The United Kingdom’s Information Commissioner’s Office (“ICO”, the UK’s data privacy regulator) has found that the Department for Education’s (“DFE”) use of pupil data breaches the General Data Protection Regulation (“GDPR”). While it is not yet known what penalties will follow this audit failure, the finding puts governmental bodies handling personal information on notice that GDPR enforcement extends to public organizations.
The ICO first began investigating the DFE last year after receiving complaints from the human rights groups Liberty and DefendDigitalMe about its failure to allow parents to obtain their child’s data, its refusal to correct inaccurate data, and its “secret” sharing of information belonging to minors with the U.K. Home Office. The ICO released the findings of its months-long audit in early October, with 139 recommendations for improvement, 60% of which are considered high priority.
The ICO found that DFE employees are not well-versed in data protection, so the risk of data breaches is high. Additionally, the ICO found no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DFE. In summary, DFE has not implemented proper controls to ensure personal data processing activities are carried out in compliance with GDPR.
Regardless of whether your organization is public or private, you need to determine whether you’re subject to relevant data privacy laws like GDPR and CCPA. If you are, you’ll need to ensure that your protocols and procedures are in compliance; if they’re found to be wanting, you’re risking significant financial penalties.