Spring term report card: children’s pupil data privacy in England Q1 2017

In the first quarter of 2017 there have been a number of policy announcements and pieces of legislation passed that affect children’s data privacy in England. We have continued our work towards safe, fair, and transparent collection and use of national pupil data.

School census: Moving pupil data towards safe, fair, and transparent use

The UK Digital Strategy announced a committment to changes in National Pupil Data management. That will mean changes in the handling and secondary uses of data collected from pupils in the school census. Uses like public interest research, and national planning, and use by third parties. Third parties today include companies such as private tutor pupil matching services, and data intermediaries.  It includes journalists at the Times and the Telegraph. All uses that parents and pupils know nothing about. The UK Digital Strategy goes beyond changes in data management of only the National Pupil Database (NPD) but across the sector.

Access to the National Pupil Database via the Office of National Statistics (ONS VML) would mean safe data use for research purposes, in safe settings, by safe (trained and accredited) users. Identifying data would stop being handed out to third parties at national level for research purposes. But what about commercial use, especially with data intermediaries?
Another grey area on privacy and security remains: what is the intention for protections of pupil data in product development?
Further plans for the “Data Exchange” which will enable EdTech products to “talk to each other”. While laudible that DfE wants to make data collection less burdensome for schools, what are often seen as ‘barriers’ for schools to share data with local third parties, are in fact legal and ethical protections of children’s confidentiality.
The aim of changes in data access is to ensure that children’s data integrity and identity are secure.  The intention in the UK Digital Strategy that “at all times, the need to preserve appropriate privacy and security will remain paramount and will be non-negotiable” must apply across all closed pupil data, at local, regional and national levels, and not only to that which may be made available via the VML. Sensitive personal data cannot be managed abroad without explicit consent for example, and consent cannot be required in order to use the service or not get the serviec at all — such as sitting an exam — or it is not ‘freely given’.
The “All Education Dataset” is also something we are exploring as to its purpose, fair processing, governance, and plans for use.
We are still waiting for further information on commercial use of pupil data and working with the DfE what planned changes will mean in practice.
This pupil data strategy is still far from clear and there are no more details in the public domain. The DfE is ‘currently undertaking a review of data sharing governance and release practices’, to ensure consistency across data sets and we will be watching its development carefully, and stay in discussion with the Department.

School census: Pupil nationality data collection

The Department for Education has refused our FOI request to publish figures on the collection of nationality and country of birth data, and rates of return and refusal from the autumn census.
On January 10th, the Department for Education (DfE) released new school census guidance v1.5 telling schools what was announced in Parliament, in November. If parents or pupils wish to retract information provided during the autumn census, they should inform the school and the DfE will remove it using the code, REF or REFU ‘refused’. Schools should review their process.
Schools must offer pupils and parents the opportunity to retract nationality data if schools submitted data but had not explicitly asked parents, or wrongly said it was required. Guidance confirms: These data are optional and do not affect funding.
Together with fellow campaigners we are calling on schools to remember the three Rs when it comes to the school census nationality data collection: refuse, retract, and resist.
The collection of nationality data is not for education purposes, but was agreed in a compromise of Home Office measures in 2015. Since The DfE has failed to communicate this, Against Borders for Children supported by Liberty, sent information to all schools in England to explain the truth behind the collection.
Use of pupil data by the Home Office and police is still not included in the quarterly tracking published by the Department for Education. We will request this on a quarterly basis to have it in the public domain until it becomes routine as part of the DfE transparency objective. We await an internal review and return of information detailing the data sharing process.
School Governors’ data also continues to be collected without oversight or transparency and we continue our efforts to achieve this.

Parliamentary Questions

Questions answered in Parliament this quarter on pupil data sharing include:
Jim Cunningham MP who asked the Secretary of State for Education what the Department holds on the (a) nationality and (b) ethnic background of pupils, how many applications were approved in each of the last five years, and how many applications were refused in each of the last five years from the National Pupil Database. [57722, 57723, 57724] He went on to follow up and asked how many Home Office requests were approved in each of the last five years. [57640] The answer was somewhat misleading because the volume per release was not detailed in the reply, i.e. up to 1, 500 names in each request.
Steve McCabe MP asked about the National Pupil Database volume of data shared with (a) the Home Office specifically for immigration purposes, (b) media bodies and (c) other parties [56640] and about identifiable data shared from the National Pupil Database with journalists, and charges. The government responded that, “The data extracts are provided free of charge.”

In the House of Lords, Lord Judd asked about the Home Office use, specifically for immigration enforcement purpose, stigmatisation, and racial profiling. [HL4568]
Lord Storey asked which government departments have access to the National Pupil Database. [HL4486] Not all of these Departments appear in the third party register of data access so we are pursuing these differences.
Lord Ouseley asked Her Majesty’s Government whether schools are required to collect personal data about schoolchildren and to pass these on to the Home Office, either directly or through the Department for Education; and if so, for what purposes such data are collected and transferred.  [HL4514].  The answer suggested it has always been the case, that for ‘illegal immigration’, data including a pupil’s address and school details may be requested from the National Pupil Database. It did not state that the policy only began on a regular monthly basis in July 2015.
Lord Scriven asked, further to the Written Answers by Lord Nash on 4 November 2016 and 6 January 2017 (HL2515 and HL4240), why schools were not informed by the Department for Education of parents’ right to retract data submitted in the autumn school census in October 2016, until 19 January; and whether this right to retract the optional data already returned will be withdrawn, and if so, when. [HL5596] Of concern to us, the Minister’s comments in reply suggested this offer might be time-limited, because it will be reviewed at the end of the year.
Lord Scriven also asked why the communication on 10 January direct from the Department for Education to all state-funded school heads in England about the expanded school census collection did not mention the Home Office’s access to pre-existing or new school census pupil data in national databases; [HL5997] and  in question [HL5598] when and how former pupils who provided their personal data before 2010 for the purposes of their own education and who are now older than 19 will be informed of the new broader uses of their individual personal data by third parties since 2011. This received a wholly unsatisfactory answer.

Legislation

1. The Higher Education and Research Bill (HER Bill)

The government is in the final stages of passing the Bill without amendments to safeguard student privacy. Clauses 73 and 74 permit the broad use of applicant and student data at the discretion of the Secretary of State for Education. UCAS shared our concerns about the change to their existing consent processes which permit students to opt out of sharing with the Student Loans Company, and worry that the DE Bill will now revoke this.

2. The Technical and Further Education Bill (TFE Bill)

The government is in the final stages of passing the Bill without amendments to safeguard student privacy. Part 3 permits the broad use of TFE student data at the discretion of the Secretary of State for Education.
The Minister Robert Halfon assured us that this change was only, “owing to a technical matter” and would mean no substantial change of uses today. We remain unconvinced as these changes leave student data without sufficient oversight of uses, and open to scope creep as has happened with pupil data. There is no third party register tracking data uses.

3. The Digital Economy Bill (DE Bill)

The government is in the final stages of passing the Bill without amendments to safeguard children’s privacy in Clause 31, and Chapter 2 despite criticisms from across civil society organisations that government has failed to address since discussions in early 2016. We believe that combining the powers of the TFE and the HER Bills, together with the removal of horizontal data protections through this bill, result in weaker citizens’ privacy and data security. Part 5 permits broad use of all public data by other public and some commercial bodies, which will include that of schools and other educational institutions. Pupil data is the wrong model to copy. It is likley poor practices seen in pupil data will be duplicated across education, and other public datasets as a result of this.
We await to see the assessment of compatibility with human rights law under section 19(1)(a) of the Human Rights Act 1998.
This bill missed the opportunity to consider suitable age verification and parental consent measures ready for GDPR. We will be looking out for the consultation on codes of practice. We also look forward to the Green Paper on Children’s Internet Safety in Q2.

Reports of note

1. Research by the Oxford Internet Institute shared doubts on whether Internet filters are effective online at all. The research paper, published in The Journal of Pediatrics, says the effectiveness of internet filters is ‘dubious’ and suggests that resources would be better spent trying to develop the resilience of teenagers to such experiences.
2. The House of Lords Select Committee on Communications published its report, Growing up with the Internet, the 2nd Report of Session 2016–17. The recommendations were wide ranging and practical, including a call for a national Digital Champion for children. The report mentions our consultation contribution in which we called for change, increased transparency and greater attention to children’s rights, which we see ignored in discussions that focus exclusively on policy aims rather than the individual person it affects. In particular we support the main findings in areas of data privacy and child rights. However criticism was raised by the Internet Service Provider Association (ISPA) that considers universal filters on-by-default are disproportionate.  The report also calls for education about risks and responsibilities. [read more in our blog response]
   

Countdown to GDPR

In preparation for The General Data Protection Regulation (GDPR) there  must be an active UK decision before May 2018 about how younger children will prove they have parental permission to access ‘Information Society Services’. It’s to enable parental consent to their child’s data collection by the service. Whether that will end at 13, 16 or somewhere in between remains undecided. [read more]
The Information Commissioner’s Office (ICO) found in a survey that local authorities are unprepared for GDPR. according to the results, 26% of councils have still to appoint a data protection officer as they will be required to do when the General Data Protection Regulation (GDPR) begins to apply on 25 May 2018. [read more]  This is also reflected in conversations we have had with national and regional IT providers who say that schools and LAs no longer have Data Protection staff that they need to deal with when introducing EdTech into schools.
The ICO has had a consultation on consent and GDPR. Implied consent won’t always be appropriate as a lawful basis for processing under the GDPR and it is on this which schools’ data relies heavily. Legisation will be needed in this area, and a Green Paper on Internet Safety is expected before the summer recess.
We have sent a proposal on assessing readiness in schools in England and to help them prepare before May 2018, to the Department for Culture, Media & Sport, the Department for Education, and the Ministers responsible for the UK Council for Child Internet Safety (UKCCIS).  We have begun working on a report of the state of today’s data privacy in schools together with specialist input from across civil society organisations in key areas of technology in education. We expect to launch this in September.

In the press ahead of the Spring school census

February
Schools Week Government reviews pupil nationality check guidance after schools’ passport demands
January
Huffington Post blog by Green Party leader Jonathan Bartley, The School Gates Should Not Be A Border Checkpoint
BBC Boycott birth census, civil rights group urges parents
Schools Week ‘Refuse, retract, resist’ school nationality data collection
The Independent Human rights campaigners attack Government’s ‘foreign children list experiment’
Schools Week Human rights charity warns headteachers over pupil nationality data collection
i-News School governors forced to declare nationality to Government
City of Sanctuary guest blog “Let the little children come to me” – the school census boycott

What else?

We enjoyed talking to Open Rights Groups in Bristol and Manchester in February and March, and the successful Against Borders for Children event in January at SOAS in London, together with many of the ABC supporting organisations. Over 100 attendees came together to talk about the census in context, where it fails children’s privacy, what better data collection would look like, and workshops on action.
More events are planned later this year.