The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Information Commissioner’s Office (ICO) has published the outcome of a compulsory audit of the Department for Education DFE carried out in February 2020.

The audit found that data protection was not being prioritised and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws. A total of 139 recommendations for improvement were found, with over 60% classified as urgent or high priority.

The ICO’s primary responsibility is to ensure compliance with the law and its policy is to work alongside organisations committed to making the necessary changes to improve data protection practice.

Throughout the audit process the DfE engaged with the ICO and showed a willingness to learn from and address the issues identified. The Department accepted all the audit recommendations and is making the necessary changes.

The ICO continues to monitor the DfE, reviewing improvements against pre agreed timescales. Enforcement action will follow if progress falls behind the schedule.

The ICO carried out the compulsory audit following complaints received in 2019 regarding the National Pupil Database.

Notes to editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
  3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. Section 146 of the DPA2018 gives the Information Commissioner the power to carry out compulsory data protection audits, but the ICO predominantly conducts consensual audits. These audits are completed by the Assurance Department.
  5. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.