News / National Pupil Database

Student data rights packaged up for Pearson

Update June 27: The Minister has confirmed Section 63 does not place limitations on the type of information that may be shared, and therefore it could include personal data sharing between the OfS and these bodies, relating to both Higher Education staff and students.
July 2, the Commons Delegated Legislation Committee will consider the Higher Education and Research Act (Cooperation and Information sharing) regulations 2018 (SI 607/2018).
The purposes for which these data may be used are open and vague, set out in the Explanatory Notes as connected with the Articles of the prescribed persons. The Explanatory Notes show only page 1 of these for Pearson Education Limited, but there are 4 pages — and the further articles include lending money, pensions, and promotion of other companies.
It further permits in the information duties of Clause 64 of the Act, for the bodies to share data with the government, as the Secretary of State for Education. For example, for data about students’ attendance to be passed over from Pearson, to other government departments. But which ones, and how will the personal confidential data be used?

Original post June 18, 2018:
Just weeks after making a fanfare about the new UK Data Protection Act 2018, supposed to give people more control over their data and how it is used, the government has passed a new law that rides roughshod over students’ data rights.
The Telegraph reports that a statutory instrument came into effect today, that gives powers to the controversial Office for Students (OfS) to hand over student data from Higher Education institutions in England and Wales to other third-parties, by adding detail to s63 of the Higher Education and Research Act 2017.
Corporate education giant Pearson Ltd, is just one of the selected recipients named in the new list including the Student Loans Company, and HMRC.
There are no safeguards in place to protect anonymity. There is no public transparency or accountability of its purposes or use.
90% of 37,000 student asked in a 2015 UCAS survey said they do not want their data to be handed to commercial companies without consent.
The change has been rushed through in less than 3 weeks and without debate, under the eye of Sam Gyimah,  joint Minister for Higher Education (HE) at the Department for Business, Energy and Industrial Strategy and the Department for Education. This week as he got his own avatar, the Minister called for social media giants to have a ‘duty of care‘ to young people. It seems the government does not think the same duty applies to their own practices and respect for young people’s privacy and human rights.

What will it mean?

These new powers will fundamentally change in law the way students’ personal data can be shared with other government departments, public authorities, councils trading standards, and with commercial companies explicitly named; Pearson Ltd and the Student Loans Company.
Understanding how our data is used and for what purpose not only matters but is generally required under the GDPR and UK Data Protection Bill. The Explanatory Notes (EN) say the users of the data have defined among themselves (8.1) what those uses will be, but they are not listed. On the contrary, it states explicitly that no guidance will be issued. (9.1) So what will students be told?
This change to the Higher Education and Research Act 2017 means:

  • Students won’t have any control over the personal data they share with their university or during their university application process and it will be handed over without consent.
  • Unidentified and unaccountable people at the controversial Office for Students will decide why students’ data is shared, when and how.
  • Officials from a broad range of bodies will be able to get hold of that personal info.
  • They won’t ever have to ask permission for using it with the new list of bodies.
  • Pearson like other private companies, is not subject to Freedom of Information, and is not keen on transparency. Will you know where your data has gone? How will anyone know if policy changes? Their privacy policy leaves a lot to be desired.
  • This will effectively remove students’ consent rights in England and Wales (including any students from anywhere, studying in those universities).

Gordon Marsden, Shadow Minister for Higher & Further Education and Skills, spoke in debate about; the risk to student data protection rights in the development of the Higher Education Act in October 2016: “these clauses would give the state access to all university applicants’ full data in perpetuity, for users who would only be defined as “researchers” and without “research” being defined at all; that might be capable of being changed under the direction of the Secretary of State.” 
Pearson Ltd is already among the recipients of over 1,000 releases of confidential school pupil records from age 2-19 approved by the Department for Education since March 2012. Anyone aged state educated and under 36, is one of the 23 million names stored in the National Pupil Database since 1996. Unlike Higher Education, the Department publishes details of the releases of data from nursery through secondary school in an online tracking register.

Students and universities have been excluded from this decision

Risks include

  • third parties further distributing the data directly, or selling it as part of a company asset, as Pearson has done so in the past
  • potential uses to develop products that limit students’ life chances in their choices and access to institutions, courses, funding, and employment, once these data are distributed without public oversight
  • knowledge gleaned from the data, may give any single company, a sizeable and unfair commercial competitive advantage in the sector over others,
  • there is no transparent oversight or accountability for its future potential uses and scope creep.

Data sharing is necessary for education, but this is not for the direct purposes of education, because an SI in those cases would not be necessary. These appear to be further secondary uses, not directly for your education. Almost every day we hear how data we have shared has been stolen, breached, lost or hacked.  As JISC reported, the increasing number of cyber threats reported in the UK aren’t just newsworthy, they’re also very real.
Commercial exploitation of personal confidential data should only be done with explicit consent, to respect young people’s fundamental rights and freedoms under GDPR Article 6
We predicted this risk to rights during the Higher Education and Research Bill in 2016 and submitted evidence to the Bill committee.

What happens next?

The Shadow Leader of the House of Commons asked for an annulment and debate. [col 1100] and Early Day Motion 1383.
We support the call for its annulment and for scrutiny and safeguards to be put in place, in a revised version.
It is very rare for a Negative Instrument to be annulled; 1979 was the last time an SI was annulled in the House of Commons, in the House of Lords it was 2000.
But few have such a significant impact, as little understood before becoming law, as this one.
Questions must be asked, and the Instrument annulled so that safeguards are put in place.

  • What are the boundaries of the new purposes and its limitations? These must be set out in the legislation.
  • Why will HMRC and the Student Loans and Health Education England get access to identifying data and with what transparency and oversight, now and of future changes?
  • Why has Pearson been given this preferential treatment and commercial competitive advantage over other companies?
  • Can there be no conflict of interest between the Chair, his previous role of 5 years with Pearson, and the new data receiving body?
  • There has been no human rights assessment and therefore measure of its privacy implications. The Explanatory Notes (10.4) that the OfS has the responsibility for any privacy impact assessment. This is an abdication of responsibility, to create powers before understanding its significant effects.
  • If this is purposed as fraud prevention, what is the extent of the problem, and is this a necessary and proportionate solution that will not infringe on the rights and freedoms of individuals?

Help us defend students’ rights and put an end to the government’s assumption it can trample over students’ digital and data protection rights without debate. Support the call for its annulment and for scrutiny and safeguards to be put in place, in a revised version.

The Statutory Instrument (SI) [link to download] 36.5 kB .pdf
Explanatory Notes [link to download] 778 kB .pdf
August 13, 2018: Minutes from the background meetings between the parties that will receive data [link to download .pdf] via the consultation outcome refered to in the paragraph 8.1 of the Explanatory Notes above.
Consultation took place between the DfE and HEFCE during Autumn 2017, and from within both the Department for Education and the bodies themselves between January and March 2018. The government recognised that there was “a problem with including Pearson in the reg[s[ulation] that could be “got round” because there was a precedent for sharing data with Pearson. [p.26]
January 2020: the Office for Students does not know how many higher education students’ personal confidential records the OfS has given away to third-party recipients, and it does not publish a register.