News / National Pupil Database

Scope creep in National Pupil Database now means names released

In case you ever wondered what scope creep means, and why it matters so much to pin it down, look at the National Pupil Database in England.
Scope creep means the expansion of what information can be collected or accessed, scope creep can also be in the purposes why people may use data or for what, and scope creep may mean the expansion of who can access data, the types of users.
In 2002 MPs in the House of Commons were assured on the “Central Pupil Database”:

“The Department has no interest in the identity of individual pupils as such, and will be using the database solely for statistical purposes, with only technical staff directly engaged in the data collation process having access to pupil names.” [Hansard, Jan 28th 2002]

Fast forward to 2014, and look at releases. Data released are not ‘statistical’ but fully identifiable names, in the clear.  Not only ‘technical staff’, but a range of third parties using children’s names extracted from the database. And The Department and Cabinet Office are ‘interested in the identity of individual pupils’, examining data with other programmes like Troubled Families and National Citizens’ Service.
For example, in June 2011, and 2013 the Cabinet Office extracted the names and addresses of 16-18 year olds, for piloting an approach looking at the completeness of the electoral register.[missing from release register but comment in FOI, p8/36]

October 2013 Key stage 2 data (juniors) were matched to information on examination performance held within AQA’ databases, using a candidate’s name and date of birth. [line 209]

In February 2014, the IoE got the names of year 7 pupils (age 11) in England given to researchers for a named maths survey, and to measure prior attainment of children at Key Stage 2. [line 288]

And NPD data have been matched with health data, for a named survey What About Youth. Created by extracting named pupil data, and matching it with HSCIC held data in 2014 for an intensely detailed questionnaire social survey mailshot to the homes of 15 year old pupils. Almost 300,000 of them according to the published report. “Parents or carers of the selected sample were sent a separate pre- notification letter at the same time as the selected respondents, giving them the opportunity to opt their child out of the survey.”

Overall, these case studies are not to show harm resulting from the release of names from the National Pupil Database, but scope creep.

Scope creep of WHAT data may be accessed, in this case, name.

Scope creep of WHO may access data. From having no interest in names, names are now given out to third parties including government Departments, without consent.

Scope creep of WHY they may access data. What has crept from being for ‘statistical purposes’ is now much broader, to “research” meaning commercial releases and press given access to ‘highly sensitive’ personal data.

Harm may not have been identified, and without audit it is hard to know whether there may or may not have been misuse, but risk is clear. Risk of named data and identifiable data being compromised is increased especially when released outside a safe setting. And the more data you release to more people, for wider purposes, to more settings, the more that risk increases.

What could future scope creep include, why, and to whom?

Data held indefinitely, on a central database of 20 million people that is ever growing, on which scope creep has apparently no limits, needs transparency and oversight.

Disclosure in identifiable form to third parties, including name, continues without consent and outside safe settings.


The text below is taken from Hansard January 28th 2002 :col 109 -111

Central Pupil Database
“Mr. Lidington: To ask the Secretary of State for Education and Skills (1) which organisations and individuals will have access to the personal details of pupils stored on the central pupil database; [29372]

    • (2) who will have responsibility for approving requests for access to information held on the central pupil database; [29373]

(3) if it is her policy to destroy files on the central pupil database which relate to pupils who leave the state education system. [29370]

Mr. Timms [holding answer 22 January 2002]: The central pupil database will contain statistical profiles of pupils in England, built up over time from the “Pupil Level Annual Schools Census” (PLASC) returns which maintained schools will provide each January from January 2002, plus details of Key Stage assessment and examination results obtained separately from schools, marking agencies or examination boards. In order for these profiles to be accurate pupil names are needed to help ensure that all data relating to the same pupil are collated correctly.

Access to the personal details of pupils
The Department has no interest in the identity of individual pupils as such, and will be using the database solely for statistical purposes, with only technical staff directly engaged in the data collation process having access to pupil names.

Any disclosures of personal data (ie data including names or other details that would enable the recipient to determine the identity of individual pupils) will have to comply with the Data Protection Act 1998 and any other legislation relevant to the particular case. Subject to this proviso, organisations or individuals who may have access to personal data are as follows:

  1. the pupil (or their parents or guardians) will be able to request a copy of their own record in order to confirm its accuracy;
  2. in the case of a child in local authority care, the local authority social services department will, as the child’s “corporate parent”, be able to obtain a copy of that child’s record;
  3. schools and LEAs will be able to obtain information about their own pupils to which they have a statutory entitlement but may be missing (for example as a result of pupil mobility);
  4. requests from research organisations will be considered by the Secretary of State if, for a specific research project, pupil names are needed in order to link information from the central database with other information obtained by the research organisation via a separate survey

Approval of requests for access to personal data.
No disclosures of personal data beyond those listed above are anticipated at this time. Should future developments indicate that further disclosures may be appropriate, these will be considered by the Secretary of State on their merits, subject to the overriding requirement to comply with the Data Protection Act and any other relevant legislation.

With respect to (4) above, requests from research organisations, the precise arrangements for considering whether or not to approve such requests have yet to be decided. However the factors likely to be taken into account are:

  • the bona fides of the research and the organisation undertaking it;
  • a demonstrable need for information including pupil names (in many cases anonymised information may be sufficient);
  • a willingness by the research organisation to take all reasonable steps to inform schools of the research and involve them in it;
  • satisfactory assurances from the research organisation with regard to storing the information securely, using it only for the approved research purpose, disposing of it when that research has been completed, and not passing it on to any other person or organisation.

In cases of doubt on any of these points, the Department would expect to err on the side of caution.

Policy with respect to pupils leaving the state education system

28 Jan 2002 : Column 111W
The Department does not intend to delete the records of pupils who leave the maintained schools sector, either at age 16 or 18, or before then.

Information for these pupils remains of statistical and research value—for example to analyse young people’s progression from school into further education and training, higher education and the labour market.

The Department will be using information on past pupils for statistical and research purposes only, and any disclosures will be for those purposes only. On this basis section 33 of the Data Protection Act allows personal data to be retained indefinitely.”