20 years on: children’s names in national pupil data
Blog Campaign / January 4, 2022
Twenty years ago this week, the BBC reported that, “A large amount of personal data about individual pupils in England is about to be collected by central government”.
Head teachers and school governors raised concerns about the new annual school census, starting in January 2002.
The obligation to include pupils’ full names, along with their home postcodes caused most alarm. The Department for Education (“DfE”) said that this information was needed, “only by technical staff and anything that is passed on to other agencies will be anonymous.”
(We now know it wasn’t. It’s identifying, sensitive and confidential records that are given away.)
One 2002 chair of school governors quoted, said, “Parents at our school would not support us passing on information about their children on a specific, individual basis to an agency who cannot specify to what use such information may subsequently be put.”
(We know that parents don’t today either, as we found out when we polled parents in 2018. Sixty-nine per cent of parents said that they had not even been informed the DfE may give out data to third parties.)
A 2002 Chair of an education authority, summed up, “The difficulty is, where do you draw the line in terms of any kind of data which has names on it”…”In my experience the issue is not whether it’s held but the use it’s put to, and particularly whether it’s combined with data from other sources … for example by other government departments, to discover more than was originally intended.” But he said, “the Data Protection Act gave people the right to know what was held about them and who had access to it.”
What happened after pupil names were collected, was that it enabled school census details to be linked using the pupil names, with details in over 25 DfE controlled databases, including later on, with highly sensitive equality monitoring data, to create the National Pupil Database.
Just ten years after they began collecting pupil names, Michael Gove, then Education Secretary, changed the law in 2012 to routinely give away identifying, individuals’ personal confidential data from the NPD to journalists, businesses, charities, think tanks and researchers. While that more often excludes name, it is certainly not anonymous. Parents are not told who has access to it. The level of detail in each termly school census alone is phenomenal (See Annexes H and G.) The fifteen million named individuals in the database at the time, in 2012, were not informed. They never have been since. Now the NPD holds over 23 million people’s named records.
All of the fears about the school census expansion and none of the assurances given on safeguards, are now the reality.
In 2015, and without telling the Star Chamber Scrutiny Board for pupil data expansions, the DfE started giving away pupil names to the Home Office, for purposes including furthering the aims of the Hostile Environment. It also intended to collect and hand over “(Once collected) Nationality” through the 2016 school census expansion. The data passed on includes home addresses for up to the last five years, and is not anonymous. No one was told, it was a nasty policy, only exposed through campaign work. And those pupil data handovers continue monthly, albeit without nationality. In the first three quarters of 2021 the Home Office requested matched data from 309 school children’s national records at the Department for Education, according to new figures released in December 2021. And 110 pupils‘ personal data was handed over in the first three quarters of the year.
The ICO carried out an audit in late 2019-20 of the DfE, and found policy on learners’ records was, “designed to find a legal gateway to ‘fit’ the application”. There were insufficient controls, oversight, or lawful basis. And “the DfE are not fulfilling the first principle of the GDPR, outlined in Article 5(1)(a), that data shall be processed lawfully, fairly and in a transparent manner.”
The NPD is now “one of the richest education datasets in the world,” holding a wide range of sensitive information about pupils and students dating back to 1996. Named records are retained indefinitely, long after children leave school, and the ICO audit raised lack of weeding and disposal as an issue. Between March 2012 to June 2021 we have calculated there have been over 2,000 releases containing sensitive, personal or confidential data at pupil level, each release of millions of records.
The promise twenty years ago that names would only be used for statistics was broken. Ten years ago Michael Gove said, “Organisations granted access would need to…fully protect the identity of individuals.” Identifying data is given away. Gambling companies were using the Learner Records Service to onboard new customers in 2020.
Our children go to school to exercise their right to education, not to become a digital product to pass around an unlimited number of strangers.
New UK legislation is going in the wrong direction to defend children’s right to privacy. The Data Protection Act has offered pupils little protection, and is about to get weaker. The planned rewrite of the UK Data Protection Act will undermine children’s rights. The Policing Crime Sentencing and Courts Bill will enable the intentions for wider collection, reuse and linkage of education records, including with health and criminal justice data for policing purposes, without clear oversight or safeguards. Already in 2019, Merseyside police got all 2,136 pupils’ records from just one school out of the National Pupil Database.
In the Online Harms current fingerpointing at social media companies, the government keeps very quiet about its own role in exposing our children’s confidentiality and creating risks at scale.
With your help, we’re changing it. But we need our institutions to do their part too. The UKSA intervened in 2018 and despite starting good new things in addition to what was going on, like introducing safe settings access, [because they want users to get continued access to the data, let’s be honest], the bad stuff didn’t stop. The ICO Audit happened in 2019-20. But the DfE and ICO have both declined to release the full 139 findings, or any timeline of remedial actions, or even release in detail what was in or out of scope. And as far as we know, the bad stuff didn’t stop.
In 2022, it seems everyone wants access to exploit our children’s education records. No one wants to be held accountable. We understand in the pandemic, some things are made more difficult. But the government seems well able to bring in new policy to exploit our privacy, but not any policy to protect it. As we welcome John Edwards in his new role as the UK Information Commissioner today, we wonder if we will finally see regulatory enforcement. As the New Zealand-British singer Daniel Bedingfield, sang in his 2002 Number One, we “Gotta Get Thru This”. But three years since the ICO audit began, over seven years since our first complaint, and twenty years after children’s names started being collected and used at mass scale without parent’s knowledge, something’s gotta change. The bad stuff must stop. And individuals and organisations must be held to account.