Call for action from the UK Information Commissioner to uphold children’s rights in the Hostile Environment
news / March 21, 2023
March 21st is International Day to End Racial Discrimination 2023—
Today, together with over 25 UK-based NGOs and human rights advocates, including, the Institute for Race Relations; Liberty; Privacy International; and Against Borders for Children — we have written to the Information Commissioner.
We are asking him as the UK Data Protection Regulator, to use his powers to protect children in the UK from the misuse of their national pupil records by the UK Department for Education (“DfE”) in England, for the purposes of immigration enforcement and furthering the policy aims of the Home Office Hostile Environment.
Educational settings send children’s personal data in good faith to the DfE daily, monthly and annually in over twenty-three collections. But the DfE has failed to uphold children’s rights with regard to the stewardship of their personal data, collected for the purposes of education.
In summary
- DfE failed to tell educational settings that the DfE started a new Home Office collaboration at all in July 2015 (see Fig.1 below);
- and the DfE fails to tell educational settings that it has changed the purposes for which it collects pupil data across all its twenty-three collections under education law;
- those education laws** under which data can be transferred from educational settings to the DfE do not grant the Department for Education nor the Home Office or its ALBs any lawful basis for operational (rather than say, statistical) re-use purposes and interventions in pupils’ lives, especially for purposes which are unforeseeable or incompatible with those for which it was collected;
- Educational settings are not told who controls the children’s personal data after it is handed over to the Home Office, or where it goes after that;
- Millions of families and children whose names will never be in the “looked for” lists will nonetheless have their records needlessly and disproportionately searched for this new purpose;
- and no families have been informed.
- The personal data handed over if they do find a match, can include five years of past home and school addresses and more, even a sensitive “adopted from care” flag;
- We do not know of any safeguards in place for accuracy, errors, or of any routes for redress;
- When asked, the Home Office did not appear to know or even care about its impact of using pupil data, and in answer to FOI the DfE said it did not know either. They don’t know what happens to the people, much less their data, despite that being an organisational duty to demonstrate accountability and records of processing under the UK GDPR.
The education laws governing the collection of pupil data intended here are the Education Act 1996 (clauses 537 and 537a), (that individual level pupil data can be collected at all and for what purposes “why”) the 2013 Regulations that amended it (expanding the data items, the “what” can be collected and on whom), and the 2009 Prescribed Persons Act amended by the Prescribed Persons 2013 Regulation (expanded who it can be passed on to and in 2(b) why). They all need read in conjunction with one another and the definitions of things like “information collator” must be read precisely, as defined in the legislation (often in footnotes). And it is important to consider that, “No information received under or by virtue of this [Education Act 537A] section shall be published in any form which includes the name of the pupil or pupils to whom it relates.”
A key point overlooked to date in any ICO review regarding re-use of pupil data for immigration purposes, is that data protection law is not of itself permissive and can only follow on from the primary legislation that enables the statutory gateway at the point of collection. That gateway which enables the DfE to require pupil data collection and creates the joint-controller relationship for the first time (between educational setting and the DfE) is as above; and it has limited purposes and limited prescribed persons attached to it for re-use by law. Those are not amended by other laws around data use, or data protection law that lays over the top to manage but not dictate that use beyond what is permitted in the primary legislation at the point of collection.
The action we want to see
The ICO is currently trialling an approach with greater use of discretion to reduce the impact of fines on the public sector. We are not asking for any penalty. We simply want the unsafe, unethical, unlawful policy and practice to stop.
The executive summary of the DfE audit in 2020 omits any comment on this ongoing DfE practice. We ask the Information Commissioner to review this, and to take action to protect the data rights of every child in the National Pupil Database and their family members, using the regulator’s powers under the UK GDPR 58(2)(f) to impose an immediate and definitive limitation on the non-compliant practice.
Background and the Direction of travel
The UN Refugee Agency, UNHCR, is profoundly concerned by the new developments in the UK approach to refugees and asylum, and new legislation introduced by the UK Government.
At Defend Digital Me we are also deeply concerned about these practices as the UK government seeks to re-write UK data protection law all over again. It’s this kind of unaccountable Home Office policy that (a) the drafting on loosening purpose limitation, for example, and its Henry VIII powers for the Secretary of State could seek to use to make justifiable with unrestricted compatibility in in Annex 2, and by changing initial purposes (‘purpose limitation’) in the UK GDPR in Article 5(1)(b) to the purposes for which the controller collected the data; which in a chain like this case, shifts the purpose limitation away from the point of collection; or (b) will be empowered through a weaker definition of legitimate interests in Annex 1, which chops off the rights-parts of it in current law. Today’s legitimate interests offers a legal basis for processing data in 6(1)(f), “necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” The new law cuts all that out, makes it only necessary for the Secretary of State to have regard for rights and children when making changes. The redrafting rewrites obligations on risk assessment and records of processing too.
These are changes to the application of the 7 key principles of data protection law. Failure to comply with the principles, are expected to draw a more significant effect when it comes to compliance, so these new Bill changes would undermine the enforcement of compliance as well.
Data regulation is necessary to protect people from being dehumanised and treated simply as numbers. No government can revoke our fundamental human right to privacy, as recognised in international instruments; even if a government might like to exchange that right for the promotion of economic aims, or to misuse the data rights of the many to hunt out the few in the current Hostile Environment. But if we cannot exercise our rights and the law is not enforced, they exist only on paper, not realised in practice.
This year we not only observe the International Day for the Elimination of Racial Discrimination on March 21st, but also mark the year of the 75th anniversary of the Universal Declaration of Human Rights, a ground-breaking document adopted by all UN Member States that guarantees all human rights to everyone, without any discrimination.
75 years later, it remains a challenge to convert those norms into reality. We call on the Information Commissioner to take action to ensure the Department for Education does.
Download the letter here.
Signatories
Against Borders for Children
Zita Holbourne, BARAC UK
Defend Digital Me
Duncan Lewis Public Law
Haringey Welcome
Cllr Maya Evans, Deputy Leader of Hastings Council
Liz Fekete, Director, Institute of Race Relations
Kate Adams, Kent Refugee Help
Kids of Colour
Gisela Valle, Latin American Women’s Rights Service
Ruth Ehrlich, Head of Policy and Campaigns, Liberty
Zrinka Bralo, CEO, Migrants Organise
Fizza Qureshi, Migrants’ Rights Network
No More Exclusions
No Police in Schools
Dr Remi Joseph-Salisbury (UoM); Northern Police Monitoring Project
Privacy International
Shadin Dowson-Zeidan, Project 17
Eiri Ohtani, Right to Remain
Selma Taha, Executive Director, Southall Black Sisters
West London Welcome
Prof. Floya Anthias
Dr. Ron Ayres
Prof. Giorgia Dona (UEL)
Prof. Gina Netto (HWU)
Dr. Victoria Redclift (UCL)
Dr. Rachel Rosen (UCL)
Dr. Ulrike M. Vieten (QUB)
#StandUp4HumanRights #UDHR #FightRacism
Fig.1 Extract from the original data sharing agreement between the DfE and the Home Office exposed in 2016.