfE in contravention of Article 5(1)(a), which requires that data be processed lawfully, fairly and in a transparent manner.
Despite the volume and categories of personal data being processed, the DfE were providing very little or no training to staff about information governance, data protection, records management, risk management, data sharing and individual rights. The DfE were reliant on staff making themselves aware of policies and procedures, without any follow-up or acknowledgement. This presented a high risk that personal data would not be processed in accordance with the legislative requirements and could result in multiple breaches.
The ICO found that there was no expert involvement to develop appropriate procedures for the creation, storage and retention of records. In this instance, the Knowledge and Information Management Team had no active involvement with the National Pupil Database.
The DfE were not managing information risks in accordance with the Risk Management Framework. It did not retain a record of all information risks, and where this was done, the record did not always identify actual risks or control measures. For the framework to be effective, information assets must be assessed with sufficient frequency and the risks identified must be recorded in adequate detail on the Information Risk Log to ensure effective control and monitoring.
Data protection impact assessments (DPIAs) were not being done early enough to influence the outcome, and in some cases were not completed before processing began. The assignment of a lawful basis in DPIAs was also high level, without justification for the designated lawful basis or details of how it applied to each specific processing activity.
There was an over-reliance on public task as the lawful basis for sharing. This is not always suitable, nor always supported by identified legislation. In some applications legitimate interest had also been used as a lawful basis; however, the understanding of the requirements of legitimate interest, and of how to assess its application and legality before sharing took place, was limited.
Of 400 applications, only approximately 12 were rejected. The ICO identified that this was down to an approach designed to find a legal gateway to 'fit' the application, rather than an assessment of the application against a set of robust measures designed to provide assurance and accountability.
The ICO acknowledged that the DfE engaged with it throughout the audit process and demonstrated a willingness to learn from and address the findings. The ICO has stated it will continue to monitor the DfE, reviewing improvements made against pre-agreed timescales, and warns of enforcement action if progress falls behind schedule.
The list of recommendations, along with the finding that data protection was not being prioritised, makes for eye-watering reading. However, the long list of recommendations gives some insight into the expectations of the ICO and what it looks for when carrying out an audit. Educational institutions should review the recommendations and build them into internal review or audit procedures to ensure they are able to demonstrate compliance with the GDPR.