A compulsory audit at the UK Department For Education (DFE) has exposed a quagmire of confusion and failures in managing and protecting data. 

When a government’s world-beating COVID-19 test-and-trace system seems to fall at each hurdle and Excel Spreadsheets are blamed for the loss of close to 16,000 confirmed coronavirus case registrations, perhaps it should not be a surprise that other departments also have data management problems. In 2019, the DFE was the subject of complaints stemming from the Against Borders for Children (ABC) group for apparently sharing information belonging to minors “secretly” with the Home Office. 

At the time, the UK Information Commissioner’s Office (ICO) said, DFE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far reaching issues, impacting a huge number of individuals in a variety of ways. The department was also accused of refusing to allow parents to see their child’s record in the National Pupil Database or correct any inaccurate data by DefendDigitalMe.

In light of data protection concerns and potential violations of the EU’s General Data Protection Regulation (GDPR), the ICO launched a compulsory audit into the department’s data practices. The results are in and it appears the DFE has a long way to go before coming close to complying with UK protection laws. In total, 139 recommendations for improvement have been made, with over 60% classified as “urgent” or “high priority.”

According to the audit, completed in February and now made public, the DFE has no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security along with a lack of formal documentation. This lack of structure means that the department cannot demonstrate GDPR compliance. In addition, the ICO notes a lack of “central oversight of data processing activities.”

The employees at the department have also come under fire, with “internal cultural barriers and attitudes” cited as reasons for a failure on the DFE’s part to implement an “effective system of information governance.There are no formal policy frameworks, the role of Data Protection Officer (DPO) has not been established properly, little training is available to employees in data protection laws, and what data itself is held by the DFE is murky since there is no substantial record of data processing activity.