Why we are calling for change in National Pupil Data handling:

It’s not safe. It’s not fair, and not transparent. The personal confidential data of 23 million people is given away by the government.

In ever-broader use of national pupil data without consent, David Cameron announced in 2011, that the government would open up access to anonymised data. The responses to a brief consultation over the Christmas holidays 2012, concluded that press and others getting raw data would be a mistake, and made no effort to involve under 18s, or the people whose data it was. The plans carried on regardless.

But the pupil level data released to a wide range of third parties since, are not anonymous at all, but identifying and sensitive. And released with no supression of small numbers.

The Department for Education then most recently began giving the Home Office access to national pupil data for immigration enforcement and to create “a hostile environment,” as set out in an agreement in 2015, without consulting Parliament.

Our Position

  • Children and parents do not know that their identifying and sensitive personal data are given out to third parties without their consent by the Department. They must be told, including the 15 million former pupils whose NPD data are used from the database.
  • Sensitive data for indirect uses, should only be given out with consent. Explicit consent should be collected for the use of sensitive data, when the data are collected, and may be revoked. Purposes must be clear on collection. Pupil data collection must be fair.
  • We should each be able to see what data is held, who it has been given to, and for what purposes. This is supported by coming laws under GDPR Articles 12-15, “in particular for any information addressed specifically to a child.” The Department refuses Subject Access Requests (SAR) today.  That must change. Pupil data uses must be transparent.
  • Children and parents may experience distress and harm if their confidential personal data from their school records collected for their education, are used for new purposes of immigration enforcement. The National Pupil Database is therefore no longer only processing data that meets the rules of (a) and (b) below. These uses should end.
  • Identifying and sensitive data are sent out to third parties. This increases risks of loss, theft and misuse, and children’s safeguarding issues. Government should stop sending data out ‘into-the-wild’. Researchers can take away knowledge, not identifying data. Pupil data must be made safe.

Background on Legislation

  1. Sensitive data require Schedule 3 conditions to be met before release. How do current third parties such as journalists and web-tutor companies meet this condition?
  2. Home Office use of data for non-educational purposes or promoting the wellbeing of children.
  3. Section 33 of the Data Protection Act relates to personal data which are processed (or further processed) ‘only for research purposes’ (undefined, but includes statistical or historical purposes). [source: ADRN] To qualify for the research exemption, the research must be able to comply with the following ‘relevant conditions’

(a) that the data are not processed to support measures or decisions with respect to particular individuals, and

(b) that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

Once these ‘relevant conditions’ have been satisfied, the further processing of personal data for research may be used:

  1. for purposes other than it was originally obtained for (therefore exempt from the Second Data Protection Principle); and
  2. the personal data may be kept indefinitely (therefore exempt from the Fifth Data Protection Principle); and
  3. the personal data will be exempt from the data subject’s rights of access where ‘the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them’ (section 33(4)).

Section 33 does not, however, give exemption to the remaining data protection principles which apply to personal data provided and/or used for research. Third-parties using personal data should be aware that most of the data protection principles will still apply (notably the requirement to keep data secure and data subject access rights) and, although the data subject’s consent to the processing is not always required, one of the other conditions relevant for the purposes of the fair and lawful processing of personal data will still be required where consent is absent. The First Data Protection Principle requiring personal data to be fairly and lawfully processed still needs to be adhered to, even if the section 33 ‘research exemption’ applies.

The release of individuals’ identifiable data was updated by a 2013 change to legislation:

Extract from the Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009 (Amended 2013)

persons who, for the purpose of promoting the education or well-being of
children in England are—

(i) conducting research or analysis,

(ii) producing statistics, or

(iii) providing information, advice or guidance,

and who require individual pupil information for that purpose.

For the purposes of these Regulations, ‘well-being’ has the meaning referred to in sections 332E and 507B of the Education Act 1996 in relation to those sections. Section 332E was inserted by section 1 of the Special Educational Needs (Information) Act [10]2008 (c.11) and section 507B was inserted by section 6(1) of the Education and Inspections Act [11]2006 (c.40).

But this does not mean data can be given to just anyone. The amendment above was made to this law from 2009, listing prescribed persons. The Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009.

Prescribed persons

3.—(1) For the purposes of section 537A(4) of the Act, the following are prescribed as persons to whom the Secretary of State may provide individual pupil information—

(a)any person referred to in paragraph (5) below;

(b)any person falling within any of the categories referred to in paragraph (6) below;

(c)any person having access to a database established and operated by the Secretary of State under section 12 of the Children Act 2004(4); and

(d)any local authority which has reasonable grounds to believe that it is a relevant local authority in respect of the pupil to whom the individual pupil information relates.

(2) For the purposes of section 537A(5)(b) of the Act, the Secretary of State prescribes as a person to whom an information collator may provide individual pupil information—

(a)any person referred to in paragraph (5) below; and

(b)any person falling within any of the categories referred to in paragraph (6) below.

(3) The individual pupil information which an information collator may so provide, in accordance with section 537A(5)(b) of the Act, is any such information—

(a)specified in Schedule 1 to the Education (Information about Individual Pupils) (England) Regulations 2006(5);

(b)relating to the educational achievements of pupils in any National Curriculum assessment carried out for the purpose of assessing the achievements of pupils in the first, second or third key stage;

(c)relating to the educational achievements of pupils in any external qualification approved under section 98 of the Learning and Skills Act 2000(6), for the purposes of section 96 of that Act.

(4) For the purposes of section 537A(6) of the Act, the Secretary of State prescribes as a person to whom any person holding any individual pupil information may provide that information—

(a)any person referred to in paragraph (5) below; and

(b)any person falling within any of the categories referred to in paragraph (6) below.

(5) The persons referred to in paragraphs (1)(a), (2)(a) and (4)(a) are—

(a)the Joint Council for Qualifications;

(b)the Office for Standards in Education, Children’s Services and Skills(7)

(c)the Higher Education Funding Council for England;

(d)a relevant local authority;

(e)the governing body of the relevant school;

(f)the management committee of a pupil referral unit at which the relevant pupil is or was registered;

(g)the Training and Development Agency;

(h)the States of Guernsey Education Department;

(i)the States of Jersey Education Department;

(j)the Isle of Man Department of Education;

(k)the Welsh Ministers;

(l)WJEC CBAC Limited(8);

(m)the Student Loans Company Limited;

(n)the University and Colleges Admissions Service(9);

(o)the Higher Education Statistics Agency(10);

(p)Ufi Limited(11);

(q)the British Educational Communications and Technology Agency (Becta);

(r)any person with whom a relevant local education authority has made arrangements under section 68 or section 70 of the Education and Skills Act 2008(12);

(s)any person who, either alone or jointly with others, awards or authenticates any qualification accredited by the Qualifications and Curriculum Authority;

(t)the Learning and Skills Council for England(13);

(u)the Qualifications and Curriculum Authority(14).

(6) The categories referred to in paragraphs (1)(b), (2)(b) and (4)(b) are—

(a)institutions within the further education sector;

(b)Primary Care Trusts(15);

(c)work-based learning providers;

(d)persons conducting research into the educational achievements of pupils and who require individual pupil information for that purpose;

(e)learning providers registered with the UK Register of Learning Providers(16);

(f)institutions within the higher education sector.

 

Paragraph 6 (b) was amended from:

persons conducting research into the educational achievements of pupils and who require individual pupil information for that purpose;

to

persons who, for the purpose of promoting the education or well-being of children in England are—

(i) conducting research or analysis,

(ii) producing statistics, or

(iii) providing information, advice or guidance,

and who require individual pupil information for that purpose.

 

Human Rights implications on Rights to Education, Privacy and Family Life

The Right to Education is protected by: Article 26 of the Universal Declaration of Human Rights. Articles 13 & 14 of the International Covenant on Economic Social and Cultural Rights and Articles 28,29 & 40 of the Convention on the Rights of the Child.

Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence.

The assessment of the “best interests of the child” is intrinsic to the proportionality assessment under Article 8.

Article 7 of the Charter of Fundamental Rights means everyone has the right to respect for his or her private and family life, home and communications, and Article 8 on the Protection of Personal Data means data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

The Charter of Fundamental Rights Article 52 further requires that any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

The upcoming EUGDPR reiterates these fundamental freedoms and requires accountability and adequacy of data protection aligned with those Principles. The requirements for collection of children’s data for processing by third parties and particularly with predictive scoring are not met in the school census collections.

The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided, it could not be open-ended or blanket consent to cover future processing.

Finally, Article 7(3) of the GDPR gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.”  Not currently possible in the NPD since most whose data are stored, do not know it exists at all

 

UK Supreme Court ruling July 28, 2016

We believe a review of the legal basis is necessary for the data given away to non-academic research purposes, with regards to many of the third parties receiving confidential pupil data, including sensitive personal data, from the National Pupil Database in England. The legal position on the DfE release of sensitive data is unclear.

The judgment in the Named Persons case, listed as “The Christian Institute and others (Appellants) v The Lord Advocate (Respondent) (Scotland)”.

The Supreme Court judges said the law was “defective” for breaching article 8 of the European Convention on Human Rights (ECHR), which guarantees everyone’s “right to a private and family life”. They declared Holyrood had exceeded its powers by making a law which allowed public bodies to share sensitive private information about children and parents without consent.

The judges stated: “The sharing of personal data between … the operation of the information sharing provisions will result in interferences with the rights protected by article 8 of the ECHR” (Para. 78). Because of the lack of safeguards “the overriding of confidentiality is likely often to be disproportionate” (Para. 100).

The Supreme court ruling for the Scottish Named Persons scheme reiterates DPA requirements:

‘For example, the second principle is that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes”.’

The purposes of the school census collection, parents and pupils believe, are for their education. NOT to be handed out to commercial third parties, charities and press without their knowledge.

Mr Gibb has said in July 2016 that: “There are currently no plans for the Department to change the existing protocols and processes for the handling and disclosure of confidential information.”

The current communication to parents and pupils fails fair processing and is therefore illigitimate on the grounds of both consent or explicit and specified purposes.

Decision, Department of Education and Skills, Ireland, July 11, 2016

Further, in July 2016 the court in Ireland ruled that Secondary uses of data (ie. in this case using children’s data for anything other than their direct in school education, reasons parents and pupils believe data are given in) need privacy impact assessment and secondary purposes must be optional. Objections to data processing for any secondary purposes from the NPD should be respected as ruled in Ireland recently.

What does the Department for Education say?

Did the government consider when it actively changed the law to make commercial use of children’s identifiable, confidential data, that it should first ask the parents of 20 million children for consent?

The 2015/16 Department for Education census data collection video [1] to schools on the DfE website, expressly tells schools they are not required to collect consent and that “they are protected from legal challenge over a breach of confidence.” [from 0:40 seconds in]

The 2015-16 guide issued in December repeats the statements that being on a statutory basis, “means that schools do not need to obtain parental or pupil consent to the provision of information” and “ensures schools are protected from any legal challenge that they are breaching a duty of confidence to pupils”

The guidance fails to mention the UK requirements of data protection law, the common law of confidentiality, and Human Rights Act right to privacy.

Section 29 of the Education Act, refers only to the requirement schools have to send data to the Department: The statutory gateway. This gateway does not dispense with the duty to ensure properly informed citizens before data sharing between public bodies.

Their very own Department of Education guide [2] to legal issues on datasharing from 2009 says:

“Having express or implied statutory powers in any particular case does not mean that the Human Rights Act 1998, the common law duty of confidentiality, and the Data Protection Act 1998 can be disregarded. Where a statutory gateway explicitly removes the need to consider confidentiality, then confidential information can be shared however this will be rare and in limited circumstances.”

The confidential information has been shared in over 650 cases since 2012. Is that rare and limited, or has that boundary been overstepped? We believe it has because the policy and practice is to hand out identifiable personal data on a regular basis.

The Data Protection Act 1998

Legislation that permits the use of personal data for research purposes is of particular relevance to the National Pupil Database.

Section 33 of the Data Protection Act relates to personal data which are processed (or further processed) ‘only for research purposes’. These are undefined, but explicitly include statistical or historical purposes. To qualify for the research exemption, the use of data must be able to comply with the following ‘relevant conditions’:

(a) that the data are not processed to support measures or decisions with respect to particular individuals, (section 33 (1) and

(b) that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

Once these ‘relevant conditions’ have been satisfied, the further processing of personal data for research purposes may be used:

  • for purposes other than it was originally obtained for (therefore exempt from the Second Data Protection Principle); and
  • the personal data may be kept indefinitely (therefore exempt from the Fifth Data Protection Principle); and
  • the personal data will be exempt from the data subject’s rights of access where ‘the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them’ (section 33(4)).

Section 33 does not, however, give exemption to the remaining data protection principles which apply to personal data provided and/or used for research:

Most of the data protection principles still apply, these include requirements for:

i. personal data to be fairly and lawfully processed, the First Data Protection Principle

ii. one of the other conditions relevant for the purposes of the fair and lawful processing of personal data will still be required where consent is absent.(Schedule 2)

iii. for sensitive data (Tier 1 of the National Pupil database include all the data items classified as ‘sensitive’) an additional condition from Schedule 3 must also be met to justify disclosure.  These conditions are for example, in the interests of justice.

iv. personal data must be kept secure (Principle 7)

Further, the processing must be ’necessary’.

These criteria are intended to set a high bar for protection of individuals’ rights, and cannot all be disregarded simply because data uses are classed as ‘research’.

In particular, Principle 1, the fairness obligation cannot be set aside merely because of the presence of a legal basis (in the form, say, of legislation under the Education Act).

On October 1, 2015, this latter point has been again made explicit for public bodies in the judgment of the Court of Justice of the European Union in the Bara case (C‑201/14) in which it ruled that “[the Directive] must be interpreted as precluding national measures…which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing,” i.e the public must be informed when public bodies share their data and why.

The confidential information is kept indefinitely and not used for what parents and pupils consider research purposes, but include commercial use. There is inadequate fair processing. Our research with school staff and teachers, parents and pupils, shows almost none have heard of a national pupil database and don’t understand what happens to their adta collected in the Census. The DPA requiremenst on fair processing fail.


Subject Access Requests are rights under DPA: denied

The Department uses the Research exemption s33 of the Data Protection Act to keep data indefinitely so the database now has 20 million individuals names and data recorded in it.

The Department use the same clause to deny parents Subject Access Requests to understand what the NPD stores about our own children or check that it is accurate.

But The Department also knowingly fails to properly meet Fair Processing, principle 1 of the Data Protection Act. It’s own 2015-16 Department video to advise schools how to complete the census, fails to mention any onward sharing of pupils’ information to commercial third parties or press. As does their template privacy notice for schools.

The Department appears to pick and choose when it sticks to the legal requirements of the Data Protection Act to suit itself and when it chooses not to comply with it.

Laws designed to protect the identity of its people from exploitation are not something to ‘work around’. Laws designed to ‘protect’ data are to protect the person behind the data from potential harm; through identity fraud, harassment, prejudicial treatment or stigma.

Identifiable and confidential data tell the story of a person’s private life. It’s not government data to be used simply because it’s sitting in a database over which the citizen was never asked about being included in, and cannot opt out from.

It’s time our children’s data and identity were respected as they deserve to be.

How are our individual children’s ‘education and well-being promoted’ by giving away their personal data to outside non-secured settings, commercial third parties and journalists. How are the principles of the Data Protection Act 1998 to be met? When will parents be told?

We have also asked for information about NPD transfers abroad.

Relevant Legislation

1. Education Act 2005 http://www.legislation.gov.uk/ukpga/2005/18/section/114
2. Education Act 1996 http://www.legislation.gov.uk/ukpga/1996/56/section/537A
3. Children Act 1989 http://www.legislation.gov.uk/ukpga/1989/41/section/83
4. The Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009 http://www.legislation.gov.uk/uksi/2009/1563/made
5. The Education (Individual Pupil Information) (Prescribed Persons) (England) (Amendment) Regulations 2010  http://www.legislation.gov.uk/uksi/2010/1940/contents/made
6. The Education (Individual Pupil Information) (Prescribed Persons) (England) (Amendment) Regulations 2013 http://www.legislation.gov.uk/uksi/2013/1193/contents/made
7. Special Educational Needs (Information) Act 2008 http://www.legislation.gov.uk/ukpga/2008/11/contents
Education and Inspections Act 2006 http://www.legislation.gov.uk/ukpga/2008/11/contents

8. Statutory Instrument No.208 in 2016, for the expansion of pupil data collection to include Country of Birth, Nationality and EAL at national level http://legislation.data.gov.uk/uksi/2016/808/made/data.html The Education (Pupil Information) (England) (Miscellaneous Amendments) Regulations 2016

9. List of some individual data items extracted mentioned in 2013 SI  http://www.legislation.gov.uk/uksi/2013/2094/schedule/1/made The Education (Information About Individual Pupils) (England) Regulations 2013
2013 No. 2094 SCHEDULE 1

10. Revocation http://www.legislation.gov.uk/uksi/2013/2094/schedule/2/made

11. School Standards and Framework Act 1998 (section 537A) http://www.legislation.gov.uk/ukpga/1998/31/pdfs/ukpga_19980031_en.pdf