The Information Commissioner's Office said it has issued 139 recommendations, including 32 urgent ones, to the Department of Education (DfE) after carrying out a comprehensive audit of the department's data protection practices.
The audit, which was conducted in February this year, was initiated after the ICO received complaints from privacy campaign groups Liberty and DefendDigitalMe about poor security protocols governing the National Pupil Database. Following the completion of the audit, ICO said it found glaring gaps in DfE's data protection policies that "severely impacted the DfE’s ability to comply with the UK’s data protection laws".
Based on its assessment of the risks involved, the ICO issued a total of 139 recommendations to DfE to help it strengthen its data protection practices. These included 32 urgent priority recommendations and 49 high priority recommendations to address areas that represented clear and immediate risks to the DfE’s ability to comply with the requirements of the DPA.
"There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing, and information security within the DfE which along with a lack of formal documentation means the DfE cannot demonstrate accountability to the GDPR," ICO said.
"Although the Data Directorate has been assigned overall responsibility for compliance, actual operational responsibility is fragmented throughout all groups, directorates, divisions, and teams which implement policy services and projects involving personal data.
"Limited reporting lines, monitoring activity, and reporting means there is no central oversight of data processing activities. As a result, there are no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements.
"Internal cultural barriers and attitudes are preventing the DfE from implementing an effective system of information governance, which properly considers the rights and freedoms of data subjects against their own requirements for processing personal data to ensure data is processed in line with the principles of the GDPR," it added.
Among ICO's other findings were that the DfE did not have key policies such as an Information Governance Framework or a Data Protection Policy in place, that existing policies were not subject to any formal review procedures, that DfE did not maintain a Record of Processing Activity (ROPA) in violation of GDPR, and that DfE did not provide sufficient privacy information to data subjects as mandated by GDPR.
ICO also discovered during the audit process that the DfE provided very limited training to staff about information governance, data protection, records management, risk management, data sharing, information security, and individual rights, and relied on staff to make themselves aware of policies and procedures without any follow-up or acknowledgment.
As far as the management of the National Pupil Database was concerned, ICO found that DfE's Knowledge and Information Management Team (KIM) had no active involvement with the database. This meant that there was no procedure governing the creation, storage, and retention of pupil records, and hence, no oversight on what information was added to or removed from the database.
Finally, ICO also found that the DfE did not carry out data protection impact assessments (DPIAs) early enough to influence the outcome of a project and, in some cases, a DPIA was not carried out at all before a project began. In addition, DfE's Commercial department did not have controls in place to protect personal data being processed on behalf of the DfE by data processors.
These findings led the ICO to conclude that the failures "severely impacted the DfE’s ability to comply with the UK’s data protection laws". "The ICO continues to monitor the DfE, reviewing improvements against pre-agreed timescales. Enforcement action will follow if progress falls behind the schedule," it added.