In the Year of GDPR, what progress have we made towards safer, fairer, more transparent use of children’s data in education in England?
Here’s a look at highlights from twelve months of work by us, and by others, and some hints of what lies ahead for 2019.
1. January 2018: The Fight for Fairness
In some ways we end the year, as we started, just when the Education Department had a new Secretary of State. We began with the fight for fairness in the Alternative Provision Census data collection, and #LabelsLastaLifetime campaign.
It is vital that it is made transparent why school exclusions are rocketing. A TES investigation last year found that the number of permanent exclusions in some areas rose by as much as 300 per cent in a year. PEx is one of eight reasons or transfer, alongside pregnancy, mental health and more, now assigned by the Local Authority. But why will no one tell the families which one has been recorded on each child’s record, how long it is kept, and who will have access to it?
On January 17, 2019, Local Authorities will again assign the labels that parents may never see. We are still challenging Local Authorities and the Department to treat families fairly. Children and families must be told what these records about them say, before it is shared.
Also in January, we kicked off our participation in over 12 public events this year, by talking to teachers on Key Steps Towards Better Pupil Data and Why we Need to Take Them, at the Equalities Conference in Oxford.
2. February 2018: Digital Footprint control
In February we commissioned a poll through Survation of parents of state educated children (5-18) in England. We found that only half of parents agree they have enough control of their child’s digital footprint in schools. Coming only 3 months before the enforcement of the General Data Protection Regulation (GDPR), this pointed to a widespread problem of lack of transparent information available to children and families.
Over the last ten years, state collections of children’s and staff personal data have increased incrementally. Access to pupil data by commercial companies through schools has increased in parallel. Both have had little external scrutiny. Expect this to change in 2019, and enforcement as GDPR expectations become embedded.
3. March 2018: Recommendations for Policy Makers and Data Protection Bill
We organised an event in Parliament, against the backdrop questions over apps in education, of cyber security threats in schools on the rise, and news of UK school CCTV set up so insecurely that it was live-streaming on US websites. We recommended the development of a statutory Code of Practice in Education, for the Data Protection Act. Although it was debated at the closing stages of the Bill, the government did not accept the amendment.
There is however a growing acceptance that clarity, confidence, and consistency in data sharing practices concerning children in schools are necessary. We expect more debate and a Statutory Code of Practice for Schools to come in 2019.
We went on to publish the State of Data 2018 report, and copies were sent to MPs thanks to the Lush Charity Pot. A look at the breadth of the education data landscape in England is still to come in 2019.
Events included speaking to local authority staff in Preston at the IRMS North event, with thanks to the hosts for their undying enthusiasm for data protection and privacy.
4. April: a win for Against Borders for Children and #BoycottSchoolCensus
In April the Department for Education ended the divisive pupil nationality data collection.
The expansion of the school census in 2016, to collect country-of-birth and nationality “immigration data” from every child age 2-19 ended after a disastrous breach of trust between schools and government. Our timeline tells the full story in detail.
The #BoycottSchoolCensus campaign continues in 2019 led by Against Borders for Children, calling for the data collected to date to be deleted, and regulations revoked.
Children’s personal data, collected in the school census for education purposes, continues to be used for immigration purposes monthly, under ongoing data sharing arrangements. And the scandalous Data Protection Act exemption the government introduced will be used for school pupils’ records, to find family members according to Victoria Atkins.
Jen spoke at the British and Irish Law, Education and Technology Association annual conference, in Aberdeen, Scotland.
5. May: A Safer National Pupil Database
The sharing of identifying pupils’ personal data with third parties was put on hold. The Department for Education halted the distribution of personal information about school children in England, to align with a Five Safes model, according to the Office for Statistics Regulation recommendations. This was a huge step forward for safer pupil data.
This will continue to be a focus for us in 2019.
Our Director Jen, went to RightsCon in Toronto, to discuss a rights based approach, youth autonomy and surveillance culture, with thanks to IFEX for the invitation, and CRIN, the Child Rights International Network.
6. June: Legislation loosened Higher Education Student and staff Data Controls
New secondary legislation was introduced to permit the Office for Students (OfS) to share data with third parties such as Pearson, the education company, as well as the Student Loans Company (SLC), HMRC and the Competition and Markets Authority. The Commons legislation committee went on to debate the changes for a half hour in July after little chance for up front scrutiny. This type of lawmaking in unsuited to national data collections without any impact assessment of data protection or human rights.
The purposes written into legislation were left wide open based on the ‘company articles’. But Minister for Higher Education, Sam Gymiyah, assured the committee that the OfS, “will certainly not share personal data with Pearson for Pearson’s profit”.
It became clearer only later through FOI, that while there are few limitations in the law, the agreed purposes behind the scenes was focussed on fraud detection. We await updated information on this from various providers including the SLC in 2019.
It was also fun and a privilege to take part in the Cheltenham, FestABLE National Festival of Specialist Learning, listening to, learning from, and talking to fantastic families interested in the collection and use of Alternative Provision and SEND data.
7. July: #MyRecordsMyRights
We worked together with students at the UCL ActiveCitizenship Strand Global Citizen summer programme over the course of two weeks. They created a short animation, about how to find out how your personal data are collected in education, #MyRecordsMyRights. The DfE cannot support Subject Access Requests at any scale yet, and it needs to change.
Capita SIMS — information management supplier in the UK to 21,000 schools — announced that it had a national schools’ data and IT issue affecting potentially hundreds of thousands of children’s records in England and Wales created by a patch months earlier, and needed manual fixes, exposing some of the problems with data correction at scale.
We welcomed others’ work to champion children’s rights in the digital environment. The Council of Europe Recommendation to member States provides comprehensive guidelines for action by European governments, on privacy, freedom of expression, and participation, building on international and European legal instruments
8. August: A Hot Summer, including the Hostile Environment and Human Rights
As the exam results drew closer we found little available information how personal data were handled by exam providers. In particular boards were not keen to release details of how informed candidates and settings are of board policy and how if at all, the papers may be a) processed in or outside the UK and b) for any secondary purposes.
Exam providers are not a public body for the purposes of the Freedom of Information Act 2000 and as such, are not subject to it.
Events included a talk at Electromagnetic Field Camp in Wales, on the Age Appropriate Code of Practice for Design Online, and chairing a panel of human rights champions and journalists at Byline Festival back in Sussex, on Data Rights in the Hostile Environment.
9. September: Back to Schools
The DfE reopened data extracts from the National Pupil Database (NPD), School Workforce, Individualised Learner Record and Higher Education Statistics Agency. The intention is for most applications to be met though the ONS Secure Research Service.
We held a meeting of children’s charities, digital and child rights’ advocates, to contribute to the preparation of submissions to the ICO Statutory Age Appropriate Code of Practice (Data Protection Act 2018) consultation. The draft Code is expected in 2019.
And at ResearchEd we contributed a session on GDPR with a working Q&A Drop-in, and a whistlestop tour of the changes in national pupil data management and its implications.
10. October: Battles for audience attention
Researchers at Oxford warned that data harvesting and sharing by mobile apps is “out of control”, after their study of nearly a million apps. They found that apps aimed at children were among those that shared information with the largest number of trackers.
The Education Select Committee evidence session on October 30, 2018, with the Student Loans Company (SLC), drew our attention once again to the new secondary legislation on Higher Education data sharing between the OfS and SLC. The “KGB tactics” outed in the Student Loans surveillance model demands ongoing review in 2019 for its implications of data sharing across government for the purposes of fraud detection.
Jen had a terrific time on a panel with Bernadka Dubicka, Julia Hobsbawm and Ken McLaughlin to debate whether Social Media was Corrupting Young Minds at The Battle of Ideas in London. It was party conference season. And supported by EPIC, she wrapped up the month in the European Parliament in Brussels, at the 40th International Conference of Data Protection and Privacy Commissioners.
11. November: Policy calls
Together with Against Borders for Children we wrote a letter to 1,000 MPs and members of the House of Lords to raise awareness of the ongoing national pupil data sharing by the Department for Education with the Home Office for immigration enforcement purposes, which began in secret in 2015. We asked for support of a three point plan in 2019.
The Children’s Commissioner published the report Who Knows what About me which begins to show how children’s data is routinely collected online, and highlighted that today’s children are among the first to be ‘datafied’ from birth, including in schools. She made recommendations for the Centre for Data Ethics and Innovation, for Government, and companies, including the need to review and refine data protection legislation for children.
The Surveillance Camera Commissioner called on government to expand his remit to incorporate education where systems under Section 29(6) Protection of Freedoms Act are used. But “This has not been accepted [by government] at this stage.”
Other discussions included our participation in the APPG Data and Technology Ethics Inquiry roundtable on Education. We delivered a talk to the engaging School Data Conference 2018 in London, and travelled to Rotherham, for the first of DfE EdTech roadshows, after the Secretary of State for Education, Damian Hinds challenged the tech industry to launch an education revolution for schools, colleges and universities.
12. December: Where are we now?
The first publication of external data releases tracking the distribution from the National Pupil Database, came out, since the September introduction of the new safe setting model. It showed that while progress is positive, many releases still outside the five safes, and that much work remains to be done for change in 2019. This includes work on Subject Access rights.
Predictions for 2019
For National Pupil Data, there’s further challenge ahead on the retention of nationality data, on #LabelsLastaLifetime, and more broadly on the lack of communication and fairness of the collection and distribution of pupil data at national level.
In Higher Education, the Augur Review expected in early 2019, may or may not challenge the capability of the much caveated, but more often misunderstood Longitudinal Educational Outcomes (LEO) dataset.
The use of data analytics in Higher Education will also no doubt get further review, under the APPG data analytics consultation closing in January.
Predictive uses of children’s data and data analytics from a social justice perspective will be areas of increased scrutiny in 2019. Councils, citing grounds of national security, unreasonably refuse any transparency at all about the transfer of personal data from the education sector, under safeguarding purposes. We will be challenging some of this.
More broadly, there will be continued scrutiny of apps and edTech and third parties processing children’s data.
Two publications will affect children’s digital rights, the balance of participation, protection and privacy on social media and beyond. The ICO will publish its Age Appropriate Code of Practice, and the government will release a White Paper on Online Harms. There is great potential here for good, and also great risk of getting it horribly wrong for children, with wider unintended consequences. We hope that constructive answers to meaningful questions of what better looks like for children online, will come out of the documents, rather than only addressing the current set of symptoms, or politics.
So, that’s only up to April. And who knows how an adequacy decision may fall, or how the use of children’s data in the pursuit of immigration control may hinge on political change, and developments in the UK withdrawal from the EU.
Thank you to our funder the Joseph Rowntree Reform Trust, our Directors, all our supporters and volunteers, seen and unseen for your work, collaboration, support and trust through 2018. Thank you for your donations and to our crowdfunders. To you and all the academics, board members, companies, civil servants, school staff, parents, parliamentarians, providers, young people and anyone else we’ve worked with over the last twelve months and not mentioned so far, we wish everyone a very Happy New Year.
Here’s to a more safe, fair and transparent 2019.