Behind the Baseline Test
National Pupil Database / May 28, 2019
[updated February 27, 2020]
What should be done differently?
Remembering that these named scores are *not* intended to be seen by the teacher, the child, or their families, and *are* intended to be added to the national pupil database:
- data need not be collected by national government at pupil level, but can be aggregated totals
- families must be informed by letter, about the Baseline Test:
- exactly which data will be collected by the NFER and by the Department
- the specific, narrow purposes for its collection,
- exactly which third parties will process and use the data, and why, and
- of their child’s and their own data rights to object, to correction, erasure, subject access request and other rights
We raised concerns about the government guidance ‘Changes to assessments in primary schools‘ on the Reception Baseline Assessment (RBA), published on May 14, 2019. In the section on Using the Data the Department for Education suggest that they will:
- “collect the data from the assessments to create school-level progress measures for primary schools, showing the progress schools make with their pupils from reception to the end of year 6.
- use the data at the end of year 6 to measure pupils’ progress from reception to the end of key stage 2 (KS2).”
It also says that, “The RBA will not be used to track individual pupils or as a performance measure for early years providers.” [our emphasis] We will hold them to that.
But our concern started with the gap between that statement, and what was published in the Assessment Framework published in February, that said:
- “Raw scores will be recorded in the national pupil database and used to create a cohort level progress measure for schools at the end of key stage 2.” [our emphasis]
If the test results will be added to the National Pupil Database (NPD), then who has told schools, families and children exactly how their data will be used once collected by all of its end users and all of its purposes?
What is missing?
Will these be added to the National Pupil Database, but not used? Seems unlikely. No other data is. By contrast for example, the DfE says, that nationality data are not used, but they were not put into the National Pupil Database at all.
The privacy notice issued online by the NFER seems very careful in its wording, but may be inadequate to explain the lawful requirements for such notices with multiple hard-to-follow links to click down through.
It omits the all important, right to object that applies under UK data protection law and the GDPR. The question is, why?
The notice fails to be transparent and demands a certain level of curiosity and the thought that you might need to look in depth, take the time and have the ability to go online, to dig down into information not on paper handouts.
*If* it will be used like other data in the National Pupil Database, then perhaps the notice should include:
- ‘we can share these data with the following state and commercial bodies’, and list each of those bodies. Purposes must be explicit.
- ‘data are kept indefinitely, and may be used even beyond your death’.
- ‘DfE will link this with other data throughout your education, and others may link it with a wide variety of other data sets about you, including commercially bought records from data brokers. It could be used for risk profiling by a wide variety of commercial and public bodies including to create profiles and flight paths by companies that teachers will act on, or by the Home Office, Police, in Court Cases.‘
The NFER has determined how the test will be run and which data are necessary to collect for it. The NFER will pass the data over to the Department for Education and also keep it for some time itself, until 2021.
So while the notice may say the DfE is the data controller of the data, we believe the NFER is a joint-data-controller. It is for a Data Controller to ensure its legal obligation of fair processing (ie telling people about what data are collected, why, who will use and about each of their applicable data rights). The NFER and guidance claims the basis for processing is public task, but neither have set out any balancing test or Right to Object.
The processing of each data item, must be necessary. There would be ways to reasonably perform the data processing tasks in a less intrusive way, such as through sampling, or pseudonymising data before national collection. There is certainly no necessity for the child, for many of the NPD reuses. This lawful basis, is therefore open to challenge.
It is a legal challenge we are taking on. And we would welcome support.
A little bit about the National Pupil Database
How the NFER describes uses from the National Pupil Database might well be misleading, by what it omits, saying, “It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department.” What about the other ca. 60% of uses?
The National Pupil Database is, ‘the richest education dataset in the world’.
It is longitudinal, meaning it stores a child’s lifetime data from start to finish in their education: Early Years Foundation Stage age 2-4, Phonics at age 5, SATS at age 6 and 11, and every later exam are all sent for each child on a named basis, to the National Pupil Database.
Since neither the NFER or the DfE has explained this adequately for any pilot and trial data yet to date, it is our opinion that these have not been processed lawfully and fairly. Parents cannot understand the potential implications of this new data collection from that privacy notice.
What we do know, is how the identifying personal confidential data of over 25 million children, and adults under 36, have been used from the NPD since 2012. Around 60% in our 2012-16 analysis was for commercial and other reuses, not academic research, and certainly not commissioned by the DfE. Uses included journalists from the Telegraph who got almost everything but the name, BBC Newsnight (Tier 1 data, the most sensitive), The Times, and the FT. They were allowed to through a 2012 change of law under Mr Gove, without much input from parents, and no opt out.
These uses are not foreseeable at the point of collection, when data are collected without a child’s knowledge, and for the purposes of a school.
Although thousands of data users know how to apply to access the database, millions of families are left completely in the dark. 69% of 1,004 parents asked in our commissioned survey last year, said they had not heard of the National Pupil Database. And there is no meaningful communication where children’s data go to from there.
The Data Protection Impact Assessment (DPIA)
Since the ‘raw scores will be included in the National Pupil Database‘, we can only assume that they will be used exactly as other NPD data are, or may be n future, which means it may also be distributed to the same third parties who get pupil data from the rest of the National Pupil Database. By default this means additional processing of the data to link data with other records, but this is not explained in the privacy notice.
There is *nothing* in place to stop it being given away as the rest of our children’s records are, and not anonymised, but as raw data from the NPD.
The DfE hasn’t confirmed or denied it plans its distribution.
So in trying to find out, we requested the Data Protection Impact Assessment for the Baseline Test via FOI.
It was written in May 2018 before the trials of the reception baseline assessment in autumn 2018, and the Standards and Testing Authority says in the document, that they will be updating it ahead of the large-scale, national, voluntary pilot, starting in September 2019.
We are worried it is using weasel words to hide that these data will be available widely to third parties, as the rest of the National Pupil Database is today, or may be in future.
“There is no current intention of using this data for any other purpose within the DfE, and it will not be published anywhere,” they say.
Not publishing the identifying pupil data, was something the ten Telegraph journalists had to agree to, before being given access to millions of pupils’ records in 2013. But a user ‘not publishing’ the data, is not the same as DfE not releasing it, to third parties.
The DPIA also says that, “Data will be stored by the DfE in the National Pupil Database for use 7 years later when the pupils reach the end of Key Stage 2 in order to calculate the progress measure. NFER will not store the data.”
But what it does not say is as important. It will be stored in the National Pupil Database but makes no mention of what that means in terms of linkage, secondary re-use, and safeguards on scope creep of future uses of the data, or how it will comply with indefinite retention requirements under GDPR, such as pseudonymisation, since it will be kept forever.
It also conflicts with NFER’s own statements, and privacy notice, claiming that the NFER will not store the data, when the privacy notice says the NFER will retain the data, until Jan. 2021.
Which is true?
This risk assessment fails to measure any risks.
They conclude, “This project does not present any significant change from the data schools are accustomed to giving for the Key Stage 1 tests – it only brings an assessment earlier to reception rather than the end of Year 2. No data is collected as part of the reception baseline assessment that should give rise to significant impact upon individuals.”
No impact? Its use could create a very early (and potentially mis-)perception of a child’s ability and failures. It will be, if added to the NPD (since the NPD is a linked set of ca. 25 databases), potentially linked with a whole range of other data increasing its own and the other data’s sensitivity.
Did you know that today some Local Authorities may be using all your child’s education records to rate you as a family whether you pose a risk of sexual abuse, or domestic violence? Or that National Pupil Database records about individuals have been linked to Met Police records? Do you know who has a copy of your own or your child’s national record, where it has gone, or how accurate it is? [You have the right to find out for free if you want to. We can help with questions.]
In 2002 politicians assured the public that collecting names for the National Pupil Database posed no risk to privacy. Ten years later, the Home Office first trialled using NPD data, and then started using it monthly in 2015, to match their records for immigration enforcement. Children have been removed from school as a result, and misuse of school census data collected for the purposes of education, damages both professional and public trust.
No risks from adding new data to the NPD? Hell yes, it poses risks.
In 2018, the Department for Education made important and expected progress on its data management improvements, with support of the ONS.
DfE reduced the risks of *distributing* data by cutting down how often they give it away raw, and instead they started to grant access to the data for researchers to come to use the data in safe settings, rather than give it away.
In 2019, it seems to have slipped back to below the expected standard.
They are still sending out raw data to far too many users. Including millions of records to processors scoring children, such as Fischer Family Trust, who then resell those processed data back to schools.
In fact, the DfE is in the middle of passing a new law to enable every child’s full pupil records, not only to be given away to the Office for Students, but through them, potentially to Pearson Ltd, to the Student Loans Company, to the Tax office, and HMRC, among a named list of 13 organisations. [The House of Lords will debate those new Regulations on June 5th.] Forever.
No risk? That Baseline Test Data Protection Impact Assessment is either uninformed about the facts how pupil data are used, or it is deliberately misleading. Neither is enough.
There are conflicting statements on data retention being made.
There are statements which could be misleading due to telling only part of the truth.
Families and children need to know how their pupil records are used by companies, charities, the press, think tanks, and academic researchers. And how they might be used for the rest of the child’s lifetime.
We must be told if personal data from Baseline Tests will be given to businesses like other data in the National Pupil Database are — because what parents are not being told right now, smacks of cover up.
Our concerns are compounded by the fact this is not the only expansion going on.
An equally inadequate risk assessment of the Multiplication Tables Check leaves out completely, that it will collect any personal data at all. But reasons for not taking the test, such as, ‘just arrived EAL‘ will be included alongside name and more.
Remember that the Home Office still gets monthly handovers of information from children’s records entrusted by schools to the DfE, and misuses it for immigration enforcement and further purposes, of the Hostile Environment. How might ‘just arrived’ be a useful indicator, after collective action beat the collection of nationality data. Think about it DfE. No way.
- The data risk assessment standards of these new tests are weak.
- There is still no sign of the long overdue Data Protection Impact Assessment of the National Pupil Database.
- The internal DfE group that decides on data expansions ‘the Star Chamber Scrutiny Board‘ publishes an ‘annual report’ in name only, devoid of meaningful content (2016-17 didn’t mention the disaster of the school census nationality data expansion.)
- The internal DfE group that decides on data releases to third parties publishes no minutes or reports at all.
- Transparency, safeguards and oversight of current and proposed data handling are inadequate for all data processing, and are poor for the MTC and Baseline.
The government has added new tests, new items to the school census, new data collections and snuck through database changes on its use, year on year since 1996. The collective impact on our children’s and family life is enormous, and much of it is hidden, or remains yet to be seen in future.
Schools and parents have rejected Baseline on principle. It is high time to reject the Department for Education’s ongoing flawed data practices too.
- SATs and scores that last a lifetime March 2, 2019
- SATs are not just like going for a health check, Minister. April 28, 2019
- The Multiplication Tables Check (MTC) May 10, 2019
- Multiplication tables check admin guidance missing vital information April 3, 2019
Note: 28.05.2019, 21:00:
The original version of this post published earlier today, included further information, with references and links, but our site experienced technical issues since posting, and the page was corrupted. We have been unable to restore it as was, but have uploaded a full copy as a .pdf here for reference.
Blog and our review of the Baseline data protection impact assessment [download .pdf 2.3 MB]