The Department for Education has broken data protection law, a new audit report reveals.
The compulsory audit, carried out by the Information Commissioner's Office (ICO) earlier this year, was intended to provide "an assurance of the extent to which the DfE...is complying with data protection legislation", including how it handles and allows external access to pupil and student data.
It was determined that this would provide "a comprehensive review of DfE data protection practices, governance and key control measures supporting the NPD [National Pupil Database] and internally held databases".
"This would allow the commissioner to identify any risk associated with the data processed and implications to the individual rights of over 21 million data subjects," the report said.
And the DfE agreed to extend the scope of the audit to include the sharing of data contained within the Learning Records Service (LRS) database. This was to "assist an ICO investigation following a reported data breach", the report said.
The audit found that the department has been in "direct breach" of data protection law, as there is "no clear picture" of what data it holds, and therefore "no Record of Processing Activity (ROPA) in place".
It also found that the DfE "cannot demonstrate accountability to the GDPR", as there is "no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security" within the department.
The GDPR (General Data Protection Legislation) law came into force across the European Union member states over two years ago.
"Although the Data Directorate have been assigned overall responsibility for compliance, actual operational responsibility is fragmented throughout all groups, directorates, divisions and teams which implement policy services and projects involving personal data," the report said.
"Limited reporting lines, monitoring activity and reporting means there is no central oversight of data processing activities. As a result, there are no controls in place to provide assurance that all personal data processing activities are carried out in line with legislative requirements."
The audit followed a "broad investigation" by the information commissioner's enforcement team in 2019, which was sparked by concerns relating to the NPD.
The ICO initially met with "key senior-level data protection professionals" at the DfE to discuss the possibilities of a consensual audit, according to the report.
However, "due to the risks associated with the volume and types of personal data processed within the NPD as well as the ages of the data subjects involved", the commissioner decided to undertake a compulsory audit, it said.
An assessment notice was issued to the DfE in December 2019, and the audit fieldwork was undertaken at DfE offices in London, Coventry, and Sheffield between 24 February and 4 March.
A DfE spokesperson said: "We treat the handling of personal data – particularly data relating to schools and other education settings – extremely seriously and we thank the ICO for its report, which will help us further improve in this area.
"Since the ICO completed its audit, we've taken a number of steps to address the findings and recommendations, including a review of all processes for the use of personal data and significantly increasing the number of staff dedicated to the effective management of it.
"As well as welcoming these moves, the ICO has recognised the stringent processes we have in place to make sure children and young people’s personal data is secure."
The DfE said that it had vastly increased the number of internal posts relating to data management over the last year.
It added that it had developed specific training plans for staff relating to data management, which were rolled out over the summer.
And the department said it is increasing the frequency of its updates to its transparency publication about third-party access to DfE personal level data. The most recent update was published on 10 September, it said.