The Information Commissioner’s Office (ICO) has issued a rebuke to the Department for Education (DfE) for shortcomings in its approach to data protection.
It has published the outcome of a compulsory audit, carried out in February, which found that data protection was not given sufficient priority and had undermined the department’s ability to comply with the relevant laws.
The audit produced 139 recommendations for improvement, with over 60% classified as urgent or high priority.
The move followed complaints about the DfE’s handling of the National Pupil Database (NPD).
Among the areas recommended for improvement by the ICO are shortcomings in information governance, problems with organisational infrastructure, the lack of a policy framework or document controls for data protection, a failure to provide sufficient privacy information to data subjects, and limited staff training.
In addition, the DfE’s knowledge and information management team has had no active involvement with the NPD, which meant to appropriate procedures had been developed for the creation, storage and retention of records. Also, the commercial department has not had appropriate controls in place to protect personal data being processed on behalf of the DfE by data processors.
Image from iStock, abluecup