Response: UKSA National Pupil Database Update

Summary

The UKSA first regular assessment of DfE’s progress on UKSA recommendations made earlier this year, has come after the first major improvement in DfE data handling.

It follows on from commitments made in March, when Ed Humpherson, Director General for Regulation, Office for Statistics Regulation wrote to the Department for Education with actions that would be required, and that UKSA would, “proactively monitor progress on these recommendations via our regular meetings with DfE […] and “publish an update to this letter to report on progress in September 2018.”

The concerns raised related to:

  • NPD data access protocols, including third-party onward sharing
  • Privacy impact assessments and the Alternative Pupil Census
  • Engagement with pupils, parents and schools
  • Progress on previous OSR recommendations to DfE about the NPD
  • Pupil census data validation
  • Data Protection Act (DPA) compliance
  • The accuracy of DfE’s response to parliamentary questions (PQs) about data identifiability

Overall, the progress that the Department has made to deliver a safe model of data access is to be commended. Much remains to be done and there are legacy uses and loose-ends to be tied up over a transition period. We continue to monitor the progress of this work, and we warmly welcome that the UKSA is doing so.

However, the ongoing misuse of data in bulk for non-educational purposes such as by the Home Office, and new projects, such as “Send Data to DfE / Data Exchange” continue to jeopardise the progress made if their issues are not resolved, or delivered with the same level of transparency.

We see the positive value of public involvement panels, but this must not become a pseudo method of public acceptance for 23 million records in the NPD. Adequate fair processing communication still remains to be done with the public today, both in school, and those no longer in the school system, whose personal data are still being processed, even on a named basis. This is a lawful requirement, the first principle of data protection law, and should not be ignored. Privacy rights have been disregarded for many years and must now be addressed, not only at point of use, but at point of collection.

We hope that the Department will urgently publish much more information, and suitable for children, about its other projects using their personal and learning data, such as: ASP, LEO, the AP census expansion, new Baseline testing trials, as well as the long-term 5-year work with the Data Exchange, which is opaque, and not even within scope of NAO oversight.

It is now for the Department to learn from the fixes it is currently working through in NPD and implement similar work needing done such as adequate Data Protection and Privacy Impact Assessments across these projects, and begin an appropriate and effective programme of public and professional communication.


In detail

The Department for Education has stopped the data distribution policy it began in 2012 under then Secretary of State for Education, Michael Gove, ending the mass distribution of pupil level personal confidential data to a very wide range of commercial third parties, press, and many others.

The Department and the Office for National Statistics (ONS) have started to enable access to individual level data for research, from the National Pupil Database (NPD), School Workforce, Individualised Learner Record and Higher Education Statistics Agency in a new way.

However, the caveats to this new model are important to resolve, and it is not yet unpublished how long they will remain in place. These include:

  1.  Access through the Secure Research Service may not be required if the request meets one or more of several conditions.
  2. There are plenty of other data sharing agreements between the Department and third parties still in place, including six who have entire copies or large volumes of identifying, including named pupil data, still sent to their own settings for benchmarking and commercial repackaging, and no oversight of sub-contracting to date.
  3. Researchers who won’t accept a ‘no’ or who do not want to use more secure settings from the Department, are deliberately working around the national safeguards. Similar safeguards need extended across the local data distribution models — which are currently unrecorded, and opaque to the people the data come from.

Other key areas of work required are in:

1. Communication and Transparency:

Engagement with pupils and parents has not yet happened. It is paramount that children and families are told what happens to their personal data. We expressed this recently in more detail in submission to the Science and Technology Committee consultation on Digital Government (data questions).

We welcome the intention for user-testing of privacy notices with parents and pupils, and suggest that there is a tie-in to the work with Youth Juries carried out by researchers under the 5Rights umbrella at Nottingham University, and further academics’ work supported by the ICO such as Professor Livingstone’s work on children and consent. Both offer good opportunities to engage young people on this topic.

2. Transparency

We welcome much greater transparency. The external data share registers now include police, Court Orders and Home Office, which is welcome. This should continue. Details of many more data shares to third parties are now included in the summary information published by DfE in the transparency publication including the Individualised Learner Record (ILR) from which there is an opt out available, but has never been publicised. The public is not aware of this data collection, or its uses. A Unique Learner Number system began in 2013. Learners may choose not to share their PLR data and can opt-out of sharing with some third parties, by contacting the LRS customer helpdesk on 0345 602 2589. We will continue to champion greater transparency and follow the UKSA intervention and expectations on communication closely, in line with our own work.

3. Data purposes misuse

It is surprising to us that there is no mention in the review of the ongoing misuse of national pupil data for the purposes it is collected under the Education Act 1996 (s537a), by using it for bulk shares for the purposes of Home Office immigration enforcement. Although schools must no longer collect nationality data, the monthly transfers of name, date of birth and gender, home and school addresses continue. This ongoing use must end. A coalition of campaigners led by Against Borders for Children, continues to call for the deletion of the data collected to date, for the SI to be revoked, in order to safeguard children from this use, and potential uses in future by other governments.

If this does not end, then it is likely the National Pupil Database will no longer be considered a research database at all, but for operational purposes, and lose the research exemptions DfE applies today including, indefinite data retention and will instead have to accept a much shorter operational data retention period for research.

4. Identifiability in public guidance

Incorporation of the identifiability spectrum about personal data, and its suggested terms for different levels of data, into materials about NPD, and other relevant materials about data would be helpful, but only if it is universally comparable. It is unhelpful, even to the point of being misleading, if documentation uses language that is different from where is is commonly understood with a lawful underpinning, such as in the Data Protection Act 2018 and GDPR. Terms such as ‘depersonalised’ in Wellcome Trust’s Understanding Patient Data programme are meaningless in such areas, and therefore misleading to the reader, especially since pseudonymous data under data protection law are still considered personal data. There must be consistent terms that are clear and honest and do not seek to make data sharing which has known risks, appear more palatable to the public. Any attempt that could appear to want to downplay risks, will not be trustworthy. We hope to resolve this ahead of the stated ‘planned December publication.’

5. Data safeguarding and legal compliance of the Alternative Provision Census

There has still been a) no Data Protection Impact Assessment and b) no communication to families, as was recommended by the UKSA in March.

We believe both of these should take place before the next collection in January — the second of the new AP census collections. Our legal challenge is still open, as we have recently received an ICO response, and we are preparing a further complaint to the ICO in this regard. Despite their simultaneous involvement in September 2017 — before the expanded AP census collection took place — no fair processing was required of the Department, and no DPIA was done, which highlights a secondary area of concern that we have regards the ability of the ICO to be both the DfE ‘go-to’ for advice, *and* entirely independent effective regulator.

We fully understand and support the needs of data users, such as the Children’s Commissioner staff we spoke with earlier this year. We understand the UKSA who has spoken to “data users who highlighted the need for more data to be available about vulnerable children to better understand their needs and improve their outcomes.” But we remain firm that one does not better support some of children’s rights, by trampling over others. There was no reason why fair processing should not have taken place of these extremely sensitive data, and one year on, we are still working in this effort in our #LabelsLastaLifetime campaign.

6. The new Data Sharing Approval Panel

This group oversee all external requests for personal data held by DfE now includes two external members. DfE are still seeking a third panel member, and we have proposed that this must be filled by a person of professional ethics calibre, and that there should be an open recruitment process.

7. Data Ethics

The data ethics round table held in February 2018, at the Royal Society, involved external data users and other organisations. For the record, defenddigitalme was explicitly not invited to this, which would seem counter productive given the knowledge level about the National Pupil Database in most third-parties.

Ethics is currently a large gap on the data distribution approvals process, and cannot be filled by lay expertise, or another data sharing body or academic with an interest in ethics. The kinds of data sharing that already goes on and is likely to expand, linking with police national computer and justice data, with health, and sensitive longitudinal data demand a high calibre of qualified and professional ethics. Unlike academic data based projects, commercial companies have zero ethics research ethics councils (REC), or privacy and ethics requirement as part of their data request process. This practice is an outlier in how other data requests are considered across other government sectors such as health with the professional involvement of CAG (Confidentiality Advisory Group) as well as REC panels.

The two out of three non-DFE positions that have already been filled on the DSAP (Data Sharing Approvals Panel) are not with data ethics professionals, and a qualified position on this is imperative.

The DSAP also still requires adequate and published Terms of Reference, transparent meeting and decision criteria and outcome minutes, and publication of the privacy impact and ethics paperwork that requests are expected to make.

8. Onward brokerage

There is still no transparency of onward data sharing to unidentified third-parties such as sub-contractors, noted in the March letter of the Director General’s letter— onward sharing by the registered recipient, is not recorded or public and while DfE says “that onward data sharing with third-parties only happens in a small minority of cases when data are shared” — until it is transparent the facts are unknown.

While it appears the new External Data Shares will include more detail — there is no intention to document where this has gone in the past.

The Department responded to a parliamentary question by saying,”A full review of each underlying NPD data request to definitively quantify the number of instances which have involved sub-contracting or onward data share arrangements from an approved third-party organisation could only be provided at disproportionate cost.”

We welcome that this has changed going forwards, but much like the opening of the National Pupil Database in 2012, it should never have happened in the first place.