Pre-action protocol letter claims Department for Education continues to breach GDPR over pupil data two years on from ICO audit
The Department for Education has been threatened with judicial review proceedings by a campaign group which claims it has failed to implement the recommendations of the Information Commissioner's Office and continues to gather data on school children in a way that breaches information law.
In a pre-action protocol letter Defend Digital Me alleged that, two years on from an audit of the department by the ICO, the DfE's data-gathering practices for the National Pupil Database still fail to comply with the transparency and notification obligations required by the UK General Data Protection Regulation and Data Protection Act 2018.
In October 2020, the ICO published the outcome of a regulatory audit of the DfE, which found that data protection was not being prioritised "and this had severely impacted the DfE's ability to comply with the UK's data protection laws".
A total of 139 recommendations were made, with over 60% classified as urgent or high priority.
At the time, the ICO said that the DfE had accepted all the recommendations and was making "the necessary changes".
But according to Defend Digital Me, the DfE refused to publish a copy of the ICO report "or any timeline to assess what was and was not to be actioned by when". It has also "repeatedly failed to provide details they have promised of the steps that they are taking to address the failings", the group claimed in a statement announcing the legal action.
Defend Digital Me added: "[As] far as we can see, the DfE's practices in relation to the collection and sharing of children's information seem to continue largely unchanged, and worse, have continued to ignore necessary changes before further starting new data expansions."
The National Pupil Database includes information collected annually at child-level as part of the Alternative Provision Census. The database includes information concerning any special educational needs; learning difficulties; social, emotional and mental health needs; speech, language and communication needs; physical disability; autistic spectrum disorder; vision impairment; hearing impairment; or other difficulty or disorder.
It also covers matters such as pupils' pregnancy; mental health or physical health need; permanent exclusion, or the fact that a child has been placed in a young offender institution.
According Defend Digital Me, the DfE has failed to provide a Privacy Notice to parents and children setting out what information is collected, why it is collected and what is then done with it.
In addition, the group stated that the DfE does not appear to have appropriate procedures and safeguards in place in relation to the handling of the information. "This should include mechanisms for enabling the right to object to the processing of the data, a process for inaccurate data to be corrected, and adequate safeguards in relation to the sharing of the data with third parties", it notes.
The group has instructed solicitors at Leigh Day and barristers at Monckton Chambers. Its letter before claim gives 21 days for the DfE to respond.
The Department for Education said it would be inappropriate to comment on the pre-action protocol letter.
Adam Carey