The campaign groups DefendDigitalMe and Liberty notified the ICO (the Information Commissioner’s Office) that the data protection practices of the DfE (Department for Education) were unsafe.
The ICO began a more thorough investigation in November 2019 and found that data protection did not meet the requirements of the GDPR (the General Data Protection Regulation). An audit was undertaken at the DfE’s offices between the 24th of February and the 4th of March 2020.
The audit found no clear and formal data recording process as required by the GDPR (the ROPA, Record of Processing Activity) and no clear and formal risk management, which means the DfE cannot demonstrate accountability to the GDPR, the ICO stated.
Moreover, it was found that “The DfE are not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR.”
Problems were also reported with staff training, which proved to be very limited within the institution. According to the UK’s data protection authority, the large volume of data processing should be performed by competent staff who are properly trained on “information governance, data protection, records management, data sharing and individual rights.”
The DfE’s use of the Data Sharing Approvals Panel (DSAP) also needs adjustment. The ICO stated in the official report that the institution does not use the DSAP for all sharing decisions, as it is required to, “so there is a limit of oversight and consistency” on how data is shared externally.
According to the ICO’s Priority Ratings Summary, there are 32 urgent recommendations that the DfE must fulfil, followed by another 57 rated High in terms of urgency, 49 classified as Medium and only 1 rated Low priority. The UK’s Department for Education is therefore obliged to take action before the data protection authority takes a further step.
“Since the ICO completed its audit, we’ve taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data …” declared the UK’s Department for Education.
Source: https://ico.org.uk/media/action-weve-taken/audits-and-advisory-visits/2618384/department-for-education-audit-executive-summary-v1_0.pdf