News / National Pupil Database

#DataProtectionDay 2016: Five steps to improve pupil data

On Data Protection Day the news for children in England is that you appear to have very little. And when things go wrong there is next to no recourse.

Yesterday the DCMS had an evidence session in the “Cyber security: Protection of personal data online inquiry” with the Information Commissioner Office, to discuss the loss of personal data from

TalkTalk. The commission and Parliament have both discussed TalkTalk, involving 160,000 UK customers.

If MPs are concerned with the loss of personal data from TalkTalk, and concerned by breach of confidence, they must look on behalf of the 8+ million children in England, at Department for

Education policy and practices.

The third-party releases of children’s confidential, sensitive, individual-level identifiable personal data by the Department for Education (DfE) to Fleet Street and television journalists, commercial companies, and charities, breach confidence. All these releases are made without informed public consent.

While the breach of VTech Toys of 4.8 million parent accounts and 6.3 million related child profiles worldwide made the news, nothing has been done that helps children restore their digital integrity, or recourse for the ongoing harm affecting Christmas for many families in the UK**.

The Information Commissioner discussing TalkTalk suggested that consumers have the choice to withdraw from services and loss of reputation can harm a company.

What recourse is there for citizens whose data and digital identity are compromised through obligatory national government policy?

Five things the Committee might consider for protection of personal data

1. Start by making pupil data safe, restricting individual, and sensitive, and identifiable data access to safe settings for the National Pupil Database.

2. A national independent audit should be made of releases to date of data from the National Pupil Database and the reports published. As was a helpful and transparent starting point for improvement in health data use.

3. The transparency and consent recommendations of the Science and Technology Committee 2014 Report “Responsible Use of Data” should be enacted;
 “the Government has a clear responsibility to explain to the public how personal data is being used. The Government needs to lead the conversation around security of personal data.”

4. Consider a tool for individual audit to make transparent the state uses of personal data: a cross department data usage report, in effect a “bank statement” of personal data uses to build trust through transparency and involve us in understanding how our digital footprint fits into creating public benefit.
5. Independent privacy impact assessments should become a mandatory process step and published before children’s personal data are extracted and shared with new third-party projects at national or regional and local levels.

Steps must be taken in security, transparency and public engagement to shore up public trust to bridge the private and public interest. Trust is vital as the foundation for future datasharing as part of the critical infrastructure for any future digital strategy, whether for public or commercial application.

The Department has been aware of concerns around this sharing for some time, choosing to ignore them. Growing public awareness and disquiet on use of personal data makes the status quo unsustainable. New EU law sees the importance of consent, UK lawmakers must too.

Transparency improvements will not be enough. Not enough to make data safe.

Academics propose on child digital rights: “a new framework for child protection, provision and participation online that results in clear and effective policy that is born of real needs, targets specific and evidence-based risks, and includes measurable goals on which policy implementation is independently evaluated.

We also agree with the ODI, “in such a fast-moving world as that of online services we know that things will change. There should be a continuous and informed public debate about the legal limits on the use and sharing of personal data.”

This can and must be better. Informed public debate must start now.

**The commercial November 2015 breach of VTech Toys lost 4,8 million parent accounts and 6.3 million related child profiles worldwide; 560,487 (parent) and 727,155 (children’s) UK registered accounts. The commercial loss at VTech reportedly includes child profile photographs, personal details and location data.