UK Authority reported today, based on a procurement notice, that The Department for Education (DfE) is aiming to develop a privacy controlling API for access to its National Pupil Database (NPD) in England.

It says that the project is, “an early step in a broader programme to maximise the benefits of its data by providing fast and secure access to users who can create value,” and that its, “potential benefit should have an emphasis on ‘distributing access, not data’.”

We warmly welcome this acknowledgement of a need to keep data safe, and that pupil privacy is being addressed.

Since 2012 data has been handed out over a thousand times to data recipients in their own settings. These third parties who store copies of pupil-level identifying and sensitive personal data are wide-ranging, from academic researchers and think tanks, through journalists, to data intermediaries and private tutoring websites.

We wait to see what the API means in practice. It will be positive only if it means a change in current practices to protect pupil privacy. We will need to see a detailed assessment of how today’s different customers will be accommodated in future to understand if that will happen. The contract description might say that access is for “essential research (that may help to shape future DfE policy),”  but today’s customers don’t all meet that high bar.

We dispute that product and service commercial companies should be called researchers at all. Not every NPD user’s work is equal in terms of public interest, or their analytical skill level. Giving so many all the same levels of identifying data, Tier 1 and Tier 2, is unnecessary to meet their needs.  And the Department recognises that, “People are accessing sensitive data, but only to then aggregate. The access to sensitive data is a means to an end to produce the higher level findings.”  So what will it change?

While the API will not meet every ‘want’ of every user, it will potentially add a new level of information security, and offer faster data access for some users, who may currently wait months for their data requests to be reviewed, and who receive more data than necessary to meet their purpose.

What must still follow is a shift of policy that will put children’s confidentiality first. The Department must begin clear communication to every individual whose data it is, exactly who they are giving it to and who may have access, and why.

People entrust their personal data to public services with clear expectations. Secondary uses should not go beyond those ‘reasonable expectations‘ so that there are no surprises and the collection of public data retains the public’s trust.  None of these uses of confidential personal data are with consent. And while journalists and charities can get hold of our confidential data, children are denied access to see their own information when they ask, what’s in my record?

The Department’s priorities might still need to be realigned to make every use of pupil data safe, fair and transparent. Children’s rights must be restored and put ahead of commercial customers’ wants.

Overall, we welcome this news as a sensible step in the right direction, towards safe data. But much more needs done in practice and with a sense of urgency.

It is after all, the bare minimum we should reasonably expect from public data controllers, that our data are protected, and our rights to privacy respected.