UK Department For Education fails to meet UK, GDPR data protection standards - with flying colors

A compulsory audit has revealed severe security failings and data management problems.
Written by Charlie Osborne, Contributing Writer

A compulsory audit at the UK Department For Education (DFE) has exposed a quagmire of confusion and failures in managing and protecting data. 

When a government's "world-beating" COVID-19 test-and-trace system seems to fall at each hurdle and Excel spreadsheets are blamed for the loss of close to 16,000 confirmed coronavirus case registrations, perhaps it should not be a surprise that other departments also have data management problems.

In 2019, the DFE was the subject of complaints stemming from the Against Borders for Children (ABC) group for apparently sharing information belonging to minors "secretly" with the Home Office. 

At the time, as reported by The Guardian, the UK Information Commissioner's Office (ICO) said, "DFE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far-reaching issues, impacting a huge number of individuals in a variety of ways."

See also: ICO slams UK Met Police for failure to handle public data requests

The department was also accused of refusing to allow parents to see their child's record in the National Pupil Database or correct any inaccurate data by DefendDigitalMe (.PDF). 

In light of data protection concerns and potential violations of the EU's General Data Protection Regulation (GDPR), the ICO launched a compulsory audit into the department's data practices. 

The results are in and it appears the DFE has a long way to go before coming close to complying with UK protection laws. In total, 139 recommendations for improvement have been made, with over 60% classified as "urgent" or "high priority."


According to the audit (.PDF), completed in February and now made public, the DFE has "no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security [...] along with a lack of formal documentation."

CNET: DHS found disinformation efforts mirror Trump attacks on mail-in voting, senators say

This lack of structure means that the department cannot demonstrate GDPR compliance. In addition, the ICO notes a lack of "central oversight of data processing activities."

The employees at the department have also come under fire, with "internal cultural barriers and attitudes" cited as reasons for a failure on the DFE's part to implement an "effective system of information governance."

There are no formal policy frameworks, the role of Data Protection Officer (DPO) has not been established properly, little training is available to employees in data protection laws, and what data itself is held by the DFE is murky -- since there is no substantial record of data processing activity. 

Othe points of note include:

  • The DFE is not providing "sufficient privacy information to data subjects."
  • The DFE and internal executive agencies have shown confusion over who, or what, is a data controller, joint controller, or data processor;
  • The department hasn't shown any certainty of those who obtain data are controllers or processors -- and so it is not clear on what information should be provided;
  • There is a lack of awareness among staff of data protection, potentially upping the risk of data breaches;
  • No experts are involved in the creation of data storage or retention record systems;
  • No Data protection impact assessments (DPIAs) are being carried out at the correct and early stages of cases;
  • The Privacy Assurance Team (PAT) are risk assessing projects they aren't fully briefed on.

TechRepublic: How to boost the effectiveness of your cybersecurity operations

When it comes to sharing data with other organizations, the ICO notes that only 12 applications out of 400 were rejected due to an "over-reliance" on citing "public tasks" as the legal basis for the transfer of information. 

"The ICO's primary responsibility is to ensure compliance with the law and its policy is to work alongside organizations committed to making the necessary changes to improve data protection practice," the ICO said in a statement. "The department accepted all the audit recommendations and is making the necessary changes."

"We treat the handling of personal data -- particularly data relating to schools and other education settings -- extremely seriously and we thank the ICO for its report which will help us further improve in this area," a DFE spokesperson told ZDNet. "Since the ICO completed its audit, we've taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it."

Furthermore, the department says that training plans have now been created for staff and internal vacancies related to data management have been "vastly increased" over the last year, the majority of which have now been filled. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards