Ten years after National Pupil Database commercialisation: ICO reprimands the Department for Education over “woeful” misuse
Campaign news / November 6, 2022
Ten years ago today, on November 6th, 2012, Michael Gove announced plans to open up the National Pupil Database for commercial re-use.
He changed the law to let the Department for Education distribute identifying pupil-level extracts from the National Pupil Database “for a wider range of purposes than currently possible” to “maximise the value of this rich dataset”. He said, “We want to give organisations greater freedom to use extracts of the data for wider purposes, while still ensuring its confidentiality and security.”
Ten years later, “confidentiality and security” do not appear to be working.
Today, nearly three years after the Learner Records Service breach was exposed in the press (the DfE enabled access by gambling companies through its lack of oversight of LRS users), the ICO has announced that it has reprimanded the DfE over the incident. Its recommendations include improving transparency and enabling people to exercise their data rights, reviewing all security processes regularly, updating internal staff information and data protection training, and ensuring that a risk assessment is carried out properly before any new data processing. But the ICO will not issue the £10 million fine it might have.
We believe light-touch enforcement isn’t enough here. And it’s not about the penalty. The ICO need not fine the public sector to enforce the law. The Regulator’s findings identified that the people in the database could not object to or withdraw from the processing, and that the DfE is failing to uphold their rights. The ICO could therefore have chosen to protect the rights of 9 million children in school immediately, by using its powers to demand that the DfE and its thousands of third-party data recipients stop processing until they are compliant. It could have used Article 58(2)(f) GDPR to impose a temporary or definitive limitation on all of the non-compliant practice, and/or ordered the DfE to communicate the personal data breach to the data subjects. We welcome the remarks that the DfE should improve, but this reprimand, despite finding practice “woeful”, seems to have done little to meet the first of the four strategic objectives in ICO25: safeguarding and empowering people.
Having chosen not to impose a monetary penalty, the ICO offers no meaningful alternative form of enforcement to secure accountability proportionate to the scale of the breach, and no redress for us, the people affected.
Company owners have changed company names, declared them insolvent only very recently (in May and August 2022, though the Irish owning venture did so sooner), and avoided adequate due diligence by the Department for Education. The multi-million-pound directors seem to have escaped any consequences at all, and are able to carry on with their other businesses. The Department has enabled gambling companies’ access to learners’ records, and yet the identifying records of 28 million-plus people (including an overlap with the National Pupil Database) continue to be given away, a decade after it began, without any Ministerial accountability.
As we have exhausted all other routes, it seems that Judicial Review is now the only hope we have left of restoring data subjects’ control of their rights. defend digital me is taking legal action after we first complained to the ICO in 2016 that the DfE was handing out identifying pupil data with no audit or adequate safeguards. At first, the ICO said there was no case. We worked with the DfE. Then there was the nasty business of the School Census nationality and country-of-birth expansion. The Director General at the UK Statistics Authority worked with the DfE, requesting changes in 2017 and again in 2018. After our legal team submitted our regulatory complaint in 2019, the ICO carried out its audit and found that the DfE commercial department in fact still “did not have appropriate controls in place to protect personal data being processed on behalf of the DfE”. Mid-way through the audit, the LRS breach was exposed.
The ICO found that the DfE policy on learners’ records was, “designed to find a legal gateway to ‘fit’ the application”. There were insufficient controls, oversight, or lawful basis. And “the DfE are not fulfilling the first principle of the GDPR, outlined in Article 5(1)(a), that data shall be processed lawfully, fairly and in a transparent manner.”
But the full audit details have never been published, so we do not know whether everything in our lawyers’ 2019 complaint was addressed at all, and both the Regulator and the Department have declined to publish it or give us an update*. Government Ministers have ignored the Regulators for a decade and are carrying on as if the rules only apply to other people. So has the company involved in this case, and there may be many more. Has anything changed, then, after the ICO audit and the LRS breach?
Not substantially, if at all, as far as any intention to meet learners’ rights is concerned. The DfE began a further real-time pupil data expansion in February this year, and when the ICO requested that it stop, the DfE refused. From January 2023, the DfE plans to collect a “young carer” label that schools can add to records, again without telling families how it will be given away to commercial companies among other third parties. It is unbelievable that the DfE may carry on expanding these sensitive national pupil data extractions, affecting millions of children, while ignoring the law, and that the ICO does not intervene. Informing people how their data are collected and used, and of their rights, is a legal obligation, not an optional extra.
The UK government’s approach to public administrative data handling, and the ICO’s new approach to regulatory enforcement, fail the public test for data handling by authorities: there should be no surprises. There is no effective remedy at scale, and we are drifting away from consistent monitoring and enforcement. EU data policy-makers considering UK adequacy might well take note that the high data protection standards they would expect to be effective across Member States cannot be assured here. And the upcoming changes to UK data protection law will tip the balance of power, between the people whose personal lives these data are about and those who use them, even more strongly in favour of government and commercialisation.
We are grateful for any support of our JR legal work crowdfunder here https://www.crowdjustice.com/case/labelslastalifetime/ and donations in general support of our work via https://defenddigitalme.org/donate/
Abuse of trust: Families entrust our children to schools, and trust schools with their security, in order to get an education, but the government has turned a generation of learners’ records into a product without our permission, and with no thought for the price we might pay in identity theft, risk of use for blackmail or stalking, or the giving or selling on of access to further third parties. How many more there might be, we don’t know. There has never been a full audit of all external users of pupil data.
Failure of accountability: The Department takes all our children’s records each term, but fails to take responsibility for its role in recklessly commercialising them for the last ten years.
Prolonged failure to comply with, and disregard for, the law: Not only has the Schools Minister failed to prioritise fixing the breaches of law over a decade, but a lack of enforcement action in education from the Regulator appears to have encouraged the DfE to think it is above the law. The ICO told the DfE to stop the new real-time attendance tracking it started in February this year. The DfE declined and carried on, business as usual. The DfE appears to have changed nothing despite significant ICO concerns.
Prolonged negligence: Leaving aside the Department for Education’s negligence as Data Controller, it seems that the ICO believes it cannot pursue any of the multi-million-pound former company directors from Trustopia. They appear to be able to carry on with their other businesses as if nothing has happened. We believe it should be possible to hold them accountable for the breach at that point in time. But this company matters for a further reason, if we understand this failure not as a single breach of trust by one CEO, but as a repeated failure of due diligence at the DfE and its arm’s-length bodies, as FE Week reported in 2020.
What we want to change at defend digital me
- Safe settings only. The DfE must stop distributing millions of children’s (and former pupils’, now adults’) identifying data for commercial re-use, and instead permit access only for accredited research in regulated safe settings.
- The DfE must tell the families of the 9 million children in school today where their children’s records have gone, and are going, to which third parties, for how long, and why.
- The DfE must tell adults who have left school since 2012 which companies or other third parties their records have gone to, for how long, and why. (This includes anyone born in 1985 or later who was in state education or sat exams such as GCSEs and A-levels in independent schools, and even those who took Adult Education classes recorded in the Learner Records Service.)
- An opt-in choice for families to decide in future whether, and how, their child’s record is used for anything beyond their own education. (The DfE has withdrawn the Right to Object in the Learner Records Service; see below.) These records contain highly sensitive data: health data, details of SEND and adoption, service families and more. The right to object must be honoured, starting with opt-in to ensure privacy by design and by default.
- The Department must stop new expansions without public consultation (such as adding sexual orientation and religion collected from equality monitoring in student UCAS applications, to named national records).
What pupil data are we talking about?
Children’s highly detailed, highly sensitive lifetime school records (including disabilities and children at risk) have been turned into a product and passed around by the million, thousands of times, to businesses and other third parties by the DfE. Some recipients the DfE is clearly not even aware of, because once data are distributed, control over them is lost. We mapped what data this covers over a child’s lifetime in our State of Data 2020 report (see Fig 1 below, A National Pupil Database record over a child’s lifetime).
The personal data released by the DfE are not anonymous, but identifying and sensitive. You can see the table defining the levels of identifiability and sensitivity in the first tab, “Classification of data”, of the register of DfE external data shares. The register of releases in the other tabs corresponds to these classifications. You will see that all of the releases are identifiable, and most are both identifiable and sensitive. (The DfE has said it cannot tell you which of the thousands of releases contained your, or your children’s, data, because it did not track it.) The DfE third-party register is generic and split into twelve archived documents, which means no one can see the scale of the distribution at a glance; the table is chaotic and has changed format several times over the years.
ICO Audit (2019-20)
Executive summary (it has never been published in full)
defend digital me’s key audit findings, in a blog post one year after publication (October 2021): https://defenddigitalme.org/2021/10/07/the-ico-audit-of-the-department-for-education-one-year-on/
Nick Gibb promised updates to Parliament that never happened: https://defenddigitalme.org/2022/10/07/the-ico-audit-of-the-department-for-education-two-years-on/ In January 2021 the DfE published a limited update on the ICO audit, with a further update promised for June 2021. It omitted any mention of commercial re-use, and said nothing about how it would address rights or act on access to the 28 million learner records. In April 2021, the Schools Minister Nick Gibb said that the Department had “undertaken to publish an update to the audit in June 2021 and further details….of the full audit report will be contained in this update.” A later statement said it was delayed to the end of July 2021. No update was published.
We are now nearly three years on from the audit, and it is all smoke and mirrors, but to what end? Neither Parliament nor the public know what is going on. The full findings must be published, with an accountable timeline by which the ICO’s recommendations or demands will be met.*
LRS 2020 breach
Our detailed 2020 response to the LRS breach (gambling companies’ access), including 12 specific questions and concerns: https://defenddigitalme.org/2020/01/19/comment-on-sunday-times-story-gbg-use-of-national-learner-records. The LRS issues Unique Learner Numbers (ULNs) and creates Personal Learning Records across England, Wales, and Northern Ireland, and is operated by the Department for Education (DfE) in England.
LRS Objection and opt out
Everyone used to be able to object to the use of their Learner Record, but the DfE appears to have withdrawn that option. defend digital me wants every child and family whose data this is to be able to choose whether they agree to its re-use. The DfE must restore this opt-out process, and create a route to honour the right to object, with opt-in for commercial re-use, to protect privacy by design and by default.
Research on what children and parents want — no commercial re-use of pupil records
Professor Sonia Livingstone and Kruakae Pothong (LSE, 2022): new research showing that pupils do not want their school records used by commercial companies. https://digitalfuturescommission.org.uk/blog/what-do-children-think-of-edtech-or-know-of-its-data-sharing-read-our-survey-findings/
Our 2018 survey of parents, commissioned via Survation, found that over 69% had never heard of the National Pupil Database and did not know their children’s data could be passed on by the DfE to companies. https://www.survation.com/1-in-4-parents-dont-know-child-signed-systems-using-personal-data/
Sentence edited later in the day after first published at 7am on November 6, 2022.