Tabled by
of Darlington
To ask His Majesty’s Government what steps they are taking in
response to the reprimand issued by the Information
Commissioner’s Office to the Department for Education on 6
November for breaching data protection law regarding children’s
private information.
(Lab)
On behalf of my noble friend Lady Chapman, and with her
permission, I beg leave to ask the Question standing in her name
on the Order Paper.
The Parliamentary Under-Secretary of State, Department for
Education (Con)
My Lords, the department takes the security of the data that it
holds extremely seriously. At the time of the breach, it was
already working closely with the Information Commissioner’s
Office. The department has made significant, positive progress in
improving its processes. The ICO has recommended in the reprimand
notice that the department continue with its current improvement
plans, and we will publish an update in early 2023.
(Lab)
My Lords, I thank the Minister for her Answer,
notwithstanding—for noble Lords who are not aware—that the
Information Commissioner’s Office formally reprimanded the DfE
for prolonged misuse of the data of 28 million students over a
16-month period. The department breached GDPR by allowing online
gambling companies to use pupil information to build their age
verification systems. The reprimand concluded that the processes
put in place by the DfE were woeful. Can the Minister confirm how
this happened, how the Government will prevent such a shocking
breach happening again and whether they will apologise to the 28
million students affected?
(Con)
I absolutely understand why the noble Baroness probes hard on
this Question. The Government have made significant changes to
their learner registration system, and those were noted by the
Information Commissioner’s Office in its letter to the department
in November this year. We previously did not have a centralised
data protection function in the department. We were in the
process of setting it up when we discovered this breach, and it
is now in place.
(CB)
My Lords, is the Minister fully aware of the damaging effect of
data protection law on universities? It has been used, rightly or
wrongly, to prevent universities getting in touch with students’
parents when they are in distress; it has been used to prevent
the full publication of degree results, which opens the door to
fraud. Does she agree that it is time to review the Data
Protection Act and its damaging effect in those
circumstances?
(Con)
The noble Baroness will be aware that the Government have brought
forward the Data Protection and Digital Information Bill, which
was introduced in the Commons in July this year. We are committed
to making sure that our data protection systems are fit for
purpose, including in relation to the issues raised by the noble
Baroness.
(LD)
My Lords, the next scandal brewing is the use of facial
recognition technology in schools and the department’s lack of a
grip on this issue. Despite repeated requests from the Biometrics
and Surveillance Camera Commissioner to have legal oversight of
the ethical use of that technology in schools, the Government
have refused to agree. Why is this loophole still there, and when
will it be closed?
(Con)
The noble Lord raises an important point. The safety of our
children is of course fundamental and the department’s role in
protecting them is vital. If I may, I will write to the noble
Lord on the details of his question.
(Lab)
My Lords, the organisation Defend Digital Me sets out that the
DfE extended the possible distribution of identifying pupil-level
extracts from the national pupil database when was Secretary of State. This
was done
“to maximise the value of this rich dataset”.
On reflection, does the Minister believe that that was a
mistake?
(Con)
I do not believe that it was a mistake. If we look at any sector
or industry, we see that the most successful use data
intelligently, proportionately and safely. That is what the
department intends to do.
The (CB)
My Lords, how much information is the Home Office allowed to get
from the DfE for immigration enforcement purposes?
(Con)
I apologise; I am afraid that I will have to write to the noble
Earl with the detail on that.
(Lab)
My Lords, in her response to my noble friend, the Minister did
not answer the key question. She told us the criteria that the
department used for its use of data, but this was clearly the use
of data to make money. Is that appropriate for a government
department in respect of records that relate to children?
(Con)
To be absolutely clear and for the avoidance of doubt, the
department was not making money out of this. It was a previously
legitimate user of the department’s data which changed its
business model and breached its contract with the department to
sell the data.
(Con)
My Lords, does my noble friend agree that we should be grateful
that the department is now taking this matter seriously? I urge
her to make sure that this is dealt with as speedily as possible;
I know that she would like that to happen as well.
(Con)
My noble friend is right. I would stress that, unsurprisingly and
rightly, the department took this breach extremely seriously. It
was proactive in raising it with the Information Commissioner’s
Office and has a very active programme of work but, in relation
to the recommendations from the Information Commissioner, the
vast majority of them are completed and the rest are on
track.
(LD)
For the record, the Minister has just said from the Dispatch Box
that the problem arose because the company changed to a different
business model. Is it not correct that the Information
Commissioner’s Office pointed out that the reason this happened
was not that the change took place but that the department had no
oversight of third-party use of that database?
(Con)
I am not sure that the Dispatch Box is the ideal place to go
through the line-by-line analysis. The noble Lord is right that
the way that the department’s contracts were set up at the time
did not give the same recourse if the terms and conditions of a
contract were breached by a third party. That has now been
changed.
(Lab)
My Lords, I find this whole saga staggering. It should give
serious pause for thought to anyone who does not think that data
protection and personal privacy matter. When the Minister replies
in writing to the noble Lord’s earlier question about facial
recognition technology, will she include in that response, and
perhaps place a copy in the Library, an answer as to whether CCTV
cameras on school premises are provided by Hikvision or any other
Chinese companies?
(Con)
I would be delighted to add that information.
(Lab)
My Lords, again according to the organisation Defend Digital Me,
the ICO found that the DfE’s policy on records was
“designed to find a legal gateway to ‘fit’ the application”.
If the Minister recognises that, can she say that it simply will
never happen again?
(Con)
I tried to be clear that the department has made very significant
changes in its approach to data protection and privacy in
relation to our internal systems and processes, to our
communication with data subjects about their privacy, and to the
culture of the department and the training and support that we
put in place for colleagues.
(Lab)
Are the people who oversee this new model the same as those who
oversaw the previous one? Where is the accountability in the
system? What happened to those people, who should have known
better and should not have let this happen?
(Con)
My understanding is that we relied on an existing advisory
service at the time of the data breach and that those functions
have now been brought in house. We have a dedicated data
protection officer, who sets policy for the whole department.
(Lab)
My Lords, can the noble Baroness expand on this third-party
provider who changed their business model? How many contracts
does that third party have with government in respect of other
aspects of data?
(Con)
My understanding is that that third-party provider is no longer
trading.
(Lab)
My Lords, can the noble Baroness confirm that a senior official
on the board of the department, at Permanent Secretary or
director-general level, was responsible for what happened? What
action was therefore taken?
(Con)
I have tried to explain to your Lordships that we did not have a
centralised data protection function at the time of this breach.
As a result, different teams had different policies across the
department. That is no longer the case.