#LabelsLastaLifetime Are you concerned about children's privacy?

Help us challenge the Department for Education.

In September 2017 the government passed a new law to collect highly sensitive data for children placed in settings outside mainstream education.

"Pregnancy, mental health, young offender. Autism, disability, hearing impairment, and learning difficulties" are just some of the new labels that were added to individual records from January 2018. By June, new data from the Alternative Provision Census were ready for distribution to third parties. Although we stopped the very broad raw data distribution from the National Pupil Database, and secured assurance from the Department given to the Information Commissioner's Office that the new data will not be distributed, Alternative Provision census data continue to be listed on the data that can be accessed by third parties and nothing prevents its distribution and re-use.

Pupils and parents are still not offered any choice. There is no option to refuse. Most children are unlikely to be told at all. After a review of 152 Local Authority replies in 2018, we are yet to see any policies that explain the new data collection.

Each pupil’s information are sent to the Department, on a named basis, where the AP census data are linked to the school census data, in the National Pupil Database (NPD) available from June each year after their collection in January, according to the NPD User Guide (see page 8). We are concerned because from here, these identifying data can be given out to third parties; over 2,000 times as of June 2020, and our most recent analysis in 2020 showed over one third of access was for commercial re-use. Identifying and sensitive data is even given to journalists without a child's or parent's permission. Despite a new, safer research data access model in place since September 2018, raw data is given out at national and local levels.

We appreciate the reasons why it is important to understand these children's life stories. We are concerned about how those data are collected, distributed, and never deleted. #LabelsLastaLifetime. Every child has a right to privacy and confidentiality.

With the support of a great team, we have taken up a legal challenge – and with your help we funded the legal costs of the first stage of a complaint. We now continue the challenge to the Department for Education (DfE)'s new collection of children's highly sensitive personal confidential data that started in January 2018.

Timeline: Alternative Provision

June 2 RFC notice for the changes raised by the Department for Education

September 1 Statutory Instrument 807/2017 comes into effect. The Education (Information About Children in Alternative Provision) (England) (Amendment) Regulations 2017, after being laid on July 27, 2017. The Explanatory Note gives no explanation of the itemised content and sensitivity of the reasons for placement (transfer out of mainstream into Alternative provision education).

September 21 defenddigitalme writes to the Department for Education and Information Commissioner raising concerns on the sensitivity of the new data, including health, to be collected without consent and asking for clarifications on plans for distribution and the SEND (special educational needs and disability) data expansion.

October defenddigitalme writes again by email to the Department for Education and is told to expect a reply by the end of November.

October 18 Parliamentary question 108570 reveals the Department has not conducted any privacy impact assessment about the collection of data on pregnancy, health and mental health “reasons for placement.”

November 30 defenddigitalme receives a brief email at 7pm stating in effect that there will be no change in plans. Questions from letter of September 21, remain unanswered.

December 10 representatives of over 20 child rights advocates and organisations write to the Secretary of State for Education asking for safeguards to be put in place to protect children’s privacy and confidentiality. If the Department cannot end the distribution of data to third parties including for commercial third-party re-use, we believe the data should not be collected at all.

December 11 Peers in the House of Lords raise concerns on the national pupil database handing, and its suitability for the sensitive new data.

December 22 Parliamentary question HL4236 confirms that some data should be optional, but these do not include the new reasons for placement.

December 22 Further, the Department confirms that there are no plans for any national communication about its new collection and third-party uses, and it relies on Local Authorities to inform (a) parents and (b) children about the transfer of personal data to the Department in the Alternative Provision census from 18 January 2018, through a privacy notice.

December 24 A joint letter by the signatories is published in the Observer, accompanied by a news article.

January DfE AP Census Guidance 2018 v1.4 published – text change states that service children indicator should not be ascribed.

January Joined by Unlock, representatives of over 20 child rights advocates and organisations write to the new Secretary of State for Education, the Rt Hon Damien Hinds MP.

February Lawyers at Leigh Day have submitted a letter before action on behalf of defenddigitalme. We have launched a crowdjustice crowdfunder to raise the funds we will need to challenge the Department for Education on fairness, interference with privacy and family life, and tackle the distribution of named and identifying data.

May the BBC reports Sharing of school pupils’ data put on hold effective May 1, 2018.

August defenddigitalme receives a reply from the Office of the Information Commissioner, 11 months after we raised our concerns on lack of fair processing (four months ahead of the planned first collection).

September-December legal work continues for preparation of next stages of complaint to the ICO and the Department. Freedom of Information requests to every Local Authority establish little progress in fairness despite GDPR 2018 introduction.

December 13 Department releases External Data Shares for the first time under the new model. The distribution of personal data continues to be far too broad, with over two thirds of 2018 data shares, still sending sensitive and identifying personal data to third party settings. [For example, see pages 35-41 in which “Pupil level and exam level files will also be provided.”]

December 21 Next stage of second formal Department and ICO complaints sent.

May 31 Department for Education released the first ever published Alternative Provision Census summary Data Protection Impact Assessment (DPIA) and a separate summary National Pupil Database DPIA identified risks include, “Personal information will not be deleted in line with retention schedules and policies, in potential breach of data protection legislation,” and “The data subject will be unaware that we are still processing their personal information. If the data subject becomes aware, they may be reluctant to share their personal information in future with the department.”

In July 2019 we submitted a full regulatory complaint through our legal team, to the Office of the Information Commissioner (ICO) against the Department for Education. We await response and next steps.

November 2019 DfE facing action over ‘wide ranging and serious’ data protection breaches.

April The DfE is expanding the Alternative Provision Exclusion Reason Codes, to be in systems from autumn 2020 with the first collection of data Spring 2021 in school census, with the reasoning that without them, “data quality would not be as great” which we have argued was a flaw in the original data collection from the start, and likely lead to inaccurate data.

October The Information Commissioner’s Office (ICO) published the summary outcome of a compulsory February 2020 audit of the Department for Education (DFE). [see blogpost] It was undertaken in response to our legal team complaint and subsequent complaints by Liberty on DfE data sharing with the Home Office. The audit found that data protection was not being prioritised and this had severely impacted the DfE’s ability to comply with the UK’s data protection laws. A total of 139 recommendations for improvement were found, with over 60% classified as urgent or high priority. The full audit has been withheld and a Parliamentary statement is expected in autumn 2021.

Actions you can take

If your own record, or your child is affected, we suggest you email or write to your Local Authority and ask them for the information they intend to assign to your or your child's record. Ask for their privacy notice. You can contact us for support or to check who to ask.

Write to your MP and ask questions when children will be told what has been collected and how it wil be used. We are seeking to ensure that;

Regards national pupil data we call broadly on the government to improve policy and practice in systemic and sustainable ways:

  1. Communications: Actively write to inform parents and children how their data are used and retained from national pupil databases.
  2. Opt out: Introduce an opt out of national reuse of pupil data for indirect purposes (anything leaving the school and at DfE) that respects the GDPR Right to Object at national level.
  3. Subject Access Requests: Respect a child’s right to see and correct their own national pupil record and meet Subject Access Requests.
  4. Sector support: Develop a statutory Code of Practice for the education sector that will support schools and companies in applying data protection and privacy law with clarity, confidence, and consistency.
  5. Teacher training: Basic teacher training and CPD to include training in data, data protection, and privacy.
  6. Oversight: Introduce an Independent National Guardian for education data (similar to the NHS health data model) — this would include a public process and oversight for new data collections.

The signatories of our January 2018 letter to the Department for Education

On Social Media

Post this link so your friends can find out more on #LabelsLastaLifetime

Ask your MP for Support

Here's a quick guide (2018) to help you discuss the issues whether you meet your MP in person, write to them or send an email.

Contact your MP as below, and get in touch with us if you want to support our work and get involved.

Use WriteToThem.com and tell them why this is important to you and your family, ask your MP if they will ask a question – why are my sensitive data being given away for commercial re-use without my consent? – and tell them what you want to change. You might want to use something from our suggested text below.

You can download a suggested text, but it's better if you use your own words, and always include your name and address to show that you are in your MP's constituency.

SUGGESTED TEMPLATE CONTENT TO WRITE TO THEM [follow link to find your MP] [download draft letter text . pdf]

Background: Alternative Provision School Census expansion January 2018 -- little has changed this year despite the introduction of a safer data model, and much is still distributed

Assurances given need put into law, that the data collected will not be distributed to third parties. And every family should be written to and informed of which data label was added to their child's record.

Download collective NGOs letter [original as sent by post and email] January 11, 2018 following appointment of new Secretary of State for Education.

Download collective NGOs letter[original as sent by post and email] December 11, 2017 and email introduction below.

You can read some more background and read about our concerns in Schools Week. Download our briefing for more facts.

See the AP Guide 1.3 for the official background to the census.

This is a highly significant new national data policy, affecting some of the most vulnerable children in England. It vastly increases risk of loss of privacy without any reason why knowledge could not be collected in a more privacy-preserving method.

Based on current 2016 numbers, the new collection would affect around 22,000 children each year, but all 23 million records in the NPD are compromised each year. The Department appears to have no intention to tell providers or the local authority how to inform parents and children about the details of this expansion of the data collection. This is despite the Data Protection requirement to explain it with clear reasons to the pupils, when the information are collected.

Identifying and sensitive reasons for exclusion and SEN data (eg including profound & multiple learning difficulty, hearing and visual impairment and Autism) are already given away today to third parties from the school census collections once every term.

The data are identifiable at pupil-level, not anonymous, and stored forever. The information include name and address, date of birth, special educational needs, results across the educational lifetime from age 2-19 and more.

Data from the National Pupil Database, including sensitive special needs data (SEN) has already been passed on since 2012 to commercial companies, charities, think tanks, newspaper and TV journalists at an individual pupil level for millions of pupils at a time, without any suppression of small numbers. The Department doesn't even know how many children's records it gives away each time. (PQ109113)

Relying on journalists notpublishing the pupil-level data, as the Telegraph "assured" the DfE in 2013 for about 9 million records, handed out without hiding small numbers, is an utterly inadequate level of protection for pupils' sensitive data. The Department overlooks that the release from the Department is a release of data into the pubic domain -- charities, commercial businesses, the press -- releases that the public do not expect.

National Pupil data are also used today across government in Troubled Families — a risk without transparency in a programme that some academics see “any family could be made to fit”— , and are given to the National Citizen Service, and stored forever; without pupils’/parents’ knowledge, or self-verification for accuracy or correction. Pupil data from the school census are also used by the Home Office.

Requests to use national pupil data have also included for research for operational predictive policing.

Children and families are refused subject access requests, so there is no safety check if these data are accurate or need corrected before use, or for people to find out how their data were used.

The Department has done no Risk Assessment or Public Consultation

The Schools Minister claims it will not be any more of a privacy risk - despite the fact that these highly sensitive data will be added to a national, indefinite collection and given out to a whole new range of third parties without being made anonymous. The Department refuses to assess the risks (PQ 108570) and brought in the change of law in the summer holidays.

These data will potentially result in lifelong discrimination, and could harm children's development and restrict their flourishing to reach their full potential; used for direct interventions when linked with data across government, by police and released to other third parties at national level.

No consultation has taken place

When making arrangements about early childhood services, a local authority must have regard to such information about the views of children as is available and appears to them to be relevant to the discharge of those duties (section 3(5) Childcare Act 2006).The local authority is also required to consult such children as it considers appropriate when undertaking a childcare sufficiency assessment under section 11. So why is there no consultation on use of their personal data?

Principles

Regards national pupil data we call broadly on the government to improve policy and practice in systemic and sustainable ways

  1. Communications: Actively write to inform parents and children how their data are used and retained from national pupil databases.
  2. Opt out: Introduce an opt out of national reuse of pupil data for indirect purposes (anything leaving the school and at DfE) that respects the GDPR Right to Object at national level
  3. Subject Access Requests: Respect a child’s right to see and correct their own national pupil record and meet Subject Access Requests
  4. Sector support: Develop a statutory Code of Practice for the education sector that will support schools and companies in applying data protection and privacy law with clarity, confidence, and consistency.
  5. Teacher training: Basic teacher training and CPD to include training in data, data protection, and privacy.
  6. Oversight: Introduce an Independent National Guardian for education data (see NHS health data model) — this would include a public process and oversight for new data collections.

Last updated: August 24, 2021