The Department for Education (DfE) broke GDPR data protection laws, an ICO audit has concluded.
The DfE failed to meet standards on a number of different counts, demonstrating a nonchalance towards data protection laws to the extent that there was “no formal proactive oversight of any function of information governance” in areas including data protection, data sharing and information security.
The audit found that because of these failings, the department “cannot demonstrate accountability to the GDPR”.
The report makes a grand total of 139 recommendations for improvement, of which 60% are classified as urgent or high priority.
This isn’t the first time the department has been criticised for dodgy data practices. The audit itself was prompted by action from Liberty and DefendDigitalMe, who complained that the national pupil database, which contains data on millions of pupils, was not being managed in line with UK data protection laws.
In 2019, it emerged that the department was planning to share pupil data with the Home Office for immigration purposes. However, the plans were suspended following a campaign by children’s groups including Against Borders for Children.
The DfE has accepted all the recommendations and is working to address them, according to a statement released by the ICO.