ICO still monitoring the DfE

The update issued by the Office of the Information Commissioner on their compulsory audit of the DfE passed me by when it appeared in October this year. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/statement-on-the-outcome-of-the-ico-s-compulsory-audit-of-the-department-for-education/ The executive summary of the original audit report had appeared in February 2020 and didn’t read like a ‘good news’ story for the Department.

It is good to know that the ICO is able to state in October that throughout the audit process the DfE engaged with the ICO and showed a willingness to learn from and address the issues identified and that the Department accepted all the audit recommendations and is making the necessary changes.

However, it appears that the ICO continues to monitor the DfE, reviewing improvements against pre-agreed timescales, and warns that enforcement action will follow if progress falls behind that schedule.

The ICO carried out the compulsory audit following complaints received in 2019 regarding the National Pupil Database.

According to the Executive Summary in the Report, an Assessment Notice was issued to the Department for Education (DfE) on 19 December 2019. The audit field work was undertaken between 24 February and 4 March [sic]. The full report doesn’t seem to be available on the ICO website.

As with Ofsted inspections, key areas for improvement are identified for the DfE to consider and, if necessary, act upon. These included, but were not limited to:

  • There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE, which, along with a lack of formal documentation, means the DfE cannot demonstrate accountability under the GDPR. Although the Data Directorate has been assigned overall responsibility for compliance, actual operational responsibility is fragmented throughout all groups, directorates, divisions and teams which implement policy, services and projects involving personal data. Limited reporting lines, monitoring activity and reporting mean there is no central oversight of data processing activities. As a result, there are no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements.
  • Internal cultural barriers and attitudes are preventing the DfE from implementing an effective system of information governance, which properly considers the rights and freedoms of data subjects against their own requirements for processing personal data to ensure data is processed in line with the principles of the GDPR.
  • The Commercial department does not have appropriate controls in place to protect personal data being processed on behalf of the DfE by data processors, which means there is no assurance that it is being processed in line with statutory requirements, particularly where processing contracts are of low enough value not to be subject to formal procurement procedures. Processor and third-party due diligence does not always consider whether appropriate organisational and security measures are in place to provide the DfE with assurance that personal data will be processed in line with statutory requirements.
  • There is an over-reliance on using public task as the lawful basis for sharing, which is not always appropriate or supported by identified legislation. Legitimate interest has also been used as a lawful basis in some applications; however, there is limited understanding of the requirements of legitimate interest, of how to assess its application and legality prior to sharing taking place, and of how it should be applied to ensure the use of this lawful basis is appropriate and considers the requirements set out in Article 6(1)(f) of the GDPR.

In all, 15 areas for improvement were listed in the report. This is both a comprehensive and very depressing list. No doubt since February, and despite the Covid-19 concerns that have taken up the time of the Department, procedures have been tightened up. Perhaps this is behind the nature of some of the data requests regarding the monitoring of the pandemic in schools.

Unlike Ofsted, the ICO doesn’t award grades to its audits. Without sight of the whole report it would be invidious to offer a suggested grade of the Ofsted type, but it clearly wasn’t a ‘clean bill of health’ for the DfE.