DfE refuses to release 2020 audit of national pupil records under FOI

What’s new: The Department for Education has refused to release its full 2020 ICO Audit—over five years later—claiming it would be prejudicial today, “to the conduct of public affairs” and specifically the Children’s Wellbeing and Schools Bill. This is despite its own June 2025 report stating the actions from audit findings were now “business as usual“ suggesting all outstanding matters have been closed.

How could public access to a past audit about data protection policy, reasonably prejudice a new and unrelated law today? And as it affects over 28 million people in England, how can it be in the public interest to keep secret? We have therefore asked for an Internal Review.

The DfE manages the identifying and sensitive personal data of millions of children and families and keeps it in identifiable format indefinitely, despite its own guidance on the Unique Pupil Number. It distributes data in bulk without any opt-out offered to past pupils, or the millions of children or their families, in state education today.

Since 2002, when the Labour government began collecting named pupil records—saying the data would only be intended for analysis— named pupil data has been used for ever-growing operational purposes: fraud detection by the DWP, linkage across datasets including HMRC, access by the Home Office, and bulk distribution to police. Identifiable pupil-level data is also given to commercial organisations at scale. Yet the DfE admits it does not track which companies have received which pupils’ data or in what volume, claiming that determining this would incur “disproportionate costs.” Our analysis suggests there have been more than 2,500 such releases of millions of people’s data.

The ICO’s audit found the DfE’s commercial department, “did not have appropriate controls in place to protect personal data,” and it was during the same time as the audit, that the LRS breach involving Trustopia and gambling firms came to light in the press.

A key ICO finding in 2019 was that “many parents and pupils are either entirely unaware of the school census and the inclusion of that information in the National Pupil Database, or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional.” We have seen no evidence that any of the direct communication to families past or present, required to fix that, is happening.

The DfE since confirmed in 2024 that,“it is not possible for a parent/guardian or an individual child to opt out of the school census collection.” Because people do not know that they are in the National Pupil Database, they cannot know they are being denied these rights, about which they have not been informed [UIN HL2698]. There’s no way for families to correct inaccurate data, now being used for those operational purposes above either. Surely the audit made obligations on the DfE on fair processing, on communication of routes to meaningfully exercise children’s rights, on accuracy, and on indefinite retention in identifiable form?

These are some of the key issues that our legal case submitted to the ICO in 2019 raised. We cannot know if and how the audit addressed them without seeing it. Carrying on ‘business as usual’ leaves too many questions unanswered.

====

Here’s a timeline of significant events related to the audit, their context, and some of the outcomes so far.