We welcome that the Office for Statistics Regulation has taken time to address the serious issues of children’s confidentiality and National Pupil Database (NPD) raised in the course of 2017 and welcome the core recommendations in the OfS letter to the Department for Education:
• For data safeguarding and legal compliance, all NPD outputs, data flows and sharing should have regard for the Five Safes framework,
• A Data Protection and Privacy Impact Assessment of the National Pupil Database should be carried out,
• Communications with children and parents need user-testing with parents and children, with thought to age and capability (but it must be informed, not a fig leaf for public acceptance),
• Proactive involvement with the Office of the Information Commissioner in future changes (as long as it does not mean a conflict of interest when time comes for regulation),
• Transparency of onward data sharing from third-parties to other non-published third-parties,
• The Department for Education should be accountable for and publish how the School Census and NPD will be GDPR compliant.
The most urgent change required is for National Pupil Data to be made safe. It is one thing to talk about outputs being safe, that is, what the users publish, but if data are sent out to users, that has already put the data into the public domain in ways the schools, children and parents do not expect. It increases the risks of loss, theft, and misuse, and those risks persist. And it carries on without oversight.
The new OfS Code of Practice says that, “Above all, the confidentiality of individuals and of business information must be protected.”
Yet today’s distribution of personal confidential data to third parties does not respect that. Schools Minister Nick Gibb confirmed in December 2017 that, “between August 2012 to 20 December 2017, 919 data shares containing sensitive, personal or confidential data at pupil level have been approved for release from the National Pupil Database. For the purpose of this answer, we have assumed the term sensitive, personal or confidential uses of information to be data shares classified as either Tier 1 or Tier 2 as set out in the National Pupil Database area on gov.uk.”
The DfE must commit to safe settings for these data now. Anything less is an acceptance of the exploitation of children’s privacy for third-party commercial profit at national scale, by all involved.
Each one of us, and children in particular, has a right to privacy. It exists to protect children’s full development, reduce risk, keep them free from harm, and ensure their flourishing. This has been set aside by the Department for Education in an institutionalised breach of confidentiality every month for millions of children. That is unsustainable.
Parents provide their child’s information to school for their education, and with expectations of how the school will use it. Not for it to be given out to companies, journalists, or any other kind of researcher at individual level.
Subject Access rights need to be restored, so that pupils and parents can check their own data are accurate, and verify fair and lawful processing.
Privacy Impact Assessment
It is unsurprising to read that the DfE deemed for themselves that the re-identification risks of their own practice were minimal. No one has ever carried out any privacy impact assessment (DPIA/PIA), or regular audit process. We look forward to practical application of improvement, and a time limit to be set for the assessment that the OfS recommends.
Communications and public involvement have prominence in the UKSA recommendations. This can only be meaningful, and not a fig leaf for public acceptance, if the participants have a full understanding of what the National Pupil Database is: a melting pot of over 15 separate data collections, on a termly, annual or other regular basis. Every single individual has a right to privacy and a right to be told how their data are processed, not only a selected panel. Our recently commissioned Survation poll of over 1,000 parents found 69% had not been told pupil data can be given away from the National Pupil Database.
Today’s uses go far beyond reasonable expectations and are incompatible purposes compared with what children and parents expect when they give in personal data to a school for their education. Children’s records are being linked with data in the National Police Computer, put to predictive uses in criminology research, and used monthly in Immigration Enforcement. And all the time they are given away monthly to commercial companies and media third parties at individual pupil level.
Fair and lawful processing can only take place if every person whose data are used knows they are used. This includes the 8 million children in school today, and the growing 15 million who have already left but whose data are given away.
February 2017: Letter from Ed Humpherson, Director General at the UK Statistics Authority.