State of Data 2018: Report for Policy Makers with a view to GDPR in Education

On National Children’s Day 2018, we are pleased to publish our interim report the State of Data 2018: Lessons for Policy Makers with a view to GDPR in education. This is our first summary of research with recommendations on children’s data privacy policy and practice in education in England, including parents’ views.

The government sets out its aim in the Digital Charter to give people more control over their personal data through the Data Protection Bill and protect children and vulnerable adults online. We suggest that this must start in education by ending bad practice, and building better founded on rights.

We include views from parents in England think their children’s data are used in education (1) polled in February 2018, and their attitudes and trust in some of the uses children’s data are put to at national level. We asked whether or not their child had been signed up to or involved with a range of everyday technologies in use in the UK education sector. We also highlight some of the key issues in some of these common technologies used in schools and in national pupil data collections.

This interim report is a summary of research with recommendations for policy makers and highlights:

  • Parents have lost track of their child’s digital footprint in school by a child’s 5th birthday.
    • 
Before a child has left primary school aged 10, their personal data are commonly sent to over ten commercial companies without a parent’s knowledge — often further shared onwardly as is, or after processing, with many app and platform partner affiliates who go on to use data for profiling behaviour, or for product marketing purposes;
    • sent over 25 times in national school censuses and attainment tests in England, to a National Pupil Database of 23 million named records for re-use for life, and are given away to thousands of data analytics researchers by the DfE.
  • While parents give the Department for Education (DfE) a high level of trust to use data well (68%), almost the same number of parents (69%) said they had not been informed the DfE may give out data from the National Pupil Database(2) to third parties. At national level the broad distribution of children’s confidential personal data for use by third parties for purposes far beyond public reasonable expectations is unsustainable.
  • In Scotland and Northern Ireland children’s sensitive biometric data need improved protection in law, since the Protection of Freedoms Act 2012 (E&W) does not apply.
  • Web monitoring software, common in England’s schools since 2016, scans and profiles children’s every Internet search, surveils their screen content and if a child types a keyword that matches a watchword in libraries of up to 20,000 words. automated flags are created on permanent records. One latest version enables admin operators to see a child through the webcam. Schools also impose the software on personal devices in school, so operate at home, in personal space and time. Review and regulation of these policies and software, and safeguards are necessary on profiling and automated decision-making, to create protections against harm, and ensure children’s flourishing.

To better protect children and uphold their data rights and human rights, defenddigitalme recommends:

  1. National pupil databases must be safe, and children’s subject access rights assured
  2. Safeguards on profiling and automated decision-making with significant effects
  3. Obligations on controllers and processors of biometric data to explicitly register processing of this category of data with the Commissioner where it concerns a child
  4. A Statutory Code of Practice in Education(4) to underpin and enforce good practice, bringing clarity, consistency and confidence to data handling across the sector, and promoting children’s rights under the UN Convention on the Rights of the Child. (5)
  5. Education in schools and teacher training on data and digital rights and responsibilities

Improvement is needed urgently though some changes for which we advocate will be longer term in their development. Children can’t put growing up on pause, while policy makers get their act together.

Our future work will include the full in-depth report this summer, a review of the most commonly used apps later this year and a summary for families and young people in state education, and schools, for Back-to-School in Autumn 2018. We continue to push back on bad practice  including the distribution of highly sensitive new personal data by the Department for Education in the 2018 Alternative Provision census(3) and beyond.


Notes:

This interim report is a summary of highlights with recommendations for policy makers.

Download small, low resolution [2.5 MB]

Download large, high resolution [17.2 MB]

1. Wherever we refer to the Survation poll, our poll or our survey, we mean the State Of Data 2018 survey: A poll of 1,004 parents of children age 5-18 in state education in England, carried out between 17-20 February 2018 by Survation, commissioned by defenddigitalme.

2. While the bulk of our work is related to England, data protection is for the most part, not devolved, unlike education. There are differences in law as regards children’s age and capacity, which are reflected in GDPR and the UK Data Protection Bill (as of May 2018). However this makes no material difference in our comments. Our general 
recommendations and technology apply across the UK unless otherwise stated. 
The National Pupil Database in focus is that containing children’s personal data from England, but we also include a summary comparison of UK national pupil databases.

3. defenddigitalme is currently fundraising for a judicial review of the Department for Education’s distribution of children’s sensitive data collected in the Alternative Provision census and beyond.

4. We are disappointed that the government rejected an amendment in the Data Protection Bill on 22 March 2018, for a Code of Practice in Education for children, but we hope that the Information Commissioner’s Office will develop one in consultation, outwith the minimum requirements of the legislation.

5. The United Nations Convention on the Rights of the Child, or UNCRC, is a list of 54 articles that sets out what the rights of each and every child should be, regardless of where they are born or grow up.