Children’s Commissioner concerns on school children’s data

We welcome the Children’s Commissioner report Who knows what about me which shows how children’s data is routinely collected online.

The report points out that children are among the first to be ‘datafied’ from birth, including policy and practice in schools, and comments on the datafication of children in the education sector; school databases, classroom apps, and biometric data in schools.

Who knows what about me shows that we do not yet fully understand the lifetime implications of this datafication. Sensitive information about a child is used to create and infer profiles, and to make highly significant decisions about them, including from an early age in school.

Who Knows What About Me raises questions about collecting so much data about children and the effects on their freedom and independence, rightly pointing out that children are also becoming accustomed to routinely having their information shared about them, without asking why it is needed or what it will be used for.

But in this respect, the report does not go far enough to ensure that the responsibility for safe, fair and transparent use of their personal data does not rest with a child.

The Children’s Commissioner’s Office makes a number of recommendations to policy-makers, including that schools should teach children about how their data is collected and used and what they can do to take control of their data footprint. These lessons should cover information shared online, at home and outside the home. The report also recommends that the Government must urgently refine data protection legislation if GDPR does not prove adequate in practice.

We warmly welcome the Commissioner’s start to address this area of children’s rights. Research from DotEveryone recently revealed that the public care about their privacy, but have a low level of understanding of how technology works, or of the level of hidden tracking and profiling of data used from Internet connected technology, and the research says that accessible information is hard to find. But the recommendations and tips the Commissioner’s report gives to children and parents are ineffective for them in school settings, so we would welcome more attention in this area.

It is important to remember that in educational settings, use of children’s personal data is almost impossible to challenge. Children and families are disempowered, do not want to be seen to ask too many questions or be seen as difficult, and cannot control their own digital footprint in schools. The Right to Object under data protection law is yet to be offered or respected in any meaningful way, at local, regional or national levels. This must change. But it is impossible to know there is a right to object to data processing you don’t know exists.

From our research into data collection in schools, and the survey of parents of school children in England we commissioned earlier this year, we found that as many as one in four (24%) parents said they do not know if their child has been signed up to systems using personal data.

When asked how often they were told if their child’s personal data will be stored or transferred to third-party organisations through a school administration software or an online learning service, only 31% of parents said they were always informed of this. 23% said they were never informed of this, while 10% of parents replied, “Don’t know.” We also believe that many don’t know that they don’t know.

Parents don’t know how companies use children’s data passed on via school settings, whether from homework apps, the school census, biometrics in the canteen and library, or CCTV. Given that educational games and apps can be found leaking personal data freely, on an international scale, without adequate thought for security and privacy, parents have no way to understand who has information about their child. There are no standards on transparency to families about retention: how long schools or companies retain school children’s data, and how they meet data minimisation requirements under data protection law. The Department for Education very recently updated its guidance on GDPR compliance and added new recommendations for an annual review on data retention and destruction compliance. But only half of parents say they have been told how long CCTV images are kept, and we know not all CCTV data are kept securely. Recently some UK school CCTV was even found streaming onto US websites.

Our further research with over 400 schools and staff suggests that a child will commonly have been signed up to over ten apps and platforms before leaving primary school. Parents who don’t even know their child uses an app will not have been told that its providers may be located in the US, China, Russia, or send a parent’s email and home address to the third-party company.

The Children’s Commissioner indirectly references analysis of school practices routinely using biometrics, carried out by Pippa King of Biometrics-in-Schools. Our survey found that although the Protection of Freedoms Act passed in 2012 requires parental consent, over 38% of parents where biometrics is being used in practice said they had not been offered any choice. We also believe this means that children eligible for free school meals have their human rights to privacy, and their rights under the Act, denied where no alternative, such as a card system, is offered rather than the use of a fingerprint.

School staff also record an enormous volume of information on children’s records: teacher-based opinions, system-generated profiles, progress, risk and RAG scores, or benchmarking comparisons within the class and the country. A huge volume of data is generated at pupil named level for tracking accountability measures, and statutory census collections from age 2, or at the touch of a button on behaviours in the classroom, which can be widely shared and viewed by other staff, or transferred between schools. Almost none of this is information provided by the parents or child, or ever seen by them. There is generally no choice or ability to refuse data collection as part of education or care. They cannot see how data provided or created by others are re-used after collection, beyond what is assumed to be only for their direct receipt of a service, i.e. data provided to a school for teaching their child are in fact used by thousands of other people and can be passed on in local and national government, to researchers, and to companies.

The report mentions the National Pupil Database, but does not reference its extensive distribution, or give any appreciation of its size of 23 million named and lifetime records. These data, despite great improvement recently and a shift to a new model after our campaign efforts, are still copied and given away to third parties. Our survey found 69% of parents asked did not know about it at all.

We need urgent but carefully targeted changes of policy and practice regards safeguarding school children’s digital rights, data privacy, and data protection. But we also need a fundamental joined-up approach of the ethical dimensions of datafication. What level of predictive profiling or turning our children into consumers in school settings is acceptable?

There is currently no oversight of the digital exploitation of our children for profit, handed to companies through school sign-ups. For example, advertising in apps and platforms used in schools. Parents receive direct marketing straight to their phones via their child’s school’s cashless payment system, communications or homework app. Should behavioural profiling, especially where the profiles and their decision-making inputs are automated or black-boxed, be banned to support GDPR recital 71 and Article 38?

Children’s rights under GDPR and the UNCRC must be respected and enforced.

A first step towards better practice would be for schools to consistently carry out informed Data Protection Impact Assessments of any new tools. All too often, even IT staff can have a limited view of how a company may use children’s personal data behind the scenes, and do not adequately question a company’s carefully drafted terms and conditions. Teachers cannot be expected to carry out this level of scrutiny, but accepting this should mean they do not sign children up to third-party apps or suppliers without sufficient scrutiny and oversight by those who can, and that any new edTech adoption process includes parental and governor transparency and approval.

We believe that parents and children have lost control of their digital footprint by a child’s 5th birthday due to national and local policy and practice in education. This needs urgent action since children and parents have no influence over which systems are used in schools, cannot freely refuse consent, and are poorly informed about which personal data has been sent to them from the extensive school information management system.

defenddigitalme wants education providers to be required to provide an annual report to children that would show which third parties have been given what of their personal data, for what purpose and for how long, with strict and narrow exemptions to what parents are told, for children at risk for example. This audit report should be an automatic safety feature of school information management systems (such as Capita SIMS mentioned in the Commissioner’s report), not mean additional costs for schools. It should not create new workload or cost, but be consistent across the sector. The same report should be available to download on demand by a child or parent at any time. This would support them to know who knows what about me — and support schools in meeting subject access requests, meeting their lawful requirements to inform about processing and to ensure accurate data, and enabling error correction, under data protection legislation.

The Commissioner’s report includes recommendations on legislation, but we suggest it is not a question necessarily of whether legislation is adequate, but that it is inadequate without a change of practice and enforcement. And that includes government that must further refine its own policies and practice, at all levels.

Regards national pupil data we call on the government to

  1. respect a child’s right to see their own national pupil record and meet Subject Access Requests
  2. actively inform parents and children how data are used; and respect the Right to Object to secondary uses of data at national level
  3. introduce a statutory Code of Practice for the education sector that will support schools and companies in applying data protection and privacy law with clarity, confidence, and consistency

The recommendations on improving children’s digital understanding, or parents being more cautious about what they share, are well placed, but responsibility can’t rest entirely, or sometimes at all, with the consumer, parent, or child.

Recommendations alone won’t fix companies doing bad things if they’re careless or creepy, or whose business model is to exploit children’s data (created we might add, through taxpayer funded time and teachers) to develop their products, or get free access to their parents for commercial purposes. That’s where we need to see enforcement of existing legislation.

Improving children’s knowledge by teaching them their rights would be beneficial but at the moment there is no funding, or capacity in the curriculum or workforce, and no consistent data protection and rights training as part of basic teacher training or CPD. We need the infrastructure to support teachers’ own capacity and knowledge, to enable the learning needs of our children. We would welcome changes to make this happen.

We warmly welcome the Children’s Commissioner’s start to address this area of children’s rights, and look forward to more in future.

defenddigitalme commissioned the survey from Survation as part of research for an upcoming report, The State of Data 2018: New rights and responsibilities, a review of children’s data privacy and protection in England.

An interim report for policymakers was sent to every MP in May 2018 during their shaping of the Data Protection Act 2018. The full report is planned for early 2019.


 

Survation Methodology

Contact Survation

For more information please email chris.hopkins [at] survation.com or call 0203 818 9661.

Full tables are available here: http://survation.com/wp-content/uploads/2018/03/Defend-Digital-Me-Final-Tables.pdf

Personal data was defined as any information that can be used to identify a child.

The polling was carried out by Survation, on behalf of defenddigitalme, between 17th-20th February. The survey was conducted online with a sample size of 1,004 parents of children aged 5-18 in state education in England. Survation is a member of the British Polling Council and abides by its rules.

The Data Protection Act

New data protection laws under the UK Data Protection Act 2018 and GDPR became enforceable from May 2018.

UK Act: http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted/data.htm

GDPR: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en