Q1. What data exactly does the National Pupil Database hold?
A. From age 2-19, since 2000, any school pupil’s full educational record, made up of i) personal data given to schools by parents, including name and address and sensitive data like ethnicity and date of birth, and ii) the pupil data created by the school. It is a melting pot of various different education data collections.
This is a lifetime record of testing and tracking: attainment records, absence, exclusions, SEN (special needs) and health data, indicators of armed forces or linked to indicators of children in care. It is “one of the richest education datasets in the world” according to the National Pupil Database (NPD) User Guide. The full national code sets of all the items of data that can be collected on individual children can be downloaded here, including the health and SEND (special educational needs and disability) related data.
Higher Education data (HESA) is held separately, dating from 1994. It is applicable to England, and children from Wales whose school may come under English authority.
Q2. Who has the Department for Education given my personal data to?
A. In addition to academic researchers in the public interest, those given children’s highly sensitive and identifiable data include charities, think tanks, journalists on Fleet Street papers and TV journalists, data consultancies and ‘one-man-bands.’ Home Office access for immigration enforcement purposes began in 2015, and originally included nationality data.
The majority of releases, 553 since 2012, were of identifying, individual pupil-level, sensitive data. See our analysis of the releases March 2012-16.
A list of third parties who are given identifiable data is published on a rolling basis. It currently includes the releases since 2012 up to and including March 2016.
Here are some case studies to download of data releases 2012-14, covering when journalists have been given identifiable and sensitive personal data, and where named data have been used. This also lists how many releases have been of individual level data, and where the DfE Fair Processing notice fails to mention releases of identifiable individual level data, or commercial and press access. In 2016 the Department started to update their release register more regularly.
We have been told that most requests are population wide; that’s 20 million children, 12 million of whom are now adults. We hope that more information will shortly be included in the release register for future requests, to know the volume of data given away in each release. The Department is unable to tell you which releases give away your own child’s data, so we do not know exactly who has it for which purpose.
Q3. What about the plans to collect ethnicity, English as an additional language (EAL) and country-of-birth data?
• NEW: Nationality to be collected at national level
Q4. Why is my child’s personal data given away without my consent?
A. Schools are obliged to send pupil data including names to the Department for Education. The 2013 regulations also require that the pupil’s name is provided. [see p17] Our research so far with over 75 schools shows that the Department for Education fails to adequately inform schools who they pass data on to, so schools fail to tell parents. Schools are required to ask for it and submit what they receive. Parents and pupils can choose not to provide country of birth, nationality, ethnicity and first language information.
Q5. Is this legal?
A. Cumulative changes to laws by successive governments up to and including the 2013 changes have enabled the release of individual and named data. The Department for Education has a duty under the Data Protection Act 1998 to ensure that Principle 1, fair processing, is met. We are campaigning for transparency from the Department to properly inform pupils and parents how their data are used by third parties. We also suggest the legislation should be reviewed, including by the Parliamentary Joint Human Rights Committee for breach of privacy. Scope expansion has not been communicated to any of the data subjects (pupils) unless schools updated their privacy notice after the 2013 Act enabled identifiable individual data to be released. As far as we are aware, no one who left school since 2012, when the law was changed, has been contacted to be informed of the use of their personal data in these ways.
Q6. Can I opt out of giving my child’s data to journalists or others?
A. No. But we believe you should be able to, and are campaigning for this. Ask that question of your schools, governors and MPs, or write to the Department for Education, and to the Information Commissioner if you have no adequate response. Here are some of the recipients of sensitive and highly sensitive identifiable data: BBC Newsnight, The Times, Telegraph, FFT Education. [sourced via whatdotheyknow.com]
Q7. Are they selling our children’s personal data?
A. We have been told by DfE that National Pupil Database data are given away for free to third parties; however, HESA (Higher Education) data, including workforce data, are sold. We asked for more information about this from the Department for Business, Innovation and Skills.
Q8. Isn’t it good that researchers can access children’s data to understand education better?
A. We support safe use of data for researchers. Today it’s no longer acceptable to pass sensitive data around on CDs and for similar reasons, data should not be given out to third parties. Best practice is for data to be managed in safe settings, where bona fide researchers can come to the data and take out their findings, but not the raw data.
In addition, we believe the level of identifiable and sensitive data given out is inappropriate for anyone other than accredited researchers, and data should be anonymised and minimised wherever possible. Today’s users are given too much data that parents feel is a breach of privacy.
Bona fide research is in the public interest and generally has public support. But a wide range of recipients get individual level, sensitive and sometimes highly sensitive items (special needs and exclusions, for example) from the National Pupil Database. These are not anonymous or statistical data, but pupil-level identifiable data releases.
Some of these third parties don’t meet the public’s expectation of what a ‘researcher’ should be and how data should be handled. Journalists getting sent out the most sensitive tier 1 data to their own site? For all accredited users, where appropriate, we would like to see safe access in safe settings, where they can take away knowledge, not identifiable data.
All secondary data uses should be with consent, and shared with respect to the Data Protection principles. And that our children’s data are used for a wide range of purposes without our consent shouldn’t be a secret; pupils must be told.
Q9. Where can I find out who the DfE gave data to since 2012?
A. Here, in the third party release register. We have campaigned for a regular and frequently published list to improve transparency. We have also asked for more information about the releases and how long the data may be used for by third parties, as we have shown that data has not been destroyed as it should have been after use. This destruction due date was added to the register and published in May 2016 for the first time. This transparency may help reduce the risk of errors going unnoticed for a long time.
Forward dates for publication are here in the “Forthcoming Publications” section. We expect further updates on July 14, and again in November 2016 covering requests up to the end of June 2016.
Q10. How long will the Department for Education keep the data?
A. Forever. The Department for Education uses the Data Protection Act exemption (s33(3)) to keep the data indefinitely for historical, statistical or research purposes. This means the database will grow indefinitely to become population-wide, and adults’ as well as children’s data are now being given away: from anyone in education since 1994 (HESA) and 2000 (NPD).
Q11. How many children’s data are in the National Pupil Database?
A. “The total number of Unique Pupil Numbers (UPNs) in the NPD as at 28/12/2015 was 19,807,973. This covers pupil records since 2000.
“The total number of individuals in the further education (FE) and HE data held by the DfE as at 28th December 2015, in addition to the number of UPNs already identified in the NPD in the previous answer provided, was 1,422,659.
“However, the DfE only holds a subset of FE and HE data – if you require complete information on the total number of individuals held in further and higher education databases by Government you should approach the Department for Business, Innovation & Skills (BIS).”
Q12. Can I find out exactly what they store about my child or me?
A. The Department for Education (DfE) has refused Subject Access Requests for National Pupil Data (age 2-19). This means that while they give children’s identifiable data to third parties, the DfE won’t let parents or pupils check it is accurate. We are discussing this further with the DfE and want to find practical solutions to protect data privacy and rights, and reduce the risk of inappropriate access or misuse.
However, we believe that the DfE should comply with the Data Protection Act 1998 and meet Subject Access Requests. We suggest how to apply here. It is called, “Making a Subject Access Request.”
Separately, HESA, the Higher Education Statistics Agency Ltd, does have a process for subject access requests here. Under the Data Protection Act 1998 you have rights of access to the data HESA holds about you. You will have to pay a small fee for this. For further information about data protection and the HESA record see www.hesa.ac.uk/dataprot or email firstname.lastname@example.org
Q13. Do these databases release names, and other personal data?
A. Yes, the National Pupil Database has released names on numerous occasions.
NPD data are used in surveys: a named survey, What About Youth, was created by extracting named pupil data and matching it with HSCIC-held data in 2014 for an intensely detailed questionnaire social survey mailshot to the homes of 15-year-old pupils, almost 300,000 of them according to the published report.
Similarly the IoE used it to get all Year 7 pupils’ data and send them named tests for completion in 2014.
From Higher Education data, names are supplied to Statutory Customers for record linking and in support of audit processes. Access to names within HESA and its Statutory Customers, HESA says, “is restricted to essential staff who have received the appropriate training in data protection.”