The reprimand issued to the Department for Education UK (DfE) raises five lessons for organisations who have internal colleagues and/or external partners re-used existing personal data.
1) Personal Data can be reused – but only for compatible purposes
In this case, the DfE enabled personal data of millions of children (name, data of birth, gender and their learning achievements / qualifications).
…which had been collected for one purpose (to enable education providers to verify the academic qualifications of potential students and/or check their eligibility for funding).
…to be used for a different purpose (age verification purposes - to check whether people opening online gambling accounts were 18).
…and the organisation using the data was a private company not in the education sector.
Article 6(4) of the GDPR is critical here.
It defines how you should assess whether a proposed re-use of personal data for a new purpose is compatible with the original purpose for which it was initially collected.
Key Questions:
- Do you have procedures to manage internal requirements and external requests to use existing personal data for new purposes?
- Do you document your decision making?
2) Suppliers and partners can change – and you should monitor and manage such change
In this case, a company that was a training provider (and therefore had a license to access the database) at some point changed to an age verification/screening company.
Yet the DfE continued to grant them access to the database, even though the original company advised the Department of its new trading name.
The ICO implies that the DfE was not checking with sufficient detail who was requesting access to the database or why they wanted access. Most damningly, they assert that “no regular checks were carried out on a user’s activities which left the LRS database vulnerable to misuse.”
The ICO identified “weaknesses with [the DfE’s] registration process” and that “more stringent checks and controls” have since been introduced.
Key Questions:
- Have you got a programme of audit and review for your suppliers and partners?
- How do you ensure the contractual terms, security measures and agreed uses of data on key relationships are still being adhered to?
3) A Data Protection Impact Assessment (DPIA) could have spotted the risks
The ICO required the DfE to implement several measures to improve its compliance.
One requires the DfE to undertake a DPIA to “adequately assess…the risks” posed by the processing so they can “identify and mitigate the data protection risks of that processing on individuals.”
Reading between the lines: if the DfE had done a DPIA in a timely manner, they would likely have identified some of the risks.
And given the facts – i.e. the nature of the data (about children’s education) and scope (28 million records, retained for 66 years) and context (a major government department; a clear interest in the data from external
organisations (12,600 organisations had access to the LRS database at the time of the breach)) and purposes of processing – it’s clearly processing that deserved a DPIA.
Key Questions:
- Do you start DPIAs early enough in your project planning or process changes?
- Do you ensure the data protection risks are assessed?
- And could you evidence what mitigations were deployed or which risks were deemed acceptable to the project or change?
4) Training, training, training (a broken record…but still a critical one)
Having made changes to their processes, the ICO still appears concerned that not all relevant staff at the DfE may be fully aware of them.
As with the recent Interserve fine, the ICO seems at pains to highlight that simply making policy and procedural change is not enough: staff need to know about them, understand them, and follow them.
The ICO has therefore required the DfE to ensure relevant staff are trained on the changes and all staff receive data protection training.
Key Questions:
- Can you evidence that staff have read your policies?
- Can you evidence who has received training?
- Could you explain why certain roles received the training they did?
- Do you provide training at induction and annually?
5) Transparency is not just about having a privacy policy – it’s about individual rights
It is all too easy to slip into believing that transparency begins and ends with having a long, detailed Privacy Policy on your website.
This case serves as a useful reminder that at the core of being transparent is ensuring people know what is happening to their personal data so they can then use their rights.
In this case, the ICO noted that the children we “unaware of the processing and could not object or otherwise withdraw from this processing…”
It required the DfE to improve transparency so that the children (and their parents) “are aware and are able to exercise their…rights, in order [that the DfE can] satisfy the requirements of article 5(1)(a) of the UK GDPR”.
Key Questions:
- Do you provide privacy statements at all points of data collection?
- Are your privacy statements accessible and easy to understand?
