What’s Next? Under 364 days to fix pupil data privacy.

After the General Election on June 8th, and machinery of government changes, we look forward to continuing work-in-progress with the Department for Education and government regards children and young people’s data privacy and digital rights.
We have been given commitments that:

“the Department is currently reviewing data access processes across the entire Department and the transparency of these.
“the aim is to be transparent about all requests not just the third-party access list for the National Pupil Database.”

We look forward to this, including the publishing of details regarding all pupil data sharing, including with the Home Office and Police after the school census expansion in 2016. While an exact date has not yet been set, we expect to see this new, regular transparency information, as soon as possible. But that’s just the start.
As a non-partisan organisation, we will continue to call on the government in the coming year, for change.

Seven areas for action

1. Safe data. Moving the National Pupil Database and more, to safe settings, as first outlined in the government’s UK Digital Strategy in March 2017, and to end giving raw, identifiable data out to 3rd parties, without pupils or parents’ consent. The DfE intent to “work with the Office for National Statistics to make research samples of the National Pupil Database available through the Virtual Microdata Laboratory (VML) service, and provide secure access to the service from multiple sites,” cannot however be a bolt-on service, but must replace the current use of identifying data by any third parties in the wild. Public interest research uses and exemptions from some aspects of Data Protection principles are in jeopardy due to the use of data for direct interventions; this needs to change. We will also be working with DfE to first fix the collection and design needs for local and national consent options, before proceeding with the Data Exchange programme — ignoring current failures to meet DPA legal obligations has the potential to create a Gremlin-like release of multiple problems, via for-profit companies using personal data for “EdTech products”. Schools will be held accountable for many of them to fix. But for others, DfE will be in breach of legal obligations, at the latest by May 2018 under GDPR.
2. Fair data. We are asking for an independent review of current consent and fair processing practices in state education data collection from children age 2-19 and the legal compliance with the duty to inform parents and pupils how their personal data from school records may be used. This includes the 15 million people who have left school and who must be told how their personal confidential data are being used.
3. Transparent policy and practice. We have asked the question whether the parent portal announced in 2016 might be designed to accommodate consent approvals of secondary data purposes and uses.  And how are data truly collected and used? What does the National Database hold about me? Policy must change on the citizens rights to Subject Access, and enable pupils and parents to see what the Department holds about us, and to whom it has been given, and why. A DfE level Privacy Impact Assessment (PIA) is needed of all school census and Early Years census data collection before the end of February 2018, ready to meet May 2018 GDPR legal requirements, and ahead of the Data Exchange rollout, “a major project to transform how data is collected for statutory purposes” with “massive impacts on how data is moved around the sector in the coming years”. There has never been any PIA to date on national pupil data, despite recognition as a mandatory minimum measure (4.4) across government.
4. A commitment to oversight and transparency of the Home Office and police use of school census data, to ensure accountability for children’s wellbeing, as well as the integrity of data and public confidence in its collection and use. This will include publishing the volume of data access on a regular basis.
5. An interim review of all national school and student data exchange with the Home Office, before January 2018, Spring census collection, with reference to the intra departmental agreement MoU v2.1, para 15.4.1.
6. An independent review of the Prevent programme across education is urgently needed, as recommended for schools by David Anderson QC (para 14), by the UN special rapporteur, as called for by the NUT, and for Universities by the Joint Committee on Human Rights (para 25). Data is being created in error and forming permanent records for people from an early age. How is it used? By whom, and why?
7. On GDPR and children: Urgent national discussion is needed on policy and the derogations of General Data Protection Regulation (GDPR) which affect children, enforceable from May 2018. With around 200 working school days left from now until then, and a comment in the Conservatives manifesto which would appear to undermine not enhance children’s rights to erasure by enabling it only for children at 18, this must be ‘what’s next’ at policy level. We will publish a free report in autumn 2017, to help schools take easy steps to understand and meet GDPR compliance.

---

There is lots to be done in the next year by both Her Majesty’s Government and Opposition after the General Election to make children’s confidential data safe, fair and transparent. Lots to be done to live up to manifesto commitments by all parties. We look forward to working with the new responsible DfE Director shortly.
Ultimately data privacy is not about the data. We want all children and parents to be able to trust that school is a safe place. To be able to trust that there will be no surprises as a result of how their personal information is used by central government, by commercial companies or schools themselves. Children must not be put at risk online and offline through careless use or misuse of their data. That includes the 3.7 million children who live in poverty who should not be technologically disadvantaged or exploited in education. We will work towards making children safer, and look forward to encouraging all parties, their policies and practices, to respect human rights to privacy and participation, using data wisely, for good.