We are calling for the application of the law in theory to be reviewed against what happens in practice.

[1] Section 114 of the Education Act 2005 and [2] section 537A of the Education Act 1996, together with the 2009 Prescribed Persons Act, updated in 2013, specifically allow the release of individual children’s data to third parties, which in practice has permitted identifiable individual-level data to be given to journalists, commercial third parties and charities. Which data items are involved is based on the 2006 Act around the register data a school must hold, which has subsequently had many amendments.

The release of individuals’ identifiable data was updated by a 2013 change to legislation:

Extract from the Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009 (Amended 2013).

persons who, for the purpose of promoting the education or well-being of children in England are—

(i) conducting research or analysis,

(ii) producing statistics, or

(iii) providing information, advice or guidance,

and who require individual pupil information for that purpose.

For the purposes of these Regulations, ‘well-being’ has the meaning referred to in sections 332E and 507B of the Education Act 1996 in relation to those sections. Section 332E was inserted by section 1 of the Special Educational Needs (Information) Act 2008 (c.11) and section 507B was inserted by section 6(1) of the Education and Inspections Act 2006 (c.40).

Human Rights implications on Rights to Education, Privacy and Family Life

The Right to Education is protected by Article 26 of the Universal Declaration of Human Rights, Articles 13 & 14 of the International Covenant on Economic Social and Cultural Rights, and Articles 28, 29 & 40 of the Convention on the Rights of the Child.

Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence.

The assessment of the “best interests of the child” is intrinsic to the proportionality assessment under Article 8.

Article 7 of the Charter of Fundamental Rights means everyone has the right to respect for his or her private and family life, home and communications, and Article 8 on the Protection of Personal Data means data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

The Charter of Fundamental Rights Article 52 further requires that any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

The upcoming EU GDPR reiterates these fundamental freedoms and requires accountability and adequacy of data protection aligned with those Principles. The requirements for collection of children’s data for processing by third parties, and particularly with predictive scoring, are not met in the school census collections.

The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided, and it cannot be open-ended or blanket consent to cover future processing.

Finally, Article 7(3) of the GDPR gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.” This is not currently possible in the NPD, since most of those whose data are stored do not know it exists at all.


UK Supreme Court ruling July 28, 2016

We believe a review of the legal basis is necessary for the data given away for non-academic research purposes, with regard to many of the third parties receiving confidential pupil data, including sensitive personal data, from the National Pupil Database in England. The legal position on the DfE release of sensitive data is unclear.

The judgment in the Named Persons case is listed as “The Christian Institute and others (Appellants) v The Lord Advocate (Respondent) (Scotland)”.

The Supreme Court judges said the law was “defective” for breaching article 8 of the European Convention on Human Rights (ECHR), which guarantees everyone’s “right to a private and family life”. They declared Holyrood had exceeded its powers by making a law which allowed public bodies to share sensitive private information about children and parents without consent.

The judges stated: “The sharing of personal data between … the operation of the information sharing provisions will result in interferences with the rights protected by article 8 of the ECHR” (Para. 78). Because of the lack of safeguards “the overriding of confidentiality is likely often to be disproportionate” (Para. 100).

The Supreme Court ruling on the Scottish Named Persons scheme reiterates DPA requirements:

‘For example, the second principle is that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes”.’

The purposes of the school census collection, parents and pupils believe, are for their education. NOT to be handed out to commercial third parties, charities and press without their knowledge.

Mr Gibb has said in July 2016 that: “There are currently no plans for the Department to change the existing protocols and processes for the handling and disclosure of confidential information.”

The current communication to parents and pupils fails fair processing and is therefore illegitimate on the grounds of both consent and explicit and specified purposes.

Decision, Department of Education and Skills, Ireland, July 11, 2016

Further, in July 2016 the court in Ireland ruled that secondary uses of data (i.e. in this case, using children’s data for anything other than their direct in-school education, the reason parents and pupils believe data are given) need a privacy impact assessment, and that secondary purposes must be optional. Objections to data processing for any secondary purposes from the NPD should be respected, as ruled in Ireland recently.

What does the Department for Education say?

Did the government consider when it actively changed the law to make commercial use of children’s identifiable, confidential data, that it should first ask the parents of 20 million children for consent?

The 2015/16 Department for Education census data collection video [1] to schools on the DfE website, expressly tells schools they are not required to collect consent and that “they are protected from legal challenge over a breach of confidence.” [from 0:40 seconds in]

The 2015-16 guide issued in December repeats the statements that being on a statutory basis “means that schools do not need to obtain parental or pupil consent to the provision of information” and “ensures schools are protected from any legal challenge that they are breaching a duty of confidence to pupils”.

The guidance fails to mention the UK requirements of data protection law, the common law of confidentiality, and Human Rights Act right to privacy.

Section 29 of the Education Act refers only to the requirement schools have to send data to the Department: the statutory gateway. This gateway does not dispense with the duty to ensure citizens are properly informed before data sharing between public bodies.

The Department of Education’s very own guide [2] to legal issues on data sharing from 2009 says:

“Having express or implied statutory powers in any particular case does not mean that the Human Rights Act 1998, the common law duty of confidentiality, and the Data Protection Act 1998 can be disregarded. Where a statutory gateway explicitly removes the need to consider confidentiality, then confidential information can be shared however this will be rare and in limited circumstances.”

The confidential information has been shared in over 650 cases since 2012. Is that rare and limited, or has that boundary been overstepped? We believe it has, because the policy and practice is to hand out identifiable personal data on a regular basis.

The Data Protection Act 1998

Legislation that permits the use of personal data for research purposes is of particular relevance to the National Pupil Database.

Section 33 of the Data Protection Act relates to personal data which are processed (or further processed) ‘only for research purposes’. These are undefined, but explicitly include statistical or historical purposes. To qualify for the research exemption, the use of data must be able to comply with the following ‘relevant conditions’:

(a) that the data are not processed to support measures or decisions with respect to particular individuals (section 33(1)); and

(b) that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

Once these ‘relevant conditions’ have been satisfied, personal data further processed for research purposes:

  • may be used for purposes other than those for which it was originally obtained (therefore exempt from the Second Data Protection Principle); and
  • may be kept indefinitely (therefore exempt from the Fifth Data Protection Principle); and
  • will be exempt from the data subject’s rights of access where ‘the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them’ (section 33(4)).

Section 33 does not, however, give exemption from the remaining data protection principles which apply to personal data provided and/or used for research.

Most of the data protection principles still apply. These include requirements for:

i. personal data to be fairly and lawfully processed, the First Data Protection Principle

ii. one of the other conditions relevant for the purposes of the fair and lawful processing of personal data will still be required where consent is absent (Schedule 2)

iii. for sensitive data (Tier 1 of the National Pupil Database includes all the data items classified as ‘sensitive’) an additional condition from Schedule 3 must also be met to justify disclosure. These conditions are, for example, in the interests of justice.

iv. personal data must be kept secure (Principle 7)

Further, the processing must be ‘necessary’.

These criteria are intended to set a high bar for protection of individuals’ rights, and cannot all be disregarded simply because data uses are classed as ‘research’.

In particular, Principle 1, the fairness obligation, cannot be set aside merely because of the presence of a legal basis (in the form, say, of legislation under the Education Act).

On October 1, 2015, this latter point was again made explicit for public bodies in the judgment of the Court of Justice of the European Union in the Bara case (C‑201/14), in which it ruled that “[the Directive] must be interpreted as precluding national measures…which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing,” i.e. the public must be informed when public bodies share their data and why.

The confidential information is kept indefinitely, and its uses are not what parents and pupils consider research purposes, but include commercial use. There is inadequate fair processing. Our research with school staff and teachers, parents and pupils shows almost none have heard of a national pupil database and they don’t understand what happens to their data collected in the Census. The DPA requirements on fair processing are not met.

Subject Access Requests are rights under DPA: denied

The Department uses the research exemption, s33 of the Data Protection Act, to keep data indefinitely, so the database now has 20 million individuals’ names and data recorded in it.

The Department uses the same clause to deny parents Subject Access Requests to understand what the NPD stores about our own children or check that it is accurate.

But the Department also knowingly fails to properly meet Fair Processing, Principle 1 of the Data Protection Act. Its own 2015-16 Department video, advising schools how to complete the census, fails to mention any onward sharing of pupils’ information to commercial third parties or press, as does its template privacy notice for schools.

The Department appears to pick and choose when it sticks to the legal requirements of the Data Protection Act to suit itself and when it chooses not to comply with it.

Laws designed to protect the identity of its people from exploitation are not something to ‘work around’. Laws designed to ‘protect’ data are to protect the person behind the data from potential harm; through identity fraud, harassment, prejudicial treatment or stigma.

Identifiable and confidential data tell the story of a person’s private life. It’s not government data to be used simply because it’s sitting in a database in which the citizen was never asked about being included, and from which they cannot opt out.

It’s time our children’s data and identity were respected as they deserve to be.

How are our individual children’s ‘education and well-being promoted’ by giving away their personal data to outside non-secured settings, commercial third parties and journalists? How are the principles of the Data Protection Act 1998 to be met? When will parents be told?

We have also asked for information about NPD transfers abroad.

Relevant Legislation

1. Education Act 2005 http://www.legislation.gov.uk/ukpga/2005/18/section/114
2. Education Act 1996 http://www.legislation.gov.uk/ukpga/1996/56/section/537A
3. Children Act 1989 http://www.legislation.gov.uk/ukpga/1989/41/section/83
4. The Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009 http://www.legislation.gov.uk/uksi/2009/1563/made
5. The Education (Individual Pupil Information) (Prescribed Persons) (England) (Amendment) Regulations 2010 http://www.legislation.gov.uk/uksi/2010/1940/contents/made
6. The Education (Individual Pupil Information) (Prescribed Persons) (England) (Amendment) Regulations 2013 http://www.legislation.gov.uk/uksi/2013/1193/contents/made
7. Special Educational Needs (Information) Act 2008 http://www.legislation.gov.uk/ukpga/2008/11/contents
Education and Inspections Act 2006 http://www.legislation.gov.uk/ukpga/2008/11/contents

8. The Education (Pupil Information) (England) (Miscellaneous Amendments) Regulations 2016: Statutory Instrument No.208 in 2016, for the expansion of pupil data collection to include Country of Birth, Nationality and EAL at national level http://legislation.data.gov.uk/uksi/2016/808/made/data.html

9. The Education (Information About Individual Pupils) (England) Regulations 2013, 2013 No. 2094, Schedule 1: list of some individual data items extracted, mentioned in 2013 SI http://www.legislation.gov.uk/uksi/2013/2094/schedule/1/made

10. Revocations http://www.legislation.gov.uk/uksi/2013/2094/schedule/2/made

11. School Standards and Framework Act 1998 (section 537A) http://www.legislation.gov.uk/ukpga/1998/31/pdfs/ukpga_19980031_en.pdf