To ask His Majesty’s Government what steps they are taking in response to the reprimand issued by the Information Commissioner’s Office to the Department for Education on 6 November for breaching data protection law regarding children’s private information.
My Lords, the department takes the security of the data that it holds extremely seriously. At the time of the breach, it was already working closely with the Information Commissioner’s Office. The department has made significant, positive progress in improving its processes. The ICO has recommended in the reprimand notice that the department continue with its current improvement plans, and we will publish an update in early 2023.
My Lords, I thank the Minister for her Answer, notwithstanding—for noble Lords who are not aware—that the Information Commissioner’s Office formally reprimanded the DfE for prolonged misuse of the data of 28 million students over a 16-month period. The department breached GDPR by allowing online gambling companies to use pupil information to build their age verification systems. The reprimand concluded that the processes put in place by the DfE were woeful. Can the Minister confirm how this happened, how the Government will prevent such a shocking breach happening again and whether they will apologise to the 28 million students affected?
I absolutely understand why the noble Baroness probes hard on this Question. The Government have made significant changes to their learner registration system, and those were noted by the Information Commissioner’s Office in its letter to the department in November this year. We previously did not have a centralised data protection function in the department. We were in the process of setting it up when we discovered this breach, and it is now in place.
My Lords, is the Minister fully aware of the damaging effect of data protection law on universities? It has been used, rightly or wrongly, to prevent universities getting in touch with students’ parents when they are in distress; it has been used to prevent the full publication of degree results, which opens the door to fraud. Does she agree that it is time to review the Data Protection Act and its damaging effect in those circumstances?
The noble Baroness will be aware that the Government have brought forward the Data Protection and Digital Information Bill, which was introduced in the Commons in July this year. We are committed to making sure that our data protection systems are fit for purpose, including in relation to the issues raised by the noble Baroness.
My Lords, the next scandal brewing is the use of facial recognition technology in schools and the department’s lack of a grip on this issue. Despite repeated requests from the Biometrics and Surveillance Camera Commissioner to have legal oversight of the ethical use of that technology in schools, the Government have refused to agree. Why is this loophole still there, and when will it be closed?
The noble Lord raises an important point. The safety of our children is of course fundamental and the department’s role in protecting them is vital. If I may, I will write to the noble Lord on the details of his question.
My Lords, the organisation Defend Digital Me sets out that the DfE extended the possible distribution of identifying pupil-level extracts from the national pupil database when Michael Gove was Secretary of State. This was done
“to maximise the value of this rich dataset”.
On reflection, does the Minister believe that that was a mistake?
I do not believe that it was a mistake. If we look at any sector or industry, we see that the most successful use data intelligently, proportionately and safely. That is what the department intends to do.
My Lords, in her response to my noble friend, the Minister did not answer the key question. She told us the criteria that the department used for its use of data, but this was clearly the use of data to make money. Is that appropriate for a government department in respect of records that relate to children?
To be absolutely clear and for the avoidance of doubt, the department was not making money out of this. It was a previously legitimate user of the department’s data which changed its business model and breached its contract with the department to sell the data.
My Lords, does my noble friend agree that we should be grateful that the department is now taking this matter seriously? I urge her to make sure that this is dealt with as speedily as possible; I know that she would like that to happen as well.