A National Pupil Database held by the UK’s Department of Education had ‘no formal proactive oversight’ to protect children’s data, the Information Commissioner’s Office has found.

The ICO concluded in its compulsory audit this week that DfE had ‘no formal proactive oversight of any function of information governance’ relating to data for millions of children.

The audit reveals that the DfE has not been meeting key requirements of the GDPR such as implementing policy frameworks and document controls. This meant crucial policies including an Information Governance Framework and a Data Protection Policy do not exist and therefore compliance with GDPR cannot be demonstrated. 

Additionally, the ICO states, “There is no clear picture of what data is held by the DfE and as a result there is no Record of Processing Activity (ROPA) in place which is a direct breach of Article 30 of the GDPR.” In total, 139 recommendations for improvement were found by the ICO, with over 60% considered urgent.

Furthermore, the ICO criticises the DfE’s legal basis for data sharing for being too reliant on “public task”, and where “legitimate interest” has been used in some cases, it is not clear how it should be used appropriately and in line with GDPR’s requirements.

“There is also some confusion within the DfE and its Executive Agencies about when they are a controller, joint controller or processor and whether as a controller this is at the point of collection or as a recipient of personal data,” says the ICO. “Equally there is no certainty whether organisations who receive data from the DfE are acting as controllers or processors on their behalf.” 

The ICO’s investigations into the DfE’s compliance with GDPR legislation began in 2019 after legal teams from digital rights campaigners, Defenddigitalme and Liberty claimed the legal basis for a number of data releases made from 2012 to 2017 was not met.

Responsibility for compliance has been described by the ICO as “fragmented” with limited reporting lines, monitoring and reporting activity. The audit states that the requirement for the DPO to inform and advise the controller is currently being fulfilled by the Privacy and Information Rights Advisory Service (PIRAS), who can only offer advice and are not formally connected to the DPO. 

Defenddigitalme, which made its first legal complaint in 2015, said, “The DPO has been doing a good job. The accountability rests much higher up.” According to the non-governmental organisation, the current failures of the DfE are not due to the mistakes of the DPO but are the result of changes made to the Education Act and Prescribed Persons Act in 2012-2013. 

The changes allowed children’s information to be released to external third parties for the purpose of “promoting the education or well-being of children in England.” Defenddigitalme estimates this year that at least 1,600 releases have been made of millions of records each time. 

A spokesperson for the DfE has since said: “We treat the handling of personal data – particularly data relating to schools and other education settings – extremely seriously and we thank the ICO for its report which will help us further improve in this area.

“Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it.

They added, “As well as welcoming these moves, the ICO has recognised the stringent processes we have in place to make sure children and young people’s personal data is secure.”