When looking over what happened this week, there were a couple of things I could talk about: EDPB’s guidelines on relevant and reasoned objection under the GDPR, or Ryanair being accused in a US court of hiding behind the GDPR or perhaps musing on the Schrems II ruling and its impact on international data transfers and how it might relate to Brexit.
But I keep coming back to the ICO’s audit of the UK’s Department for Education (DfE). Both how shocking it is and how it highlights some of the trends I’m seeing.
GDPR observations: third parties driving enforcement and corrective action vs. fines.
These are hunches at this point, but as I mentioned in a previous post, it does seem that pressure from third parties is driving supervisory authorities to investigate and enforce GDPR compliance.
Two different human rights groups rang the bell that led to the ICO audit of the DfE. Against Borders for Children informed the ICO that the DfE was sharing students’ personal data with the Foreign Office. DefendDigitalMe informed the ICO that the DfE didn’t give parents access or rectification rights to data stored in the National Pupil Database (NPD). The law requires that, through privacy notices, people are informed of the third parties with whom their data is being shared. It also grants people the right to access their data and have it corrected if it’s inaccurate.
The ICO completed an audit in February 2020. As a result, it issued a list of 139 corrective actions that the DfE should implement to resolve the gaps in its data protection processes. Over two-thirds of these were classed as urgent. It raises the question: might public shaming, nailing an organisation’s failings to the church door, be a more effective way of pushing organisations towards compliance than issuing attention-grabbing fines? Both are possible recourses under the law, and it’s too early to tell what mix of the two will be most effective. For it to hold weight, it will also be necessary to publish the follow-up.
The Department for Education’s data protection failings
I hope the irony isn’t lost on the ICO in its decision to use the DfE’s failings as a means of educating other organisations. Their failings are legion and cover almost all aspects of the regulation. I won’t go through all of the items, but will shout out a couple I found particularly shocking.
The technical failures
Privacy notices and data subject access requests. Perhaps the most egregious were those raised by the third parties: the complete disregard for transparency in relation to data processing, including any facility for data subjects to exercise their rights. This meant inadequate privacy notices which weren’t displayed at the points of data collection, or in some cases were never provided to the data subjects at all, and no means for people to make data subject access requests.
Inadequate security controls. Article 32 requires adequate security around the use of information technology, yet the ICO found that “there has been no expert involvement to develop appropriate procedures for the creation storage and retention of records“. The thought that no experts were involved in designing the data storage and record retention systems is frightening. This kind of negligence is what leaves organisations open to external threats.
Records of processing activities. According to the audit, Article 30 had been entirely disregarded. In fact, the DfE had no clear understanding of what data it actually held. In light of this, I guess it’s not a surprise that there were inadequate security controls.
The organizational failures
Training and Awareness. Instead of having a proactive system, the DfE was reliant on staff to become “self-aware of policies and procedures without follow up or acknowledgement”. It’s not just that they didn’t have an adequate programme in place. They didn’t even have a system in place to make sure that staff were receiving the policies, reading them and understanding them. Which brings me to the next item…
No Policies. No formal documentation.
They had no policy framework and “no governance over the creation review and approval of policies”, so key policies had not even been created. Obviously, it’s hard to make staff aware of them if they don’t even exist.
No DPIAs at early stages
Truth be told, many other organisations will be failing at this. Carrying out a thorough DPIA and involving all the right people at the right time is a complex process. If they failed at all the other items I’ve indicated, it’s almost impossible for them to get DPIAs right and to practise data protection by design.
Obviously, such failures were the result of no oversight over information governance within the organisation. I can appreciate that this can be difficult within a very large bureaucracy, but the scale of the failing is exceptional. If you’ve not yet read the audit, I suggest you consider doing so. You’ll see that the items I shouted out above are just a handful of the items cited. Maybe you’ll find some of the other ones even more shocking. Let me know in the comments below.
And just a last shameless push for GDPR365 – we provide frameworks and tools to address all of the DfE failings I cited above. If you’re looking to make sure you’re compliant, or to simplify the management of your compliance documentation, please click the button below and ask for a demo.