News / news

Autumn term school census 2024

Today the autumn 2024 school census window opens. Schools across England will send hundreds of pieces of personal data about all of their pupils’ on roll to the Department for Education, telling the government all about families and children’s lives. But schools and the Department won’t tell families.

It is the first time that the Right to Object is mentioned in the communications and online privacy notices to schools and parents, but no one will know about it.

Mainly because schools and families do not know the data processing happens at all. Families do not know the National Pupil Database exists on a named level, collecting data termly, or from every assessment or that records are added to it throughout a person’s lifetime in Higher Education, or that it is kept forever and given away. Or that it is linked to lots of other datasets to create new information about people. Schools don’t get told by the Department how the data once submitted, is used.

There is still:

  • no mechanism for schools to communicate and explain what the DfE means by a Right to Object “in certain circumstances” and what it does not (there is no “fair processing” in legal terms);
  • no route to exercise rights, because the DfE hides it away in the Personal Information Charter which links to a contact form, which has no mention of “right to object” or cease processing in the pick list, and no way for schools to do so on a parent’s behalf;
  • no accountability at the Department for Education that as data controller of the school census, this is their legal obligation.

The school census is an administrative task that no parents are contacted about, except to chase pupils to take school meals that day, so that there is a maximum count for pupil premium (a daft process requirement too).

Legal obligations in data protection law to fair processing require dynamic actions in response as data processing changes. But parents are not told termly what has changed, if they were ever informed about the census at all. The purposes to which the DfE puts national pupil has changed many times since the data may have been collected for the purposes of a child’s education, and the third parties who which the data may be sent has changed many times to include for example commercial reuses (since 2012),  Home Office immigration enforcement (since 2015), and DWP fraud investigations (2021).

What personal data is collected has been expanded annually, again without telling families that sensitive reasons for moving into Alternative Provision would be collected at national level in 2018, or that in January 2023 the DfE added a “young carer” label that the school can add into records, or that records of child-on-child abuse for example are collected nationally (all named). Some years the DfE make multiple changes and add new fields all without public or parliamentary consultation.

What about enforcement?

The DfE closed its actions on the ICO audit in October 2023. but failed to make any mention of the failings the ICO found on fair processing, Articles 12, 13 and 14.

The DfE only acknowledgement was, “To improve transparency, DfE is reviewing our privacy information to improve usability and ensure they are user/child friendly“. Well it’s still not done that.

The Department was reprimanded in 2022 after enabling an age-verification firm data for gambling companies to “onboard” new customers while the Trustopia directors got away with it but there’s been no enforcement actions about the crux of the audit, which was not about Trustopia at all.

Four years on from the ICO DfE Audit in which the data protection authority found failure to communicate to data subjects, why is the Regulator simply ignoring this biggest failing to 28 million people, 9 million of whom are in educational settings today?

“The DfE are not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR.”

Six years ago, we polled parents through Survation and found, the majority of parents (69%) polled said they had not been informed that the Department for Education may give their child’s information to third parties, while only 31% said they had been informed of this. Almost 4 in 5 (79%) said, if they had the opportunity, they would choose to see their child’s named record in the Database.”

The latest research from the goverment itself with parents found that, “Both parents and pupils felt they should be enabled to make free and informed decisions about how pupil work and data is used.”

The DfE is ignoring this and there is no informed processing nor a choice to make a ‘free and informed decision’ about the commercial or third party re-uses.

The ICO is ignoring its own findings on failures on fair processing, and what the law requires.

What about DfE claims about practical terms?

It’s too hard to contact people, claim the DfE? In September the DfE stated (p.18) in a new impact assessment, that “DfE considers it would involve disproportionate effort to directly communicate the privacy notice to individual data subjects, and not practically feasible, as DfE does not hold direct
contact details for all data subjects and/or their parents which would enable it to do so.”

Well it seems the DfE can pick and choose when that suits itself, because now it has begun using the records it has operationally to contact parents for its own other purposes, like the PPMV survey.

The PPLV survey is answered by secondary school pupils (years 7 to 11) and parents of primary, secondary and special school pupils (years 1 to 11) who have agreed to participate in short, regular research surveys on topical education issues. We select parents and pupils randomly using records from the National Pupil Database (NPD) and invite them to take part in an online survey. For the first survey of the academic year we send invitation letters to households.”

If the DfE can use the NPD for a survey it chooses to carry out, why is it not using the NPD home addresses to fulfil its legal obligations?

The Department for Education is ignoring its own public engagement findings on what parents want, “to make free and informed decisions about how pupil work and data is used.”

The DfE chooses to make privacy notices that do not spell out, “we give away your children’s identifying and sensitive data for all sorts of things we know you’d never agree to if we asked you”.

Now there’s all sorts of emerging plans across government as to how pupil data may be re-used. Who knows what might be next?

What about plans to tell parents and children (aside from everyone who’s left school) how their personal data is being given away by the Department for Education, well beyond the remit of the purposes for which it was collected and any privacy notice they ever sent out at that time?

Perhaps it’s time parents and competent children ask to use that right to object, and test what it means.

 

Footnote: For the record, these are not criticisms of the DfE data protection team, but of the lack of political will for over a decade to support necessary change, and the normalisation and acceptance of bad practice by the Regulator and Senior Leadership where accountability fails.


Download our factsheets:

About the National Pupil Database page 1 and page 2.

Access your school records page 1 and page 2.

Object to data processing (where the form says add details you need to address to your school for your child).

A request can be made to the Department for Education to access your own or a pupil’s national records here.