Children’s Private Information: Data Protection Law Debate
Full Debate: Read Full DebateBaroness Wilcox of Newport
Main Page: Baroness Wilcox of Newport (Labour - Life peer)Department Debates - View all Baroness Wilcox of Newport's debates with the Department for Education
(2 years ago)
Lords ChamberTo ask His Majesty’s Government what steps they are taking in response to the reprimand issued by the Information Commissioner’s Office to the Department for Education on 6 November for breaching data protection law regarding children’s private information.
On behalf of my noble friend Lady Chapman, and with her permission, I beg leave to ask the Question standing in her name on the Order Paper.
My Lords, the department takes the security of the data that it holds extremely seriously. At the time of the breach, it was already working closely with the Information Commissioner’s Office. The department has made significant, positive progress in improving its processes. The ICO has recommended in the reprimand notice that the department continue with its current improvement plans, and we will publish an update in early 2023.
My Lords, I thank the Minister for her Answer, notwithstanding—for noble Lords who are not aware—that the Information Commissioner’s Office formally reprimanded the DfE for prolonged misuse of the data of 28 million students over a 16-month period. The department breached GDPR by allowing online gambling companies to use pupil information to build their age verification systems. The reprimand concluded that the processes put in place by the DfE were woeful. Can the Minister confirm how this happened, how the Government will prevent such a shocking breach happening again and whether they will apologise to the 28 million students affected?
I absolutely understand why the noble Baroness probes hard on this Question. The Government have made significant changes to their learner registration system, and those were noted by the Information Commissioner’s Office in its letter to the department in November this year. We previously did not have a centralised data protection function in the department. We were in the process of setting it up when we discovered this breach, and it is now in place.