Twenty million pupils’ identifiable data handed out from the National Pupil Database

Mr Gove was Secretary of State for Education in 2013 when the legislative changes were made to permit the release of children’s individual level data from the National Pupil Database. Yet only 4 years earlier in 2009 he had said:

“We will spend less on vast centralised IT databases which always go expensively wrong, such as the misguided effort to log every child in the country through the Contactpoint system.

“I say every child but of course the children of celebrities and MPs will be able to be excluded in case of security breaches. Well if the system isn’t secure enough for me it isn’t secure enough for you, so it must go.”

When we asked the question at the Department for Education last October, how many children’s data are in the National Pupil Database, we were told “eight or nine million.”

We asked for confirmation by email, but never received a reply. So we asked via a Freedom of Information request [1], and a total of 19,807,973 records since 2000 was confirmed.

Twenty million. (Or as near as, and another intake will push it over in Sept 2016). The Department hasn’t published that number anywhere that we have seen to date. So much for transparency.

It is indeed a “vast centralised IT database.”

Twenty million individuals who have ever been in school in England since 2000, aged 2-19, have their personal identifiable details stored on this vast centralised database, without knowing how their data are used, and with little oversight. None may ever be deleted.

The Department wrote, the “DfE does not have a documented retention period for the NPD records it holds. Initially, the data is used both for operational purposes (for example, to allocate funding or to enable effective operations in schools) and analytical purposes, after which it is retained over a longer timeframe for historical, statistical or research purposes. The Data Protection Act contains an exemption (s33(3)) that allows us to keep the data indefinitely for historical, statistical or research purposes.”

The Department uses the Research exemption s33 of the Data Protection Act to keep data indefinitely. They used the same clause to deny parents subject access requests to understand what the NPD stores about our own children or check that it is accurate.

But the Department also knowingly fails to meet Fair Processing, principle 1 of the Data Protection Act. Its own 2015-16 Department video advising schools how to complete the census fails to mention any onward sharing of pupils’ information to commercial third parties or press. As does their template privacy notice for schools.

Everyone has the right to be informed who is given their identifiable data and for what purpose, and to be told if that changes. There should be no surprises.

Parents and teachers are surprised to find out that, since 2012, identifiable data are being handed out to a wide range of settings including Fleet Street [2] and television journalists, the desks of commercial third parties, charities, think-tanks, and ‘one-man shows’.

This is not practice or policy fit for the sensitivity and volume of identifiable data being released.

It shows loss of control of our children’s confidential records at massive scale. When we asked last July, the Department had never done a single audit of any recipient [3]. There is no independent picture of whether data have been re-used, or sold, or lost, by any of the over 500 data recipients since 2012. At least one newspaper we know of, which was given over 10 million children’s sensitive data, hadn’t confirmed that it had destroyed the data more than 18 months after it should have done so.

Will the National Pupil Database continue to grow indefinitely, giving population-wide personal data to commercial third parties without consent as long as the Department can justify it under purposes of ‘promoting the education and well being of children’?

The releases continue.
[1] Total pupil numbers in the National Pupil Database confirmed:
[2] The Times identifiable and sensitive data request:
[3] FOI confirmed zero audits pre-August 2015: