What does the National Pupil Database hold about me?

What data do you hold and share with third parties about my children?

After I asked the Department for Education (DfE) in September 2014 how they looked after our school children’s data in the National Pupil Database (NPD) and was surprised by the response, I decided to find out exactly what data they held on my own children. So in April 2015 I made a subject access request (SAR), expecting to see the data they held about attainment, various school and personal data. They directed me to ask my children’s school instead and to ask for their educational record. The difficulty with that is, it’s a different dataset.

My school is not the data controller of the National Pupil Database. I am not asking for a copy of my children’s educational records held by the school, but what information that the NPD holds about me and my children. One set of data may feed the other but they are separately managed. The NPD is the data controller for that data it holds and as such I believe has data controller responsibility for it, not the school they attend.

Why do I care? Well for starters, I want to know if the data are accurate.  And I want to know who else has access to it and for what purposes – school can’t tell me that. They certainly couldn’t two months ago, as school had no idea the NPD existed.

I went on to ask the DfE for a copy of the publicly accessible subject access request (SAR) policy and procedures, aware that I was asking on behalf of my children. I couldn’t find any guidance, so asked for the SAR policy. They helpfully provided some advice, but I was then told:

“The department does not have a publicly accessible standard SAR policy and procedures document.”  and “there is not an expectation that NPD data be made available for release in response to a SAR.”

On the DfE website a Personal Information Charter sets out “what you can expect when we ask for and hold your personal information.” It says: “Under the terms of the Data Protection Act 1998, you’re entitled to ask us:

• if we’re processing your personal data
• to give you a description of the data we hold about you, the reasons why we’re holding it and any recipient we may disclose it to (eg Ofsted)
• for a copy of your personal data and any details of its source

You’re also entitled to ask us to change the information we hold about you, if it is wrong.

To ask to see your personal data (make a ‘subject access request’), or to ask for clarification about our processing of your personal data, contact us via the question option on our contact form and select ‘other’.”

So I did. But it seems while it applies to that project,  Subject Access Request is not to apply to the data they hold in the NPD. And they finally rejected my request last week, stating it is exempt:

I appealed the decision on the basis that the section 33 Data Protection Act criteria given, are not met:

“the data subject was made fully aware of the use(s) of their personal data (in the form of a privacy notice)”

And it remains rejected.

It seems incomprehensible that third parties can access my children’s data, that journalists would be given their data, and I can’t even check to see if it is correct.

While acknowledging section 7 of the Data Protection Act 1998 (DPA) “an individual has the right to ask an organisation to provide them with information they hold which identifies them and, in certain circumstances, a parent can make such a request on behalf of a child” they refused, citing the Research, History and Statistics exemption (i.e. section 33(4) of the DPA).

The refusal seems incorrect and out of touch. At a time when public confidence in data sharing is uncertain, government departments and other organisations should be doing all they can to be seen as trustworthy. Hiding things and sticking your head in the sand about known issues are unlikely to achieve that.

I believe pupils and parents, with the right safeguards in place as for other SAR processes, should be able to ask the DfE:

a) To receive a copy of the information they hold on us.

b) To be entitled to ask the DfE to change the information, if it is wrong.

c) To get a description of the data, the reasons why they’re holding it and any recipient they may disclose it to.

This would help children and parents understand what data is held, how it is used, who may access it and why. That is what we should be able to expect of good data management in the 21st century.

***

This post is mostly taken from an original post written in July 2015. The Information Commissioner’s Office has since taken up my case on Subject Access Request.