The Department for Education potentially leaked the personal data of more than 84,500 people last financial year, it has admitted.
The figure has been condemned as “unacceptable” and the problem has sparked demands for transparency.
According to the , it reported five personal data breaches to the Information Commissioner’s Office (ICO), which “potentially affected” some 84,532 people, in the financial year ending 31 March 2025.
This represented a huge increase from the 20 people potentially affected the year before, when there were eight breaches reported to the ICO.
DfE data breach ‘deeply worrying’
Liberal Democrat MP Munira Wilson, her party’s spokesperson for education, children and families, said: “These revelations are deeply worrying. A series of data breaches of this size simply isn’t acceptable.
“The DfE should reassure parents and teachers by coming clean on whether this leak involved children’s data, and should spell out exactly how they will ensure this cannot happen again.”
ICO states that it only needs to be notified of a personal data breach if it is “likely to result in a risk to the rights and freedoms of individuals”.
If left unaddressed, the guidance warns, “such a breach is likely to have a significant detrimental effect on individuals”, such as discrimination, damage to reputation, financial loss, loss of confidentiality or “any other significant economic or social disadvantage”.
Julie McCulloch, director of strategy and policy at the Association of School and College Leaders, said: “It is worrying to see that over 84,000 individuals were potentially affected by DfE data breaches serious enough to be reported to the ICO.”
She added: “It is important for the sake of public confidence and reassurance that there is transparency on these matters, and we would urge the DfE to provide this information.
“It is not clear whether these individuals were students, parents, education staff or someone else; the extent of the breaches; and what actions were taken as a result in respect of the individuals concerned.”
Two of the breaches last year were due to data being emailed to the incorrect recipient and three were the result of “personal data [being] incorrectly shared”. The data breaches cover the DfE and its agencies.
The DfE did not specify whether a specific agency or area of the department had caused the breaches, what type of data had been breached or who had been impacted, such as pupils or teachers.
Tes asked the DfE and ICO whether the breaches involved datasets containing personal data (including special category data such as religion and ethnicity); whether the DfE has told those potentially affected; whether the DfE is subject to any legal proceedings as a result of the breaches; and whether they are concerned by the DfE’s apparent increased mishandling of personal data.
The ICO declined to comment and the DfE declined to respond.
Staff training on data security
All government departments are required to report personal data breaches that meet the ICO’s criteria threshold each financial year.
Personal data breaches must be reported within 72 hours of being identified, where feasible, and are defined as breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
In its annual report, the DfE also reports personal data breaches that did not fall within the criteria for reporting to the ICO.
In the 2024-25 financial year there were 264 of these breaches, up from 230 and 231 in 2023-24 and 2022-23, respectively.
Some 117 incidents were the result of data or an email being sent to the incorrect recipient, and 75 of the incidents were caused by the incorrect sharing of personal data.
There was one cyber incident and one case of unauthorised access, as well as five instances of the “loss or theft of paperwork or data left in insecure location”.
The DfE’s annual report says that its office of data protection “provided training and guidance to limit or reduce the number of breaches”, and that additional controls would be put in place this year, “which should further reduce the number of breaches”.
It adds: “Where incidents occurred, advice and guidance is provided to prevent recurrence.”
You can now get the UK’s most-trusted source of education news in a mobile app. Get Tes magazine on and on
