Department For Education Issued With Reprimand For The Unlawful Processing Of Data

Ruby Ashby

The Information Commissioner’s Office (ICO) has carried out an investigation into the Department for Education’s (DfE) use of data. The ICO has now concluded its investigation and has issued a reprimand which has been published on its website.

The DfE has overall responsibility for the learning records service database (LRS). The LRS is a database that provides a record of pupils’ qualifications, which is then shared with education providers. The LRS contains personal and special category data.

The DfE had continually granted an employment screening firm (Trustopia) access to the LRS to check whether people opening online gambling accounts were 18. The ICO conducted its investigation to determine whether the DfE had complied with the requirements of the data protection legislation when giving Trustopia access to the data.

The ICO found that the DfE was in breach of a number of requirements of the UK GDPR including the lawfulness, fairness, and transparency principle and the integrity and confidentiality principle.

Lawfulness, fairness, and transparency principle

In accordance with Article 5(1)(a) of the UK GDPR, the processing of data must be lawful, fair, and transparent.

For the processing of personal data to be lawful, a ‘lawful basis’ for the processing needs to be identified. If no lawful basis applies the processing is unlawful and in breach of this principle. In a previous blog, we discussed the six lawful bases in more depth, see here.

The processing of data must always be fair as well as lawful. If any aspect of the processing is unfair the processing will be in breach of this principle. Processing data fairly means that you should only handle personal data in ways that people would reasonably expect.

You must also ensure that you are processing data transparently. Transparent processing is about being clear, open, and honest with people about how and why you use their personal data.

The ICO found that, in allowing Trustopia access to the LRS, the DfE had failed to protect against unauthorised processing and had allowed a third party to process the data for reasons other than the provision of education services. The DfE could not identify a lawful basis for the processing and therefore was not processing the data lawfully. The ICO further confirmed that the DfE had not been processing the data in a transparent manner: the data subjects were unaware of the processing and therefore could not object to it.

Integrity and confidentiality principle

In accordance with Article 5(1)(f) of the UK GDPR, a data controller must have the appropriate security measures in place to protect the data that they hold. These measures should prevent personal data from being accidentally or deliberately compromised.

The ICO found that the DfE had failed to protect against the unauthorised processing of personal data held on the LRS database. It also found that the DfE had failed to ensure the confidentiality of that data.

The ICO considered issuing a fine of £10,030,000. However, in line with the ICO’s new approach to breaches by public sector organisations (see our previous blog here), the ICO has instead issued a reprimand in accordance with Article 58 of the UK GDPR.

The DfE has since permanently removed Trustopia’s access to the LRS, which has prevented any further unauthorised sharing of data. Within the reprimand, the ICO has identified five further measures for the DfE to implement to improve its compliance. These are:

  • taking steps to improve transparency around the processing of the LRS database so that data subjects are aware of it and able to exercise their rights;
  • reviewing internal security procedures on a regular basis to identify any additional measures that should be implemented;
  • ensuring all relevant staff are made aware of any changes to processes made as a result of this incident;
  • completing a thorough Data Impact Assessment when processing personal data that is likely to result in a high risk to individuals; and
  • ensuring sufficient data protection training is provided to all staff.

Comment

The issuing of this official reprimand (and its publication on the ICO’s website) is another of the steps the ICO has taken to implement ICO25. I suspect over the next three years we will see many more public authorities issued with reprimands and practice recommendations.

The UK Information Commissioner, John Edwards, has published a statement following the above which sheds some light on the ICO’s thinking behind the issuing of the reprimand. John Edwards has commented as follows:

“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.

We all have an absolute right to expect that our central Government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.

“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to the Government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

How can we help

Ruby Ashby is an Associate in our expert Dispute Resolution team.

If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
