The “KGB tactics” outed in the Student Loans surveillance model demand urgent review for their implications for data sharing across government for the purposes of fraud detection.
After the Education Select Committee evidence session on October 30, 2018, with the Student Loans Company (SLC), our attention is drawn once again to the new secondary legislation on data sharing between the OfS and SLC.
We are deeply concerned
a) over the lack of definition or limitations on data sharing scope and purposes in the legislation, for the functions not primarily of the OfS but of the other body.
b) to learn that the Student Loans Company surveillance model might find acceptance and become the norm across government, in a new Government Counter Fraud profession, as the SLC tweet on October 9, 2018 suggested.
Transparent review of these policies and practice is therefore all the more urgent, and goes beyond the SLC and estranged students.
Social media surveillance fundamentally rides roughshod over Data Protection law, ignores ethics and human rights, and, in this case, lacks any sense of proportion and cost/benefit given the tiny numbers involved. The SLC attitude was shocking to many beyond belief, rightly condemned by senior MPs as “sinister, KGB knock-on-the-door” tactics. The SLC has denied funding and caused great harms while its investigations lasted months, with the amount in question as small as a £70 one-off Christmas cash gift from an estranged parent.
Using students’ / applicants’ personal data on social media is not lawful for just any purpose, despite the claims of Christian Brodie, the SLC chairman, that it regarded Facebook accounts as a public source of information, and, “they must expect that will be looked at.” It is also likely that the SLC not only “looked at” those profiles, but collected data from them, and made profiles and inferences from them, creating new data for which they became the data controller.
We have some questions.
We would also like to know what this policy and practice (to date opaque and unpublished) means for the data sharing intent between the OfS and SLC using new regulations.
Did the government just pass a law that will make this kind of surveillance and its sharing even more common?
In that debate, Shadow Minister for Higher Education Gordon Marsden MP said [col 7], “It is unclear whether what the Department is doing is necessary to create a new and very broad legal basis for the purposes of data sharing—compared with, say, a contract—or whether it is seeking to legitimise existing data-sharing practices around the denial of funding, which may previously have avoided scrutiny.”
The Minister said [Col 9] that it was necessary to enable the OfS to do “things it would not be able to do properly if these regulations were not put in place. I am sure they will also agree that the OFS should be able to look into suspected fraud.” What exact things? What was not already lawful between these bodies that needed new regulations?
The Digital Economy Act 2017, not a year earlier, already gave the SLC enormous new powers for both debt and fraud. The Student Loans Company was already listed in Schedule 8 of the DE Act, as one of the very many prescribed relevant persons (bodies) for the purposes of fraud. What additional fraud purposes do the further new Regulations 607/2018 create for the SLC that were not already in Part 5 of the Digital Economy Act, set up for exactly that?
Measurable harms from these practices for the publicised cases of estranged students have been immense while no grounds for the curtain-twitching Stasi-style spying were proven. The sneaky SLC practices should clearly breach the Digital Economy Act Part 5 related statutory Code of Practice on data sharing for such purposes. And if not, then scrap any notion of data ethics having any support in government.
The negative Statutory Instrument, the Higher Education and Research Act (Cooperation and Information Sharing) Regulations 2018 (SI 607/2018), was rushed in over three weeks in May, and lists the Student Loans Company as a relevant person (body) among the dozen listed, for the purposes of section 63 of the regulations, relevant to the Higher Education and Research Act 2017.
The Explanatory Memorandum of the Regulation had stated that consultation took place widely within DfE and with HEFCE during Autumn 2017 to ascertain the bodies that HEFCE had historically shared information with and any new types of information sharing which would be needed by the OfS in future.
“The purpose of the information sharing, and whether it would be primarily for OfS functions or the functions of the other body was then determined through a further round of consultations within both the Department for Education and the bodies themselves between January and March 2018.”
We asked therefore for the minutes from those meetings. We have since obtained some redacted minutes and notes from the meetings in the lead up to the formulation of the Regulations. The amount of redaction around HMRC and its data sharing purposes should be cause alone for many more questions to be asked. But what is also revealing is that the discussion notes clarify “whether it would be primarily for OfS functions or the functions of the other body.”
The Higher Education and Research Act 2017 (s63) enables the OfS to share information with these organisations where the information shared is primarily for the functions of the other body. The purposes set out in the Explanatory Memorandum as being for the purposes of the OfS may then very well be misleading. It’s not for the OfS, but for the purposes of the SLC, for HMRC or for Pearson et al, and importantly, those purposes are absent in any detail in the legislation, but are as set out in their company articles, for which you need to go looking. The Explanatory Notes, for example, show only page *one* of these Company Articles for Pearson Education Limited, but their Articles in fact have 4 pages, and the further objects include lending money, pensions, and promotion of any other companies seen “as desirable”.
Should this not have been made explicit on the face of the Act? Or explicit in this negative Statutory Instrument? It is shocking that these purposes are so opaque, given the implications for scale and privacy invasion. There was no Human Rights Assessment, or Data Protection and Privacy Impact Assessment made, of the Act or the Regulation as regards its data sharing intent. If they are primarily for the purposes NOT of the OfS but of the other bodies, this puts much more significance onto what those other bodies’ purposes are, and their limitations or lack of them.
Given the revelations around the Student Loans Company attitudes to data surveillance, its understanding of data use in law, and its implications for creating and sharing misinformation, denigrating reputations and really significant lifetime harms, this needs urgent review not only and most urgently for the purposes of fraud, but to prevent any other hidden or unexpected purposes now, or in the future.
The Statutory Instrument (SI) [link to download] 36.5 kB .pdf
Explanatory Notes [link to download] 778 kB .pdf
We have written about this previously, but summarise the issues again below, for those interested in the background.
What data can be shared is undefined and needs narrowed
In June, the Minister confirmed via PQ156350 that Section 63 does not place limitations on the type of information that may be shared, and therefore it could include any personal data sharing between the OfS and these bodies, or from these bodies to the OfS, relating to both Higher Education staff and students.
Why data can be shared and for what purposes is undefined and needs narrowed
The regulations 607/2018 have fundamental flaws and trash fundamental rights to privacy. The purposes for which these data may be used are open and vague, set out loosely in 7.6 of the Explanatory Notes as connected with the Articles and Objects of the prescribed persons, but are missing a great deal of information.
There are no safeguards in place to protect anonymity. There is no public transparency or accountability or oversight of its purposes or use. They have chosen not to publish the data sharing agreements.
Who data can be shared with is undefined and needs narrowed
It further permits, in the information duties of Clause 64 of the Act, the bodies to share data with the government, as the Secretary of State for Education. For example, for data about students’ attendance to be passed over from Pearson or the Student Loans Company or any of the other named bodies, to other government departments. Which ones is not clear.
This vagueness of the Instrument should be corrected. Its purposes should be explicit, and relate to each body’s functional capacity as a public body: for example, Pearson as a provider of HNC and HND exams, or the weights and measures (trading standards). Those for the SLC and HMRC should similarly be narrow and set out their necessity. The direction of information flow should be explicit, transparent, and “the information” should be defined.
What will it mean?
These new powers fundamentally change in law the way students’ and staff personal data can be shared with other government departments, public authorities, council trading standards, and with commercial companies explicitly named, including Pearson Ltd and the Student Loans Company among the others.
Understanding how our data is used and for what purpose not only matters but is generally required under the GDPR and UK Data Protection Bill. The Explanatory Notes (EN) say the users of the data have defined among themselves (8.1) what those uses will be, but they are not listed. On the contrary, it states explicitly that no guidance will be issued (9.1). So what will students be told?
This change to the Higher Education and Research Act 2017 means:
- Students and staff won’t have any control over the personal data they share with their university or during their university application process and it will be handed over without consent.
- Unidentified and unaccountable people at the controversial Office for Students will decide why students’ data is shared, when and how.
- Officials from a broad range of bodies will be able to get hold of that personal info.
- They won’t ever have to ask permission for using it with the new list of bodies.
- This will effectively remove students’ consent rights in England and Wales (including any students from anywhere, studying in those universities).
Gordon Marsden spoke in debate in 2016 about the risk to student data protection rights in the development of the Higher Education Act (https://goo.gl/KkpDZQ): “these clauses would give the state access to all university applicants’ full data in perpetuity, for users who would only be defined as “researchers” and without “research” being defined at all; that might be capable of being changed under the direction of the Secretary of State.”
We predicted this risk to rights during the Higher Education and Research Bill in 2016 and submitted evidence to the Bill committee.
Pearson Ltd is already among the recipients of over 1,000 releases of confidential school pupil records from age 2-19 approved by the Department for Education since March 2012. Anyone state educated and aged under 36 is one of the 23 million names stored in the National Pupil Database since 1996. Unlike Higher Education, the Department publishes details of the releases of data from nursery through secondary school in an online tracking register.
- third parties further distributing the data directly, or selling it as part of a company asset, as Pearson has done in the past
- potential uses to develop products that limit students’ life chances in their choices and access to institutions, courses, funding, and employment, once these data are distributed without public oversight
- knowledge gleaned from the data may give any single company a sizeable and unfair commercial competitive advantage in the sector over others,
- there is no transparent oversight or accountability for its future potential uses and scope creep.
Data sharing is necessary for education, but this is not for the direct purposes of education, because an SI in those cases would not be necessary. These appear to be further secondary uses, not directly for your education. Almost every day we hear how data we have shared has been stolen, breached, lost or hacked. As JISC reported, the increasing number of cyber threats reported in the UK aren’t just newsworthy, they’re also very real.
Commercial exploitation of personal confidential data should only be done with explicit consent, to respect young people’s fundamental rights and freedoms under GDPR Article 6.
The problem was identified before the regulations were made public and we became aware but pointed out the problem of Pearson singled out for extremely favourable terms.
Questions must be asked, and the Instrument annulled so that safeguards are put in place.
- What are the boundaries of the new purposes and its limitations? These must be set out in the legislation.
- Why will HMRC and the Student Loans and Health Education England get access to identifying data and with what transparency and oversight, now and of future changes?
- Why has Pearson been given this preferential treatment and commercial competitive advantage over other companies?
- Can there be no conflict of interest between the Chair, his previous role of 5 years with Pearson, and the new data receiving body?
- There has been no human rights assessment and therefore no measure of its privacy implications. The Explanatory Notes (10.4) state that the OfS has the responsibility for any privacy impact assessment. This is an abdication of responsibility, to create powers before understanding their significant effects.
- If this is purposed as fraud prevention, what is the extent of the problem, and is this a necessary and proportionate solution that will not infringe on the rights and freedoms of individuals?
Help us defend students’ rights and put an end to the government’s assumption it can trample over students’ digital and data protection rights without debate. Support the call for its annulment and for scrutiny and safeguards to be put in place, in a revised version.