
Pupil privacy in schools survey in response to national pupil policies

We are conducting an anonymous survey on schools' use of web monitoring and knowledge of the National Pupil Database. If you wish to take part, 5 questions are here.

Please contact us if you have any questions on the subjects. Thank you.


What is the National Pupil Database (NPD)?

The total of individual pupils named in the NPD at 28/12/2015 was nearly 20 million, at 19,807,973. No data have been destroyed since it began. It is population wide, growing, and is forever.

These identifiable data are shared with a range of third parties including commercial companies, charities and journalists, in addition to bona fide academic research groups.

The national database contains school pupils’ full educational record from age 2-19, since 2000 in England and Wales. It is created from all the named and individual personal data given to schools by parents, and the pupil data created in schools from testing and tracking. That includes attainment, absence, exclusions, sensitive data like ethnicity and date of birth, SEN, indicators of children in care or armed forces, and more. It is “one of the richest education datasets in the world” according to the Department for Education (DfE) NPD User Guide.

See our FAQs for more information and our case studies sheet.

An updated privacy notice template for schools to provide to pupils and parents was published in May 2016 by the DfE and includes a link to the third party release register showing to whom the DfE has given identifiable pupil data since 2012.

Mandatory web monitoring in schools opens a slippery can of worms

A version of this article was first published at Schools Week.

While the compulsory retention of every website visit for every person in the UK was recently debated and passed in the House of Commons in the Investigatory Powers Bill, the plans for statutory surveillance of every child’s Internet use, in schools and at home, have gone unnoticed.

Without Parliamentary or public discussion, our children’s Internet use will be monitored by third parties from September 2016. This is despite widespread concerns about the associated programme – including choking off free speech, religious freedom, and staff feeling vulnerable – presented to the Joint Select Committee for Human Rights by experts in education and security legislation.

The brief paragraph 75 in the Department for Education (DfE) “New measures to keep children safe online at school and at home” statutory guidance, Safeguarding in Schools, will impose a change from a duty ‘to consider’ to one that ‘should ensure’ web monitoring for educational establishments, excluding 16-19 academies and free schools.

The supporting advice to which the Government response points suggests actively monitoring all screen activity during a lesson from a central console using appropriate technology as a solution, even in circumstances that suggest low risk. It also says that logfile information should be able to identify an individual user, and be reviewed regularly. Pro-active monitoring is suggested where alerts are managed by a third-party provider.

This means lots for schools to think about.

“Whilst considering their responsibility to safeguard and promote the welfare of children, and provide them a safe environment in which to learn, governing bodies and educational establishment proprietors should consider the age range of their pupils, the number of pupils, how often they access the schools IT system and the proportionality of costs vs risks.”

The Department for Education’s summary response and advice, however, offers little practical support to school leaders on how to concretely take these things into account and meet human rights legislation. This is especially important for BYOD (bring-your-own-device) policy, so that there is explicit clarity on the practice of monitoring personal electronic devices not owned by the school but used by pupils in school. Without clarity on software monitoring of pupils' own devices, we risk a slippery descent into schools made complicit in a privacy invasion of family life.

The Government said in the consultation it wants to “test the expectation that these monitoring practices are already widespread”. If so, these potentially highly invasive policies must be properly scrutinised, in order to secure safeguards and transparency, and avoid potential legal challenge.

The 310 original consultation submissions have not been published. Concerns raised by experienced academics on human rights and cyber security, as well as civil society, have not been addressed. These include questions on safeguards, calls for independent scrutiny of the plans, and the need for public engagement and parliamentary debate to achieve the transparency, oversight, and public trust needed before implementation.