Rights and obligations under the Data Protection Act for processing sensitive data

When ten journalists at the Telegraph newspaper received over 10 million children’s sensitive personal data in 2013 how were the legal requirements of the Data Protection Act 1998 met and whose responsibility would it be, if they were not?

The conditions for processing take account of the nature of the personal data in question and the conditions that need to be met are more exacting when the information being processed is sensitive personal data, such as information about an individual’s health. SEN, special needs data, fall into this category for example.

If the information is sensitive personal data, at least one of several other conditions must be also met before the processing can be said to ‘comply with the first data protection principle’ of fairness. The processing must also be necessary.

We will now ask the question on what basis were the data processed fairly not only by recipients, but by anyone they passed data on to? And how in practice, has it changed?

Will the Department understand and accept how important fair processing is, and that their responsibility for this lies beyond publishing a privacy template on a website?

The steps towards transparency are positive and thanks to the Department’s progress here, pupils and parents are able to see more clearly what happens to their personal data from schools. Now they need to be told effectively to look at and understand it.

Will the Information Commissioner’s Office accept that these sensitive data released are most certainly not ‘no longer personal data in any event’ as previously described by the Department for Education?

We re-publish below a summary of the reponse to the Freedom of Information Request we first made in November 20th 2015 through whatdotheyknow.com. Having had no response for 6 months, we sent it for internal review last week.

The response received in quick response, is revealing. In summary:

• In 2013 The Department gave The Telegraph millions of individual children’s identifiable sensitive personal data, including single counts. (This practice continues.)
• These included special needs (health) data and ethnicity among other sensitive data. (This practice continues.)
• There is no written evidence available of the condition for processing under Schedule 3 of the Data Protection Act that the Daily Telegraph relied on.

These are sensitive personal data. They must be processed fairly, which includes meeting the criteria of  being ‘necessary’ to share with third parties. And people must be informed.

The Department appears keen to point out that “we did not require the requestor to inform us of the conditions for processing that they relied on.”  The Department first needs to ask itself on what conditions its own processing and release rely on. 

***

21 June 2016

Ref: 2015-0054037

You asked the following questions about the previous FOI response (2015-0048682) and associated letter:

You have confirmed that in the release of 5 years’ worth of data (2008-2012) from the National Pupil Database the Department for Education released children’s sensitive personal data including SEN and FSM indicators, ethnicity and language, in February 2013 to The Telegraph.

These identifying and sensitive items, or identifying data items were matched at individual pupil level with census data for KS2, KS4 and KS5 datasets before release at individual level.

Please can you provide:

1. The legal basis (in form of written legal advice used at the time if available, or anything relevant and similar) that met Schedule 3 of the Data Protection Act 1998 to permit the release of sensitive data. If no past evidence is available, please provide what is currently used to make similar decisions.

At the time of this request (February 2013) we did not require the requestor to inform us of the conditions for processing that they relied on.

The requestor signs an agreement which confirms that they will process the data in accordance with the Data Protection Act (DPA) and it is the responsibility of the requestor to ensure this is the case.

As such there is no written evidence available of the condition for processing under Schedule 3 of the Data Protection Act that the Daily Telegraph relied on.

In February 2015 we introduced an additional level of scrutiny where we ask requestors to confirm the DPA conditions for processing they rely on to link data to the NPD. The latest version of the NPD data request application form (question 6b) specifically asks about the conditions for processing on which the requestor is relying.

If the request includes sensitive personal data, the answer to this question must convince the Department that the processing of the data is fair and lawful, the latter requiring a condition for processing under Schedule 3 of the DPA. If there is any doubt as to the validity of the response, the legal advisor’s office is consulted for advice.

2. The written business case used to ascertain why these particular data were necessary, and that less identifying and sensitive data would meet the requirement. (If nothing more than the application form already provided is available, there’s no need to provide again.)

As previously noted during the assessment of this request the data requirements were discussed with the requestor and their application was moved from a Tier 1 to a Tier 2 request. This significantly reduced the amount and sensitivity of the data requested as a number of highly sensitive and identifiable variables were removed from the request.

There is no further written business case for the approved Tier 2 variables other than what is included in the application form.

After a telephone discussion with the Daily Telegraph, the Tier 2 variables requested were subsequently approved as they were required to differentiate between the different intakes that schools have. To effectively compare schools, the Daily Telegraph wished to factor in the “different types of pupil” who are present at different schools.

Information on pupil characteristics related to prior attainment: gender, ethnic group, language group, FSM eligibility and SEN provision status were deemed by the Department to be appropriate as these are seen as important factors in levels of pupil attainment.

The approved Ethnic Group Major and Language Group Major variables are the least sensitive versions available of this data. The Daily Telegraph did subsequently confirm destruction of this data.

3. Please can you confirm what small numbers suppression, if any, was applied before this release. (Not what the users may have applied before their statistical publication, but what was applied to the data before providing to them.)

There is no suppression applied to data extracts from the NPD before release. Instead, Requesters are required to sign up to strict terms & conditions covering the confidentiality and handling of data, security arrangements, retention and use of the data. These include that no individual will be identified in published data. The Daily Telegraph requested pupil-level data and so suppression was not applicable.