Where do your exam data go? Children’s Right to Know must be respected
National Pupil Database / August 14, 2018
This week thousands of young people will receive their A-level exam results, and a week later GCSE results come out on August 23. But who else will get to see them and why?
defenddigitalme is calling on the Department for Education to ensure children and families are told how exam results will be used, which organisations the Department will give copies of personal confidential information to, and who will have access, for how long, and for what.
GCSE and A-level results are recorded in the National Pupil Database along with hundreds of pieces of personal data telling the story of a child’s education from age 2-19. A child’s national record starts with details from the Early Years Foundation Stage, Phonics and SATs scores, and includes their name and date of birth, ethnicity, gender, home postcode, special educational needs, health and disability, and includes sensitive opinions and facts, such as reasons for leaving school, theft, violence, and pregnancy. The National Pupil Database is a melting point of over 20 various different education data collections.
How are children’s personal data and exam results used today?
Hundreds of organisations still have copies of millions of pupils’ exam results and other personal information, three months after the Department for Education (DfE) put a temporary stop on the distribution of children’s personal confidential data from the National Pupil Database, collected since 2002.Everything is collected and kept indefinitely at the DfE on a named basis, and have been given away for free to commercial businesses and a wide range of users since 2012.
Children’s personal data including their unique combinations of exam results, have been copied and passed on by the DfE to thousands of ‘researchers’, including for linking information at pupil level with other datasets, including Police National Computer data, and developing predictive tools.
Commercial re-use by data analytics firms, think tanks and charities, account for more than 40% of use by hundreds of third-parties, in over 1,000 separate releases of data across the UK since 2012. GCSE exam providers for example, get access to link with students’ prior achievement Key Stage 2 scores.
Schools Minister Nick Gibb confirmed in January 2018 that, “According to centrally held records at the time of writing, from August 2012 to 20 December 2017, 919 data shares containing sensitive, personal or confidential data at pupil level have been approved for release from the National Pupil Database.” [PQ120141]
The data released to third-parties, are not anonymous, but are detailed, sensitive and identifying.
No one knows how many children’s data have been given away in each approved release, because,“the Department does not maintain records of the number of children included in historic data extracts.” (PQ109065) The national pupil database in England contains over 23 million named records.
The DfE is moving towards using processes that meet expected industry standards around the ‘5 safes’ model and better public communications. We welcome this progress and recognise that the DfE has to start change somewhere. In the mean time, everyone should be able to find out where their data have gone.
How can I find out how my data are used?
Young people, and their parents where support is needed, can make a Subject Access Request in most circumstances, about the processing of their personal data, asking how it is used, why and for how long. It is free of charge, under the 2018 UK Data Protection Act, and EU General Data Protection Regulation.
The Department for Education does not yet have an entirely suitable process for completing requests despite the lawful requirements to do so. Requests can still be made, and parents at defenddigitalme obtained partial information on behalf of one of our children, for the first time this year. Complaints about unsatisfactory replies can be passed on to the Information Commissioner.
You can find out what’s in your record too. We want Subject Access to work well for everyone, and to ensure children’s rights are respected. Every use of pupil data across the sector, must be made safe, fair, and transparent. #MyRecordsMyRights
 A-level results on Thursday 16th August 2018, and GCSE results come out on Thursday 23rd August 2018.
 Data analytics include Mime Consulting who boast that they can “track a child in England, anywhere they go [in the school system]” https://www.mimeconsulting.co.uk/sectors/school-improvement/ See case studies: https://defenddigitalme.org/wp-content/uploads/2017/03/MimeConsulting.pdf or Angel Solutions https://defenddigitalme.org/wp-content/uploads/2018/02/Angel-Solutions-Ltd.pdf
 The Secretary of State can share data from National Pupil Database under terms and conditions with third parties who for the ‘purpose of promoting the education or well-being of children in England are conducting research or analysis, producing statistics, or providing information, advice or guidance’ but today’s uses linking with multiple data sets and from multiple sources enables an invasion of privacy that goes far beyond what the legislation intended.
 In a 2018 survey of 1,004 parents of school children in state-education in England commissioned by defenddigitalme and carried out by Survation, 69% say they had never been told their child’s data are given away from the National Pupil Database, and 50% said they do not have enough control of their school data.
To keep a young person’s identity and history safe, personal data from exams and a young person’s entire school history must not be distributed to third parties without parental and individuals consent, and left without oversight, at thousands of unknown organisations. We are campaigning for data to be used only under secure access conditions. Parents and children should be fully informed who has their data and why, and of any right to object and correct errors, in line with UK Data Protection law, on a regular basis.