New review of school census data releases from the National Pupil Database
National Pupil Database pupil privacy transparency / April 11, 2017
Here is our review of the latest releases of pupil data disclosed from the National Pupil Database (NPD) as stated in the Third Party Register.
Of the 887 requests and releases of identifiable data that have been through the DfE request process in March 2012 – December 2016, only 29 have been for aggregated data.
334 Tier 1: individual level, identifiable and highly sensitive
368 Tier 2: individual level, identifiable and sensitive
29 Tier 3: aggregated but may be identifying due to small numbers including single counts
84 Tier 4: individual level, identifiable and non-sensitive
72 unclassified (include sensitive and identifiable data).+
Three were requested, but then not pursued by the applicant.
We have a high degree of confidence in these counts. However, there is a margin of difference in the numbers published in the third-party register and recent written Parliamentary questions.
The register states 887 requests were made to the Data Management Advisory Panel (DMAP). These are external requests. A PQ states over 1700 unique releases were approved and that “these include both the Department’s and external requests.” The register records 15 rejections. The reply to the question, states that more have been refused.
Each time data was released on ca 860 occasions, each time likely of millions of children in volume, these data were of identifying, individual pupil-level, data. These totals exclude police and Home Office. There is still no committment to publish these back office uses.
All the uses may include every child’s data collected in the school census. It is impossible to see the volume of data released in each request, but most are for several years worth. Millions of records at a time.
Data continues to be sent out to third party recipients, to their locations, outside safe settings. Identifying individual pupil data are divulged by the Department for Education to the data requestor. They in turn agree not to onwardly disclose identifying data through their use or publications in the press, research or commercial work. The DfE has, in practical effect, outsourced the responsibility for our pupils’ privacy to private third parties, to the press, to Arms Length Bodies (ALB), Charities, Data intermediaries, and other Government departments, under license agreements. There is no way of knowing if data have ever been lost, misused, re-licensed or sold from releases since 2011.
These data have often not been consented to for purposes other than direct schooling. There is ineffective and unfair processing. Schools cannot do it, because they don’t know or understand these third-party uses themselves. A privacy notice published on a school website, does not work. While at our suggestion, since spring 2016 the link to third party has been included in national privacy notice templates, the notices do not work at all. Personal data is not processed ‘fairly’. There is no attempt made by the DfE to explain to schools, pupils or parents, that data are given to commercial third parties and press. In fact, they explicitly told schools in instructions about submitting census data, that there is no need for pupil or parental consent – which is incorrect on optional data such as ethnicity, nationality and country of birth – and say schools are exempt from any breach of duty of confidence. The DfE video does not mention fair processing. It has since been taken down. Current guidance is not explicit.
In our small samples of 2015-16 research with schools, parents an pupils, only 1 in a 100 had even heard of the National Pupil Database. Parents simply expect their children’s personal data are used in their school, and that statistics are sent to the DFE. Are these identifiable releases necessary and legitimate for the child it is about?
From pre-2012 when the laws changed, no attempt has been made to tell former pupils how their personal data are now used. That is around 15 million adults. Data are never deleted. But now due to the direct pupil interventions school census data are used for, it may revoke the research exemptions the DfE data collection has to date made use of, retaining data forever and refusing Subject Access Requests. If you want to know what DfE holds, we think you should be able to ask them.
It is unclear from some new 2016 releases, why pupils’ personal and attainment data could not be obtained from families with consent, since the organisations have indirect care or relationships with contact with the children they ask for data about.
What gets requested and released includes sensitive data
The vast majority of releases are of sensitive and identifying pupil-level data. The aggregated data are least requested. These released data are not anonymous, but are of identifying personal data, and these releases are not of statistics. The answer to this question was inaccurate; the data are NOT anonymous on release. While name may be released only rarely, the data are identifying.
Tier 1 are the most identifying and highly sensitive and individual level. Tier 4 are also individual level and identifiable but less sensitive. See the NPD User Guide. (pp 19-21)
The data items released range from name, date-of-birth and address, through special educational needs health related data, to attainment, absence and exclusions and more can be seen in summary (pp 26-35). The NPD User Guide also says (p25), ‘the identity of a pupil cannot be discovered using anonymised NPD data in isolation‘ and this is misleading. While it may be true, releases also give access to named data and all releases are identifying. Anonymous “open data” and statistics are released separately from this process, not to be confused with these releases.
Sensitive data include SEN types which reveal a range of special needs and health conditions. Reasons for exclusion may be Physical assault, Sexual misconduct, Theft, Drug and alcohol related. Data are never deleted. These data are also opinion-based and may not be transparent to the individuals.
All these types of data are at individual pupil level. Ethnicity codings are highly detailed, and is a vast list covering six A4 pages on the School Census User Guide [pp 130-136].
All sorts of users can access sensitive data. This example below is from a television journalist requesting Tier 1 and Tier 2, sensitive and highly sensitive, individual pupil level data. Journalists receive multiple years and millions of children’s data. How many, the Department cannot confirm. At the time of asking, July 2015, they had never done any external audits but sent data under a ‘release and forget’ style approach. While the recipients agreements required destruction it was not followed up.
When we enquired, the Telegraph had received sensitive pupils’ data in 2013, there was no suppression of small numbers, and it had not confirmed its destruction past its due date. The Times Newspaper use was similar.
Data released includes school unique reference numbers, and other codes or abbreviations, which are in the public domain.
The Department began in 2016 to publish and confirm destruction dates in the Third-party-release register We await to hear if and when they will start a regular mechanism of audit or stop sending data like this out into the wild, so that audit of that process becomes unnecessary going forwards.
Examples of the data items the third parties receive published in agreements
Partial copies of a range of ten applications are here obtained via FOI. We then asked for the license agreements. There is little detail on precise data items, but most match census (personal) data with attainment (KS – key stage results) data. Exact data items are not listed in the third party register either.
The Good Schools Guide including Tier 1 and Tier 2 data. The Innovative Consultancy released from May 2016 and expires April 2019. Lucas Publications. Data includes Tier 1, 2 and more, with year and month of birth, ethnicity, FSM, Language data and sensitive SEN data. Alkemygold, extension of existing arrangements, expires January 2020. OPM purposed for a control group. School Guide UK, the ‘official school data provider to Mumsnet’. Data intermediary Julian Clarke Ltd. To make online heat maps, Tutor Hunt, were given month and year of birth and geolocators, Output area codes (OA), were added to children’s personal data, at pupil level. Journalists. And RM Education’s most recent contract was published here, for the handling of attainment data and linking to pupil personal data from the census. Their use of pupil data since 2012 releases is not mentioned in the register. Are there others who work on these types of contracts are have also been left off? The FOI reply omits our requested third party agreement example with FFT. The data intermediary website says FFT has “managed the National Pupil Database for the DFE since 2004. Working in partnership with RM.” They do predictive pupil-level data analysis. BBC Newsnight was granted highly sensitive and identifying, Tier 1 data, even though there is no clear legal basis for passing journalists individual level, sensitive data meeting Schedule 3 of the Data Protection Act 1998.
Summary split of types of third party recipients
While remembering this is not an indicator of the volume of how many people’s data from the roughly 23 million in the National Pupil Database has been released each time, we have categorised the share of the total requests for data into our own labels of recipient types. Note that ‘private’ could in its broad sense be higher, as we separated out Think Tanks and Press. Some recipients have dual private/commercial, and non-profit arms which we include in private. Academic-universities (357), Commercial / Private company based uses (247), Think Tanks (103), Charities (81), Arms Length Bodies (47), Government Departments including local government (44), and Journalists. (5)(Press) Note: This number (5) is higher (9 since 2011) according to the PQ.
Releases missing from this register
The third-party register includes the disclosures of the last 4 years March 2012 through to December 2016 but it has left out the releases to police, and to the Home Office Removals Casework Team, confirmed via FOI for the purposes of immigration enforcement.
We know that up to 1,500 individual pupils’ home address and school address may be made available to the Home Office on a monthly basis. Pupil data has been sent over since July 2015.
As the Guardian reported, after they had spoken to the Department for Education:
“The individual details of children’s schools and home addresses were supplied in response to requests from the Home Office’s absconder tracing team looking for parents who had disappeared after being told they faced deportation…”
If you are concerned about adding country-of-birth and nationality to this, you can take action. Write to your MP and join the voices of over 20 rights’ organisations who have written a letter to the Secretary of State calling for it to end, and data to be deleted. You can see multi language resources at the campaign Against Borders for Children and refuse. retract and resist. Parents and pupils can refuse and retract children’s nationality and country-of-birth data even if previously submitted. Using refused, schools overwrite the data submitted. Its collection is optional, and unconnected with funding, confirmed in DfE school census guidance published on January 10, 2017.
We continue to campaign for all pupil data to be made fair, safe, and transparent.
Disclosure: Coordinator Jen Persson was once invited to a DMAP meeting by DfE. It was postponed, and the invitation has been withdrawn until further notice. She is an independent member of the DfE National Pupil Database Steering Group which has met twice since November 2016 by phone. We do not have access to more information which is not in the public domain via FOI work. We have not yet seen the “review of Data Access arrangements which we expect to cover data request and access procedures and plans for data access for new data items.” The Digital Strategy included brief mention of plans. We eagerly await more information.