Comment: “Secret deal lets benefit fraud squad snoop on pupil data.“

“Pupil data is being used to check for benefit fraud and pursue parents under a secret deal between the education and work and pensions departments,” Schools Week has reported.

Detecting welfare benefit fraud by adults may be a legitimate government aim but is using children’s school records to do so lawful, or right? Data that was collected under law only for the purposes of education and by prescribed bodies? In 2018 the DWP requested data on 185 pupils, in what was effectively a pilot exercise. Since then, a data-sharing arrangement has been formalised and requests begun based on it. Quite a lot has been redacted, but some of its statements are patently nonsense.

To be trusted with our data management, organisations need to demonstrate they are competent and trustworthy, but secret policies written like this, without scrutiny or checks and balances, undermine that.

Paragraph 8 of the MOU agreements states, “No Special Category data is being shared,” and 9 claims, “This initiative does not involve the processing of personal data relating to criminal convictions and offences.”

But read on, and you see paragraph 17 talks about,  “Where fraud has been identified”. These requests come from the “economic serious and organised crime investigation team”, or “Financial Investigations Unit” at the DWP. They cannot claim they are not processing personal data in the context of crime and offences and expect anyone to believe it.

Paragraph 12.5 tries to argue that, “The parties agree to only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them.” No family reasonably expects that their own or their children’s personal confidential data are used for any national DWP process when they provide it to a school. In fact, most don’t even expect it to be passed on to the Department for Education at all. And the millions of people already in this database long before this policy began, could have no way to expect it even if schools had been informed in their role providing the information to the DfE in the first place, as joint data controllers. The data protection principle of purpose limitation would mean people do not expect such incompatible reuses to further other aims, completely outside education, especially by any non-DfE bodies even if they’d heard of the database.

The NPD holds at least 23 million records if not more, as it constantly grows and its size is not published anywhere. All of these records could be in scope for searching, including ours, and almost none of them are necessary or proportionate to search for matches against, yet the MOU claims in paragraph 15 to respect, “the application of the data minimisation principle“.

But the icing on the cake is the claim that the Departments respect the law on the Right to be Informed (Article 12, 13, 14) in the table on page 13. “Existing DWP and DfE notifications are adequate“. This is not what the ICO found in 2019, or when its 2020 audit declared explicitly,“The DfE are not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR,” and,“The DfE are reliant on third parties to provide privacy information on their behalf however, this often results in insufficient information being provided and in some cases none at all which means that the DfE are not fulfilling the first principle of the GDPR, outlined in Article 5(1)(a), that data shall be processed lawfully, fairly and in a transparent manner.”

That has not meaningfully changed in 5 years since the finding. That obligation on transparently processing everyone’s data all of the time, is not about tipping off individuals in particular cases. The DfE has done nothing to meet its fair processing duties and shows no political will to fix it. More than 8 million children attend state educational settings every day and have no idea they have rights in relation to the national processing of their personal records, or how to exercise them since there is no clear route to do so. Families interact with schools, not national government departments. Imagine if 8 million parents knew there was a process to make a Subject Access Request (SAR) and asked to find out what was held about them and to which third parties including commercial companies, charities, journalists or researchers it has been sent, or to the police, DWP or Home Office, or if they found mistakes and wanted correction as is the purpose of SARs under the law. Mistakes happen. A father in Wales who made a SAR to his own school, found not only had his son been wrongly labelled in their pupil information management system as having once been in-care, but every child in a Welsh region had been, when their system was upgraded. When we surveyed parents in 2018, over three quarters (79%) said if offered the opportunity to view their child’s named record in the National Pupil Database they would choose to see it. The DfE has no realistic workable process to handle this and makes no effort to communicate with families about it. The departments do not offer a route to Object to Processing (GDPR Article 21) despite the claims made in the MOU. And a privacy notice on a website you do not know exists and would never know to look for, cannot honestly be described as transparent. As a result, the DfE keeps expanding the scope of data collection and growing reuses without having any public awareness or a social license. Creating the infrastructure in school information management systems to respect rights would be similar to adding new fields for more data collection. The DfE has managed to do that every year in the last decade but not managed to create the tools to see your own record on request or to control its reuse. The next government must make it happen.

Otherwise, what’s next? Only last year Michael Gove suggested that the parents of pupils truant from school could have their child benefits stopped. How would anyone know if the named and soon-to-be compulsory twice-daily national attendance data collections were being used for that by the DWP too?

 

---

The original requests exchanged between the DWP and the DfE are available here. One form was removed from release after it was found to contain sensitive personal data.

Don’t miss other current plans: The DWP wants more powers to snoop on everyone’s bank accounts in the new Data Protection Bill currently being rewritten in Parliament. Where do we draw the line?