To ask His Majesty’s Government what steps they are taking in response to the reprimand issued by the Information Commissioner’s Office to the Department for Education on 6 November for breaching data protection law regarding children’s private information.
On behalf of my noble friend Lady Chapman, and with her permission, I beg leave to ask the Question standing in her name on the Order Paper.
My Lords, the department takes the security of the data that it holds extremely seriously. At the time of the breach, it was already working closely with the Information Commissioner’s Office. The department has made significant, positive progress in improving its processes. The ICO has recommended in the reprimand notice that the department continue with its current improvement plans, and we will publish an update in early 2023.
My Lords, I thank the Minister for her Answer, notwithstanding—for noble Lords who are not aware—that the Information Commissioner’s Office formally reprimanded the DfE for prolonged misuse of the data of 28 million students over a 16-month period. The department breached GDPR by allowing online gambling companies to use pupil information to build their age verification systems. The reprimand concluded that the processes put in place by the DfE were woeful. Can the Minister confirm how this happened, how the Government will prevent such a shocking breach happening again and whether they will apologise to the 28 million students affected?
I absolutely understand why the noble Baroness probes hard on this Question. The Government have made significant changes to their learner registration system, and those were noted by the Information Commissioner’s Office in its letter to the department in November this year. We previously did not have a centralised data protection function in the department. We were in the process of setting it up when we discovered this breach, and it is now in place.
My Lords, is the Minister fully aware of the damaging effect of data protection law on universities? It has been used, rightly or wrongly, to prevent universities getting in touch with students’ parents when they are in distress; it has been used to prevent the full publication of degree results, which opens the door to fraud. Does she agree that it is time to review the Data Protection Act and its damaging effect in those circumstances?
The noble Baroness will be aware that the Government have brought forward the Data Protection and Digital Information Bill, which was introduced in the Commons in July this year. We are committed to making sure that our data protection systems are fit for purpose, including in relation to the issues raised by the noble Baroness.
My Lords, the next scandal brewing is the use of facial recognition technology in schools and the department’s lack of a grip on this issue. Despite repeated requests from the Biometrics and Surveillance Camera Commissioner to have legal oversight of the ethical use of that technology in schools, the Government have refused to agree. Why is this loophole still there, and when will it be closed?
The noble Lord raises an important point. The safety of our children is of course fundamental and the department’s role in protecting them is vital. If I may, I will write to the noble Lord on the details of his question.
My Lords, the organisation Defend Digital Me sets out that the DfE extended the possible distribution of identifying pupil-level extracts from the national pupil database when Michael Gove was Secretary of State. This was done
“to maximise the value of this rich dataset”.
On reflection, does the Minister believe that that was a mistake?
I do not believe that it was a mistake. If we look at any sector or industry, we see that the most successful use data intelligently, proportionately and safely. That is what the department intends to do.
My Lords, how much information is the Home Office allowed to get from the DfE for immigration enforcement purposes?
I apologise; I am afraid that I will have to write to the noble Earl with the detail on that.
My Lords, in her response to my noble friend, the Minister did not answer the key question. She told us the criteria that the department used for its use of data, but this was clearly the use of data to make money. Is that appropriate for a government department in respect of records that relate to children?
To be absolutely clear and for the avoidance of doubt, the department was not making money out of this. It was a previously legitimate user of the department’s data which changed its business model and breached its contract with the department to sell the data.
My Lords, does my noble friend agree that we should be grateful that the department is now taking this matter seriously? I urge her to make sure that this is dealt with as speedily as possible; I know that she would like that to happen as well.
My noble friend is right. I would stress that, unsurprisingly and rightly, the department took this breach extremely seriously. It was proactive in raising it with the Information Commissioner’s Office and has a very active programme of work but, in relation to the recommendations from the Information Commissioner, the vast majority of them are completed and the rest are on track.
For the record, the Minister has just said from the Dispatch Box that the problem arose because the company changed to a different business model. Is it not correct that the Information Commissioner’s Office pointed out that the reason this happened was not that the change took place but that the department had no oversight of third-party use of that database?
I am not sure that the Dispatch Box is the ideal place to go through the line-by-line analysis. The noble Lord is right that the way that the department’s contracts were set up at the time did not give the same recourse if the terms and conditions of a contract were breached by a third party. That has now been changed.
My Lords, I find this whole saga staggering. It should give serious pause for thought to anyone who does not think that data protection and personal privacy matter. When the Minister replies in writing to the noble Lord’s earlier question about facial recognition technology, will she include in that response, and perhaps place a copy in the Library, an answer as to whether CCTV cameras on school premises are provided by Hikvision or any other Chinese companies?
I would be delighted to add that information.
My Lords, again according to the organisation Defend Digital Me, the ICO found that the DfE’s policy on records was
“designed to find a legal gateway to ‘fit’ the application”.
If the Minister recognises that, can she say that it simply will never happen again?
I tried to be clear that the department has made very significant changes in its approach to data protection and privacy in relation to our internal systems and processes, to our communication with data subjects about their privacy, and to the culture of the department and the training and support that we put in place for colleagues.
Are the people who oversee this new model the same as those who oversaw the previous one? Where is the accountability in the system? What happened to those people, who should have known better and should not have let this happen?
My understanding is that we relied on an existing advisory service at the time of the data breach and that those functions have now been brought in house. We have a dedicated data protection officer, who sets policy for the whole department.
My Lords, can the noble Baroness expand on this third-party provider who changed their business model? How many contracts does that third party have with government in respect of other aspects of data?
My understanding is that that third-party provider is no longer trading.
My Lords, can the noble Baroness confirm that a senior official on the board of the department, at Permanent Secretary or director-general level, was responsible for what happened? What action was therefore taken?
I have tried to explain to your Lordships that we did not have a centralised data protection function at the time of this breach. As a result, different teams had different policies across the department. That is no longer the case.