‘Researchers’ overreach will put public trust at risk

Who is a “researcher”? and what are “research purposes”?
These are questions we have asked in recent discussions in the last two weeks to move forward the changes needed to make 20 million individuals in England’s personal confidential and sensitive data safe, and its use transparent.

Unconnected, the call by Tom Steinberg, for “a public technology Hippocratic oath” is timely.

Researchers this week risked jeopardising public trust in the academic worthiness and trustworthiness of bona fide research. Using publicly available data, they show how using information and techniques beyond the capability of most in the public, they could infer, mathematically, the likely identity of an individual who has tried to keep his identity private.

Good practice in handling data about people is guided by ethics and data protection principles. Just because data are in the public domain does not mean they are a free for all to use for whatever purposes you fancy.  Data Protection law applies to all personal data, and purposes matter.

“The requirement to process personal data fairly and lawfully is set out in the first data protection principle and is one of eight such principles at the heart of data protection. The main purpose of these principles is to protect the interests of the individuals whose personal data is being processed. They apply to everything you do with personal data, except where you are entitled to an exemption.”

Who has access to personal data about us directly from the National Pupil Database and why is all the more surprising then, if you consider that access to the very same data about our children, is currently more restricted elsewhere for other users; considered ‘bona fide researchers’, to keep data and pupils, safe.

Who is “a researcher”? What does the public reasonably expect?
To take one example, to become a qualified researcher to access ‘de-identified’ and linked public administrative data inside safe settings, there is a stringent process that includes training in safe data handling.

By complete contrast, untrained individuals, outside safe settings, are being given the confidential personal data of 20 million people without the public’s knowledge or consent.

Anyone can apply for 20 million individuals’ identifiable data and many people have been given data from the National Pupil Database who are not qualified researchers.

Further, contrasting two different processes for NPD releases, ethics committees review research projects to consider what impact and effect the project may have on people and their lives during and as a result of public interest research.

There is no trained ethics committee review for the releases of data directly from the National Pupil Database.

Just because you can do something, does not always mean you should. Why are these processes not consistently adhering to the highest possible standard?

Research access to Personal Data without consent is a Privilege
Information which parents give to schools for the specified purposes of children’s education and its administration – as well as that which schools create about pupils and staff – are given by the DfE to third party commercial companies, press, think tanks, and charities for other purposes without telling pupils and staff. This does not meet the fair processing required in Data Protection law.

This requirement was underlined by the CJEU ruling in 2015, on the duty of public bodies to ensure fair processing.

How this will tie in with the government’s new data sharing plans  open for discussion in the consultation closing on April 22nd 2016, remains to be seen.

Access to this national dataset has been exploited by the Department for Education through a combination of legal changes that expanded the purposes for data release and who data can be given to. But those purposes are not what pupils and parents expect. The public does not expect journalists or commercial users, charities or think-tanks to access data under the same umbrella of support we give academic research in the public interest. Many polls show this red line.

And while it seems the government may have outsourced some of the statistical analysis of the National Pupil Database to Fleet Street if DfE considers journalists who produce league tables and press stories ‘research’, they cannot outsource their responsibility for secure handling, confidentiality and fair processing.

Qualified researchers are privileged, to be granted access to that data without consent, for purposes the public would reasonably expect. This research while exempt from aspects of Data Protection law, is not given blanket exemption.

Academic researchers and the bodies that support them and ensure their ethics reviews must not lose sight of this, fundamental to public trust, while they strive to achieve their research objectives and publication.

It’s not only about who accesses our data, but the thinking behind its use.

When public bodies lose sight of this, and mislabel ‘research’ the result is selling our Higher Education data and giving away the personal data of 20 million people to Fleet Street papers, “to pick interesting cases/groups of students.“