Last month, the Department for Education (DfE) received a formal reprimand from the Information Commissioner’s Office (ICO) over a ‘serious breach’ of the GDPR involving the unauthorised sharing of up to 28 million children’s personal data. But the DfE has avoided a fine, despite a finding of ‘woeful’ data protection practices.
The reprimand followed the ICO’s investigation into the sharing of personal data stored on the Learning Records Service (LRS) database, for which the DfE is the data controller. LRS provides a record of pupils’ qualifications that education providers can access. It contains both personal and Special Category Data and at the time of the incident there were 28 million records stored on it. Some of those records would have pertained to children aged 14 and over.
The ICO investigation found that the DfE’s poor due diligence meant that it continued to grant Trustopia access to the database after Trustopia advised the DfE that it was the new trading name for Edududes Ltd, which had been a training provider. Trustopia was in fact a screening company and used the database to provide age verification services to help gambling companies confirm customers were over 18. The ICO ruled that the DfE failed to:
- Protect against the unauthorised processing by third parties of data held on the LRS database for reasons other than the provision of educational services. Data subjects were unaware of the processing and could not object or otherwise withdraw from this processing. Therefore the DfE failed to process the data fairly and lawfully in accordance with Article 5 (1)(a).
- Have appropriate oversight to protect against unauthorised processing of personal data held on the LRS database, and ensure the confidentiality of that data in accordance with Article 5 (1)(f).
The DfE has been ordered to implement the following five measures to improve its compliance:
1. Improve transparency around the processing of the LRS database so data subjects are aware and are able to exercise their data subject rights.
2. Review all internal security procedures on a regular basis to identify any additional preventative measures that can be implemented.
3. Ensure all relevant staff are made aware of any changes to processes as a result of this incident, by effective communication and by providing clear guidance.
4. Complete a thorough and detailed Data Protection Impact Assessment, which adequately assesses the risk posed by the processing.
5. Ensure sufficient data protection training is provided to all staff.
This investigation could, and many would say should, have resulted in a fine. However, in June 2022 information commissioner John Edwards announced a new approach towards the public sector with the aim of reducing the impact of fines on the sector. Had this new trial approach not been in place, the DfE would have been issued with a fine of over £10m.
The ICO also followed its new public sector enforcement approach when issuing a reprimand to NHS Blood and Transplant. In August 2019, the service inadvertently released untested development code into a live system for matching transplant list patients with donated organs. This error led to five adult patients on the non-urgent transplant list not being offered transplant livers at the earliest possible opportunity. The ICO said that, if the revised enforcement approach had not been in place, the service would have received a fine of £749,856.
Some would say that the DfE has got off very lightly here and, given its past record, perhaps more stringent sanctions should have been imposed. Two years ago, the ICO criticised the DfE for secretly sharing children’s personal data with the Home Office, triggering fears it could be used for immigration enforcement as part of the government’s hostile environment policy.
Many will question why the public sector merits this special treatment. It is not as if it has been the subject of a disproportionate number of fines. The first fine to a public authority was only issued in December 2021 (more than three and a half years after GDPR came into force) when the Cabinet Office was fined £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online. This was recently reduced to £50,000 following a negotiated settlement of a pending appeal.
Compare the DfE reprimand with last month’s Monetary Penalty Notice in the sum of £1,350,000 issued to a private company, Easylife Ltd. The catalogue retailer was found to have been using 145,400 customers’ personal data to predict their medical condition and then, without their consent, targeting them with health-related products. With austerity coming back with a vengeance, no doubt the private sector will question the favourable terms for the public sector.
Perhaps the government will come to the private sector’s rescue with its plans for UK GDPR reform. In July, Boris Johnson’s government published the Data Protection and Digital Information Bill (see tinyurl.com/3yuuacyv). Following the change of PM, during the Conservative party conference on 3 October, new digital secretary Michelle Donelan MP made a speech announcing a plan to replace the UK GDPR with a new ‘British data protection system’. The bill’s passage through parliament was suspended. It seemed that drafters would have to go back to the drawing board to showcase even more ‘Brexit benefits’. There was even talk of another round of consultation. Remember the bill is the result of an extensive consultation launched in September 2021 (‘Data: A New Direction’).
I attended the IAPP Conference in Brussels. Owen Rowland, deputy director at the Department for Digital, Culture, Media & Sport, said that the latest ‘consultation’ on the stalled bill will begin shortly. However, he confirmed it will not be a full-blown public consultation but a set of roundtables with different business sectors as well as privacy and consumer groups. Will these roundtables make a difference to the bill’s contents? I am sceptical but time will tell.
Ibrahim Hasan is a solicitor and director of Act Now Training