Grading and Admissions Data for England 2020: opinion

Yesterday Ofqual announced that accredited researchers will be able to apply to access the GRADE (Grading and Admissions Data for England) dataset through the Office of National Statistics.
This agreement means researchers can explore, analyse and study a linked dataset of information controlled by three different organisations with reference to 2017 to 2020:

• Ofqual – GCSE and A level exams and qualifications data collected from awarding organisations
• Department for Education (DfE) – the National Pupil Database, providing a rich set of background information on GCSE and A level students
• UCAS – data from the university application system

We welcome that such personal data will be securely accessible only through the Office for National Statistics Secure Research Service safe settings.
However we are still waiting for the parties to respond to questions we asked in May about this data linkage. We wrote to the Department to ask:

• How have the parties ensured that the Department for Education has met its lawful obligations as regards the pupil and student data involved in this processing?
• How has each Data Controller informed each person of these plans and its scope?
• How has the DfE approached this differently from historical mistakes made to date, since the DfE has the opportunity to avoid such in any new project, given any ICO audit learnings?

This is set against the background of

• the ongoing ICO audit of the Department for Education begun in 2020 that found unlawful practice.
• Data Controllers’ lawful duties to inform people about the processing of their personal data at the time of collection, as well as the obligations this brings for processors. This includes any purpose limitation for which data may be used.
• Significant questions that remain unaddressed on the lawfulness and appropriateness of joint controllers’ practice as regards student communications.

It matters to understand if people in charge of the current approach have learned and changed anything since the DfE audit, not only for this one project, but for any future new data distributions.
Safe data processes are important to know what data has been accessed.
Remembering that in 2020 we found gambling companies had access to Learner Records that the Department for Education said it didn’t even know was going on, the use of secure data in a selected and controlled safe setting should be the only front door how researchers of any kind should access pupil data.
We also want to know if changes have been put in place on who can access national pupil data. We must remember that the DfE considers think tanks, charities, commercial businesses, press and even the MOD, police and other government departments “researchers” in their permitted users of millions of identifying and sensitive records in the national pupil database.
The key remaining question is how the Department, UCAS, and Ofqual can demonstrate personal data are processed lawfully, fairly and in a transparent manner. Or has this agreement ignored data subject rights yet again?
After all, even a privacy notice on any website if that’s what they might point to, is inadequate since it does not inform anyone of anything that they do not know exists, cannot know to go and look for, nor has capacity to do so. As the ICO set out as key in the DfE audit:
“The DfE are not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR. There is also some confusion within the DfE and its Executive Agencies about when they are a controller, joint controller or processor and whether as a controller this is at the point of collection or as a recipient of personal data. Equally there is no certainty whether organisations who receive data from the DfE are acting as controllers or processors on their behalf. As a result, there is no clarity as to what information is required to be provided. The DfE are reliant on third parties to provide privacy information on their behalf however, this often results in insufficient information being provided and in some cases none at all which means that the DfE are not fulfilling the first principle of the GDPR, outlined in Article S(l)(a), that data shall be processed lawfully, fairly and in a transparent manner.“
These are not only questions of practice, or policy, but legal principle. We will continue to challenge the Department to meet the rule of law across the use of all pupil data, no matter its purposes or intent.