When the Department for Education (DfE) received complaints regarding how the department managed its National Pupil Database, the response from the Information Commissioner’s Office (ICO) was to perform a thorough audit of the practices at the DfE. In early 2020, the ICO issued a statement regarding its findings. We’ll look at the lessons from the audit and how they can be applied to organisations everywhere.
The goal of the compulsory audit was to look into as many different facets of the DfE’s protocols and identify any risks regarding the individual rights of its 21 million data subjects. Given the young age of the students, this was a sensitive topic for many people. The ICO believed that it required a full investigation, looking into everything from the DfE’s sharing processes to its accountability measures.
What the ICO found was a lack of transparency regarding how much how data the DfE had and how it was processed. The training that employees received was deemed to be minimal, with very little emphasis placed on the privacy of students.
The staff at the DfE seemed to be unaware of what exactly constituted a controller according to GDPR rules. There were also no attempts to put experts in charge of the retention systems or data storage procedures.
It seems clear that privacy for data subjects simply wasn’t a priority at the DfE and why data protection impact assessments (DPIAs) were not being completed according to the rules. The purpose of the DPIA is to identify any flaws in data processing and develop contingency plans to keep that data safe. For example, installing firewalls to prevent criminals from stealing data, but also encrypting that data in case a breach does occur.
These reports are a major undertaking for any controller to assume. A DPIA has to include written descriptions of how data is processed, what measures are taken to protect it, and how different risks are abated. One of the big lessons that we’ve seen from the DfE audit is that DPIAs aren’t being carried out early enough to benefit data subjects.
From massive conglomerates to individuals, all data controllers must meet GDPR standards. DPIAs should be completed long before the project begins, and they also need to be updated if the parameters of the project change. Too often, these reports are haphazardly completed or, in some cases, avoided altogether.
The ICO found that there the DfE was producing risk assessments for projects that they didn’t fully understand. Assessors wrote general statements that didn’t fully address the threats of a potential data leak. It was found that the recommended actions to mitigate the risks didn’t have a real effect on the risk scores.
DPIAs created at such a high level simply are useful to the reader. A DPIA is meant to be a deep dive into the full scope of data processing. It can’t possibly cover every scenario, but it should include specific information that shows certain measures were taken to avoid the rights of the individual.
GDPR violations are serious matters for all data controllers. H&M recently made headlines for breaking these guidelines, resulting in a fine of more than €35 million. The investigation and resulting penalty came after a technical error allowed an employee’s information to be seen company-wide. In addition to paying the fine, the company also appointed a new data protection coordinator and made restitution payments to affected employees.
The information collected by H&M from employees included everything from family issues to religious beliefs. H&M leaders justified their actions, saying they needed a complete employee profile to make smarter decisions regarding employment. It seems safe to say that this was not a good enough excuse for investigators.
While it’s good that the company is taking corrective measures after the investigation, this all could have been avoided with a DPIA. Had the company decision-makers been forced to consider the true ramifications of asking for personal information (and the consequences of that information being displayed company-wide), they would have most likely realized that there as no lawful basis to request it.
DPIAs are not always required, so you shouldn’t create more work if it’s not necessary. The GDPR has clarified that systematic monitoring, the processing of sensitive data, and profiling are all situations that likely warrant one, simply because they present a high degree of risk for the data subjects.
The ICO understands that there’s so such thing as zero-risk, but a DPIA can help organisations identify solutions to problems that haven’t occurred yet. Mostly, it forces people to concentrate on the risk factors, which can help them adjust their protocol or eliminate unnecessary steps.
Data protection is a complicated matter these days, made more complex by the sheer volume at which it is collected. When in doubt about whether to complete a DPIA, the best practice recommendations are to move forward with one.
There’s a lot to unpack from the outcome of the DfE’s audit, but the major lesson is that more attention needs to be paid to data security at every level of an organisation. PrivIQ is a software designed to keep organisations compliant, regardless of how much data you process and who your data subjects are.