What will GDPR Privacy by Default and Design mean for national pupil data?
National Pupil Database pupil privacy transparency / September 13, 2017
When parents give their children’s information to school, do they expect it could be passed on to commercial companies? Or to journalists? Or charities? Or used against them by UK immigration and visas or Border Force Casework Removals?
No.
The truth about all these uses of our children’s personal data by third parties is that each is an invasion of privacy.
The commercial uses began after the law was changed in 2012-13, but the interference with our most basic human right took a more damaging turn one year ago, when a new law came into force before any possible parliamentary or public scrutiny: the Statutory Instrument that made it legal for the government to collect nationality and country of birth on children in England, at national level.
Three months later, in December 2016, the truth came out that the new nationality data had been intended, “once collected”, to be handed over to the Home Office Visas and Immigration (UKVI) and Border Force Casework Removals Team.
They use the named data, home and school addresses for direct interventions with individual children and their family members, in an agreement with a range of strategic aims including to “create a hostile environment”.
That is an invasion of privacy and of family life.
The Department for Education told the Secondary Legislation Committee in September 2016, however, that it was not.
“The additional pieces of information do not present any new privacy risks”.
Somehow, the Department had managed to decide this all by itself, without doing any assessment of the impact on privacy. Chicken meet egg. Or poacher posing as gamekeeper? They wrote:
Pretty much, trust us, ‘we’ve always done it this way’. And it’s true.
It’s exactly what happened in 2013 too. The Department presented the change of scope, opening up the National Pupil Database to a broader range of third parties as “minor amendments” to the Regulations. It was in fact a hugely significant change in what can be done with children’s identifying and often highly sensitive personal data.
Fifteen years after the Department started to collect names in the school census, things have changed enormously.
MPs in the House of Commons were assured on the changes to the “Central Pupil Database” in 2002 by then Minister of State for Education and Skills, Stephen Timms, that, “The Department has no interest in the identity of individual pupils as such, and will be using the database solely for statistical purposes, with only technical staff directly engaged in the data collation process having access to pupil names.”
But today, the school census presents an invasion of privacy in exactly the ways human rights campaigners foresaw and warned about; names are used by other government departments, sensitive data handed out for commercial use, and data copied to third parties.
Each incremental expansion has meant scope creep, from when a few core pieces of data were recorded in 1996 to now, with around a hundred pieces on any one child at one point in time. A record which grows longitudinally over their school lifetime, turning into a record so detailed that it now shows the exact property position in a block of flats, also added in autumn 2016. (All the better for an Immigration enforcement team to know exactly which door to knock on?) A record is attached to a unique pupil number that lasts a lifetime (which is supposed to lapse but in practice doesn’t), together with reasons for exclusion (assault, theft, drug related) that read like a rap sheet, that are permanent. Lasting impacts on privacy, potentially each time the data are released, each time the data are used for interventions in the Troubled Families programme, matching in the National Citizen Service, or sent to journalists, for long after any actual criminal convictions would have been expunged.
Far from being empowered, “able to request a copy of their own record in order to confirm its accuracy” as was proposed in 2002, parents and children in 2017 are refused Subject Access Requests. It’s no longer used just for public interest research. Or even by for-profit businesses. But for the UKVI to “initiate contact” and to “effect removal” “to depart the UK.” How much more invasive could it become?
The General Data Protection Regulation demands change. It insists on assessment of giant databases like this.
Privacy impact assessments will be legally required in some circumstances under GDPR. Find out more: https://t.co/phO4K86nI1 #ukbizlunch pic.twitter.com/57ijygZexq
— ICO (@ICOnews) September 12, 2017
Under the Data Protection Act, privacy by design has always been an implicit requirement of the principles such as limited purposes, and data minimisation. The General Data Protection Regulation requires data protection by design and by default.
Privacy Impact Assessments were supposedly a “mandatory minimum measure” in government and its agencies since 2008. According to the document, Cross Government Actions: Mandatory Minimum Measures, 2008, Section I, 4.4: All departments must “conduct privacy impact assessments so that they can be considered as part of the information risk aspects of Gateway Reviews.”
Yet the National Pupil Database continues to grow without either assessment or review. The National Pupil Database is “one of the richest education datasets in the world” using records from every child in state education, and some independent schools, currently growing upwards of 23 million named records.
Now that the Home Office teams can use it to knock on doors, the database use has far overstepped any notion of nominal privacy risk. It’s not an abstract risk on paper. The uses of this database affect real lives, jeopardise children’s digital integrity, and put them potentially at increased safeguarding risks.
If we leave the protections of the CJEU and the government waters down our inadequately met rights still further, what state will we be left in? We need to know our children are protected from predatory practices, and invasions of privacy.
This is why we are calling for change and due attention given to children’s data rights in the coming Data Protection Bill (GDPR exemptions). The National Pupil Database is in desperate need of assessment and transparent oversight.
Background: Legislation and decision process on School census expansion to incl. nationality data collection
- Version 1.0 Memorandum of Understanding (MOU) between the DfE and Home Office, effective between 18/12/15 and 06/10/2016 [download .pdf 538 kB]
- Letter to the Lords Secondary Legislation Scrutiny Committee – SI 808/2016; school census expansion [letter .pdf 143kb]
- Government response to the SI 808/2016 letter [response .pdf 707kB]