News / National Pupil Database

Multiplication tables check admin guidance missing vital information

National Pupil Database / April 3, 2019

Published on April 1, 2019 this wasn’t an April Fool. The Standards and Testing Agency (STA) appears to be ignoring the lawful requirements for new data processing, having missed them out completely in new guidance for the Multiplication Tables Check (MTC).

In 23-pages of Technical Guidance and 13 further pages in the Admin Guide for the June 2019 national pilot, there’s nothing at all on the data protection obligations of schools.

The STA and Department for Education must ensure changes are made before they begin any new national data gathering exercise.

We would advise schools to steer clear unless the systems and guidance are made fit for purpose. It appears that in the ever expanding accountability regime, there is ever less accountability from national bodies.

The STA could solve this quickly

  1. The STA would be wise to publish both their risk registers for new projects and the Data Protection Impact Assessments (an obligation under GDPR for schools and themselves, that the STA cannot avoid under their accountability duties). This should deliver much of the ‘what’s missing’ below.
  2. They need to set out all the relevant rights and responsibilities associated with the data processing in an appropriately child-friendly manner, in effect the terms and conditions of the data collection, its necessity, purposes, and onward processing.
  3. The rights of the individual depend in part on the lawful basis for processing. Has it got a basis in law, if so which? Or is it going to operate under legitimate interests? The STA has not set that out. Regardless of which it is, they in effect need a three-part test:
  • identify a lawful basis under Article 6 of the GDPR; and principles of 5,
  • show that the processing is necessary and proportionate to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.
  • The likely lawful basis for processing includes a Right to Object. The STA has missed this off their screen choices suggesting *every* child must be entered. That might explain why they fail to set it out in the Guidance.

What’s missing?

Schools have legal obligations to fulfil to children and families when administering this and any other test. None of this is explained, and schools won’t know the answers.

  1. The collection purposes must be ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis. This check may be doubtful in point of principle at all. The STA must demonstrate a test of necessity.
  2. The General Data Protection recognises expressly in the legislation, that children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
  3. Data Protection and privacy need respected by design and default. Purpose limitation and data minimisation using technical means are both key here.
  4. Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR, and requires a range of facts about the data processing to be made clear, before the collection.
  5. Rights in respect of the processing post collection must also be made very clear, including the Right to Object where it applies, and about Rights of Access.
  6. The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  7. How does this timed test, without flexibility in response times, test knowledge and fluency for all, and meet the Equality Duty especially for children with Special Educational Needs or EAL needs and if it doesn’t, can it meet the necessity test?

What risks?

Without these information to provide to families, schools will be processing data unfairly and in breach of the Data Protection Act 2018 and the GDPR.

HIGH RISK: Families have no idea at the moment how SATs scores are used including for creating personal predictive risk scores, and commercial companies’ access to NPD today may be a future indicator. Confidentiality and security cannot be guaranteed at all.

HIGH RISK: 69% of parents asked in 2018 had no idea the National Pupil Database existed, and how children’s details are given away from its multiple data sets.

HIGH RISK: The scope creep of data distribution at individual and named levels, means the existing pupil data from over 23 million people already held is not fairly and lawfully processed. If families and schools do not expect school census data and any personal information sent by schools to — whomever it concerns; the NFER, STA, or Department for Education — also to be handed over the Home Office, to journalists, charities and commercial businesses, or used by Local Authorities to risk score every family in their area for computer-led decision making on risks of child abuse and similar projects — sensitive, identifying data from multiple school data collections — then it’s not safe for schools to hand over even more, to third-parties schools cannot control, or even see.

Since the Testing Standards Agency has failed to provide the most basic of information in these MTC guidance documents, we think it is a large RED WARNING FLAG. We are writing to them, the Department, and teaching Unions to recommend changes.