1. What data exactly does the National Pupil Database (NPD) hold?
A. From age 2-19, since 2000, any school pupil’s full educational record made up of i) personal data given to schools by parents including name and address and sensitive data like ethnicity and date of birth, and ii) the pupil data created by the school. It is a melting point of various different education data collections.
This is a lifetime record of testing and tracking; attainment records, absence, exclusions, SEN special needs and health data, indicators of armed forces or linked to indicators of children in care.
It is “one of the richest education datasets in the world’ according to the National Pupil Database (NPD) User Guide. The full national code sets of all the items of data that can be collected on individual children can be downloaded here, including the health and SEND (special educational needs and disability) related data.
For a simplified overview see pages 19-22 of the User Guide. From autumn 2016 more data are to be collected including country-of-birth from every child for the first time, as well as nationality to be sent to the national database.
Early Years census data, Alternate Provision, as well as Early Years Foundation Stage individual child level data are also included, and have been so since 2009. The 2017 early years census is in two parts – establishment level and child level. Data transfered and stored in the NPD include surname, First name, DOB, Address, Postcode, Ethnic group, Gender, SEN, Number of hours of funded early years provision per week and Total number of hours of early years provision that the child receives per week. All English providers of funded early education in the private, voluntary and independent (PVI) sectors are within the scope of the early years census. It is mandatory to collect the data for the early years census at individual child level for children taking up a funded place. Ethnicity is optional and parents must be given the right to withhold this from submission. The 2017 census was completed between January 19 and February 10, and included two year olds born since 1 January 2014.
Higher Education data (HESA) is held separately, dating from 1994. It is applicable to England, and children from Wales whose school may come under English authority.
The National Pupil Database refered to on this website, covers only pupils in state (or partially state-funded) schools in England.
However Similar systems operate across the rest of the UK.
- For Wales see here. Pupil level data since 2004.
- For Scotland see here. The Scottish Government holds electronic records from 2002.
- For Northern Ireland see here. Contains data from approximately 1,200 schools, 400 pre-schools and individual level records for over 300,000 pupils each year. With effect from 2010/11, the pupil’s UPN (unique identifier) will remain consistent throughout their time in school.
Q2. Who has the Department for Education given my personal data to?
A. In addition to academic researchers in the public interest, those given children’s highly sensitive and identifiable data include charities, think tanks, journalists on Fleet Street papers and TV journalists, data consultancies, even a private tutoring company, and ‘one-man-bands.’ Home Office access for immigration enforcement purposes began in 2015, and originally included nationality data.
See our latest review and analysis of the releases. Of the majority of the releases — 1000+ requests for identifiable data that have been through the DfE request process in March 2012 – December May 2017, only 30 have been for aggregated data.
There is a list of third parties who get given identifiable data is published on rolling basis. It currently includes the releases since 2012 up to and including May 2017. (note split in May 2017, and before 2016 is archived, link on DfE page.)
Here are some case studies to download of data releases 2012-14, of when journalists have been given identifiable and sensitive personal data, and where named data have been used. This also lists how many releases have been of individual level data, and where the DfE Fair Processing notice fails to mention releases of identifiable individual level data, or commercial and press access. In 2016 The Department started to update their release register more regularly.
We have been told that most requests are population wide; that’s 20 million children, 12 million of whom are now adults. We hope that more information will shortly be included in the release register for future requests, to know the volume of data given away in each release. The Department is unable to tell you which releases give away your own child’s data, so we do not know exactly who has it for which purpose.
Q3. What about the plans to collect about ethnicity, English as an additional language(EAL) and country-of-birth data?
The collection of children’s personal data and its use at national level will change in autumn 2016, affecting all schools, related to ethnicity, nationality, country of birth, English as an additional language, as well as home address. These data are extracted through schools information management systems (SIMS) either directly or via the local authority in the school census and early years censuses [read our summary] [read the LSE parenting blog] and see the legislation: <
• NEW: country of birth (Pupil country of birth 100565) added and to be collected at national level
• NEW: Nationality to be collected at national level
• EXPANSION: ethnicity and nationality, expanded to all children regardless of age (Nationality 100564)
• EXPANSION: multi-level detail expanded on English as an additional language, coded in five tiers and new national extraction of measures of fluency.
• EXPANSION: pupil home address may add a unique property identifier using BS7666 address format, in addition to the 5-line home address, and in addition to postcode which is already mandatory.
• EXPANSION: age of pupil from which data may be collected has been lowered to under 2, and previous restrictions on collecting ethnicity on under 5s have been scrapped.
Census dates for 2016-17 are: October 6, January 19, 2017, and May 18, 2017.
While the government has backed down on collecting country-of-birth and nationality from pre-schoolers ethnicity and language will be collected for the first time, and more personal data than ever before from this age group. The MOU to transfer nationality data to the Home Office was amended on October 7, 2016, to stop doing so. You can download a full briefing here. [updated March 6, 2017]
Q4. Why is my child’s personal data given away without my consent?
A. Schools are obliged to send pupil data including names to the Department for Education. The 2013 regulations also require that the pupils name is provided. [see p17] Our research so far with over 75 schools, shows that the Department for Education fails to adequately inform schools who they pass data on to, so schools fail to tell parents. Schools are required to ask for it and submit what they receive. Parents and pupils can choose not to provide country of birth, nationality, ethnicity and first language information.
Q5. Is this legal?
A. Cumulative changes to laws by successive governments up to and including the 2013 changes have enabled the release of individual and named data. The Department for Education has a duty under the Data Protection Act 1998 to ensure Principle 1, fair processing is met. We are campaigning for transparency from the Department to properly inform pupils and parents how their data are used by third parties. We also suggest the legislation should be reviewed, including by the Parliamentary Joint Human Rights Committee for breach of privacy. Scope expansion has not been communicated to any of the data subjects (pupils) unless schools updated their privacy notice after the 2013 Act enabled identifiable individual data to be released, and as far as we are aware, no one who left school since 2012 when the law was changed has been contacted to be informed of the use of their personal data in these ways.
Q6. Can I opt out of giving my child’s data to journalists or others?
A. No. But we believe you should be able to, and are campaigning for this. Ask that question of your schools, governors, MPs or write to the Department for Education, and Information Commissioner if you have no adequate response. Here are some of the recipients of sensitive and highly sensitive identifiable data; BBC Newsnight, The Times, Telegraph, FFT Education. [sourced via whatdotheyknow.com]
Q7. Are they selling our children’s personal data?
A. We have been told by DfE that National Pupil Database data are given away for free to third parties, however HESA (Higher Education data) including workforce data, are sold. We asked for more information about this from the Department for Business and Innovation and Skills.
Q8. Isn’t it good researchers can access children’s data to understand education better?
A. We support safe use of data for researchers. Today it’s no longer acceptable to pass sensitive data around on CDs and for similar reasons, data should not be given out to third parties. Best practice is for data to be managed in safe settings, where bona fide researchers can come to the data and take out their findings, but not the raw data.
In addition, we believe the level of identifiable and sensitive data given out is inappropriate for anyone other than accredited researchers, and data should be anonymised and minimised wherever possible. Today’s users are given too much data that parents feel is a breach of privacy.
Bona fide research is in the public interest and generally has public support. But a wide range of recipients get individual level, sensitive and sometimes highly sensitive items – special needs, and exclusions for example from the National Pupil Database. These are not anonymous or statistical data, but pupil-level identifiable data releases.
Some of these third parties don’t meet the public’s expectation of what a ‘researcher’ should be and how data should be handled. Journalists getting sent out the most sensitive tier 1 data to their own site? Where appropriate for all accredited users we would like to see them have safe access, in safe settings and can take away knowledge, not identifiable data.
All secondary data uses should be with consent, and shared with respect to the Data Protection principles. And that our children’s data are used for a wide range of purposes without our consent shouldn’t be a secret, pupils must be told.
Q9. Where can I find out who the DfE gave data to since 2012?
A. Here, in the third party release register. Note it was split into two lists in 2017, and older releases archived here. We have campaigned for a regular and frequently published list to improve transparency. We have also asked for more information about the releases and how long the data may be used for by third parties, as we have shown that data has not been destroyed as should have been after use. This destruction due date was added to the register and published in May 2016 for the first time. This transparency may help reduce the risk of errors going unnoticed for a long time.
Forward dates for publication are here in the “Forthcoming Publications” section. We expect further updates on July 14, and again in November 2016 covering requests up to the end of June 2016.
Q.10 How long will the Department for Education keep the data?
A. Forever. The Department for Education uses the Data Protection Act exemption (s33(3)) to keep the data indefinitely for historical, statistical or research purposes. This means the database will grow indefinitely to become population-wide, and is now giving away adults as well as children’s data; from anyone in education since 1994 (HESA) and 2000 (NPD).
Q.11 How many children’s data are in the National Pupil Database?
A. “The total number of Unique Pupil Numbers (UPNs) in the NPD as at 28/12/2015 was 19,807,973. This covers pupil records since 2000.
“The total number of individuals in the further education (FE) and HE data held by the DfE as at 28th December 2015, in addition to the number of UPNs already identified in the NPD in the previous answer provided, was 1,422,659.
“However, the DfE only holds a subset of FE and HE data – if you require complete information on the total number of individuals held in further and higher education databases by Government you should approach the Department for Business, Innovation & Skills (BIS).”
Q12. Can I find out exactly what they store about my child or me?
A. The Department for Education (DfE) has refused Subject Access Requests for National Pupil Data (age 2-19). This means that while they give children’s identifiable data to third parties, the DfE won’t let parents or pupils check it is accurate. We are discussing this further with the DfE and want to find practical solutions to protect data privacy and rights, and reduce the risk of inappropriate access or misuse.
However, we believe that the DfE should comply with the Data Protection Act 1998 and meet Subject Access Requests. We suggest how to apply here. It is called, “Making a Subject Access Request.”
Separately, HESA, the Higher Education Statistics Agency Ltd, does have a process for subject access requests here. Under the Data Protection Act 1998 you have rights of access to the data HESA holds about you. You will have to pay a small fee for this. For further information about data protection and the HESA record see www.hesa.ac.uk/dataprot or email firstname.lastname@example.org
Q13. Do these databases release names, and other personal data?
A. Yes, the National Pupil Database has released names on numerous occasions.
NPD data are used in surveys: a named survey What About Youth was created by extracting named pupil data and matching it with HSCIC held data in 2014 for an intensely detailed questionnaire social survey mailshot to the homes of 15 year old pupils. Almost 300,000 of them according to the published report.
Similarly the IoE used it to get all Year 7 pupils’ data and send them named tests for completion in 2014.
From Higher Education data, names are supplied to Statutory Customers for record linking and in support of audit processes. Access to names within HESA and its Statutory Customers, HESA says, “is restricted to essential staff who have received the appropriate training in data protection.”