The National Pupil Database refered to on this website, covers only pupils in state (or partially state-funded) schools in England. For a simplified overview see pages 19-22 of the User Guide.
The National Pupil Database is “one of the richest education datasets in the world’ according to the DfE’s own National Pupil Database (NPD) User Guide. From age 2-19, since 2002, each state school pupil’s full educational record has been transferred from schools to the Department for Education. Each record is made up of:
i) personal data given to schools by parents including name and address and sensitive data like ethnicity and date of birth, and
ii) the pupil data created by the school, and test scores and exam results.
It is a melting point of over 20 various different education data collections.
This is a lifetime record of testing and tracking; attainment records, absence, exclusions, SEN special educational needs and health data, indicators of armed forces, indicators for adoption or children in care, and much much more.
Early Years census data, Phonics screening, Alternate Provision at individual child level data are included. The data from Key Stage One and Two from primary school and Key Stages Three to Five are added from secondary education. Data transferred from schools and stored in the NPD include: Unique Pupil Number, Surname, First name, DOB, Full home Address including Postcode and Standard UK address codes, Ethnic group, Gender, SEND. The new Baseline Test will soon be added too.
The full national code sets of all the items of data that can be collected on individual children can be downloaded here.
Pregnancy, mental health, young offender, autism, hearing impairment, and specific learning difficulties, are just some of the new labels added to individual, named records since January 2018. Reasons for Absence and Exclusion and very detailed level, Number of hours of funded provision per week are included, and much more.
From autumn 2016 until autumn 2018 country-of-birth and nationality data were collected from every child for the first time, to be sent to the Department. That has now ended, but the data are still held by the Department, and locally, and you can read more here. We want to seem them destroyed at national level, because it should never have been collected and was done so, on false pretenses.
All English providers of funded early education in the private, voluntary and independent (PVI) sectors are within the scope of the early years census. It is mandatory to collect the data for the Early Years census at individual child level for children taking up a funded place.
Ethnicity is optional and parents must be given the right to withhold this from submission.
Higher Education data (HESA) going back to 2012 may also be added in and linked to individual school records.
BuzzFeed News revealed in summer 2019 that the Department for Education holds sexual orientation data on almost 3.2 million people, and religious belief data on 3.7 million people. The records go back to 2012/13, so include both current students and those who have finished university.
—
Similar systems operate however, across the rest of the UK. Here is a comparison of UK national databases of pupil data, access rights, transparency and data stored [download 118 kB]
The NPD covers pupils in schools maintained by local authorities, academies and free schools in England. Pupils who have never interacted with government-funded education will not be included, for example, those who have only ever attended independent schools or been electively home-educated. Full linked records are held for each pupil since the academic year ending 2002. The Individualised Learner Record (ILR) and Higher Education Statistics Agency (HESA) data are included for the academic year ending 2003 to the academic year ending 2015.
In addition, there will be other adults in the dataset.
Further education colleges must send data for all learners, including those that are not funded by the government. Consequently, some learners who are not funded by government are included in ILR data, such as those undertaking learning subcontracted-in to the college by a local authority or on behalf of another training provider, for example, adult education programmes that help people gain sustainable employment and courses that form part of an apprenticeship.
All higher education institutes must return ILR data for learners funded through Advanced Learner Loans. These are adults who receive loans to cover tuition fees for a range of courses including A levels, general and vocational qualifications, and access to Diplomas of Higher Education.
In addition to academic researchers in the public interest, those given children’s highly sensitive and identifiable data include charities, think tanks, journalists on Fleet Street papers and TV journalists, data consultancies, even a private tutoring company, and ‘one-man-bands.’ Home Office access for immigration enforcement purposes began in 2015, and originally included nationality data, but was changed. Other data sharing for these purposes, continues monthly.
The Department for Education is now (from September 2018) working with the Office for National Statistics (ONS) to enable access to de-identified individual level data for research, from the National Pupil Database (NPD), School Workforce, Individualised Learner Record and Higher Education Statistics Agency.
For academic applications, DfE controlled data will mostly be provided though the ONS Secure Research Service.
Anyone who needs to access the Secure Research Service will also need to be accredited under the ONS approved researcher scheme.
This is a huge step forward towards safe settings access for all pupil and learner and workforce data. However there are still plenty of exceptions and caveats.
According to the government, the Department had released sensitive, personal or confidential data to third parties at pupil level over 1,000 timesbetween 2012 and December 2017, before the new secure service was begun.
There is a list of third parties who get given identifiable data is published on rolling basis. It currently includes the releases since 2012 up to and including April 2018. (note split in May 2017, and before 2016 is archived, link on DfE page.)
Our enquiries have found Home Office and Police have also been granted access to data which, until we started asking in 2016, was not published in the third party register. Who else is missing, we may not yet fully know.
See our latest review and analysis of the releases. Of the majority of the releases — 1000+ requests for identifiable data that have been through the DfE request process in March 2012 – December May 2017, only 30 have been for aggregated data. [July 2020: 1603 releases 2012-2019 currently under further analysis]
Here are some case studies to download of data releases 2012-14, of when journalists have been given identifiable and sensitive personal data, and where named data have been used. This also lists how many releases have been of individual level data, and where the DfE Fair Processing notice fails to mention releases of identifiable individual level data, or commercial and press access. In 2016 The Department started to update their release register more regularly.
We have been told that most requests are population wide; that’s 23 million children and growing, 15 million of whom are now adults. We hope that more information will shortly be included in the release register for future requests, to know the volume of data given away in each release. The Department is unable to tell you which releases give away your own child’s data as they do not track this. “The Department does not maintain records of the number of children included in historic data extracts, “so we do not know exactly who has it for which purpose.
Schools are obliged to send pupil data including names to the Department for Education. The 2013 regulations also require that the pupils name is provided. [see p17] Our research so far with over 350 schools, shows that the Department for Education fails to adequately inform schools who they pass data on to, so schools fail to tell parents. Schools are required to ask for it and submit what they receive. Parents and pupils can choose not to provide country of birth, nationality, ethnicity and first language information.
In February 2018 we commissioned a survey through Survation who asked 1,004 parents of state-educated children age 5-18 about their understanding of data used in schools. 69% of parents said they had not been informed the DfE may give out data from the National Pupil Database to third parties.
Cumulative changes to laws by successive governments up to and including the 2013 changes have enabled the release of individual and named data. The Department for Education has a duty under the Data Protection Act 2018 to ensure Principle 1, fair processing is met. We are campaigning for transparency from the Department to properly inform pupils and parents how their data are used by third parties. We also suggest the legislation should be reviewed, including by the Parliamentary Joint Human Rights Committee for breach of privacy. Scope expansion has not been communicated to any of the data subjects (pupils) unless schools updated their privacy notice after the 2013 Act enabled identifiable individual data to be released, and as far as we are aware, no one who left school since 2012 when the law was changed has been contacted to be informed of the use of their personal data in these ways.
No. But we believe you should be able to, and are campaigning for this. Ask that question of your schools, governors, MPs or write to the Department for Education, and Information Commissioner if you have no adequate response. Here are some of the recipients of sensitive and highly sensitive identifiable data; BBC Newsnight, The Times, Telegraph, FFT Education. [sourced via whatdotheyknow.com]
We have been told by DfE that National Pupil Database data are given away for free to third parties, however HESA (Higher Education data) including workforce data, are sold. We asked for more information about this from the Department for Business and Innovation and Skills.
We support safe use of data for researchers. Today it’s no longer acceptable to pass sensitive data around on CDs and for similar reasons, data should not be given out to third parties. Best practice is for data to be managed in safe settings, where bona fide researchers can come to the data and take out their findings, but not the raw data.
In addition, we believe the level of identifiable and sensitive data given out is inappropriate for anyone other than accredited researchers, and data should be anonymised and minimised wherever possible. Today’s users are given too much data that parents feel is a breach of privacy.
Bona fide research is in the public interest and generally has public support. But a wide range of recipients get individual level, sensitive and sometimes highly sensitive items – special needs, and exclusions for example from the National Pupil Database. These are not anonymous or statistical data, but pupil-level identifiable data releases.
Some of these third parties don’t meet the public’s expectation of what a ‘researcher’ should be and how data should be handled. Journalists have even been sent out the most sensitive tier 1 data to their own site. Where appropriate for all accredited users we would like to see them have safe access, in safe settings and can take away knowledge, not identifiable data; and we want pupils and parents to know about it.
All secondary data uses should be with consent, and shared with respect to the Data Protection principles. And that our children’s data are used for a wide range of purposes without our consent shouldn’t be a secret, pupils must be told.
Here, in the third party release register. Note it was split into two lists in 2017, and older releases archived here. We have campaigned for a regular and frequently published list to improve transparency. We have also asked for more information about the releases and how long the data may be used for by third parties, as we have shown that data has not been destroyed as should have been after use. This destruction due date was added to the register and published in May 2016 for the first time. This transparency may help reduce the risk of errors going unnoticed for a long time.
Forward dates for publication are here in the “Forthcoming Publications” section.
Forever. The Department for Education uses the Data Protection Act exemption (s33(3)) to keep the data indefinitely for historical, statistical or research purposes. This means the database will grow indefinitely to become population-wide, and is now giving away adults as well as children’s data; from anyone in education since 1994 (HESA) and 2000 (NPD).However, given the use for interventions, the Information Commissioner’s Office has informed the DfE this research exemption should no longer be applied.
“The total number of Unique Pupil Numbers (UPNs) in the NPD as at 28/12/2015 was 19,807,973. This covers pupil records since 2000.
“The total number of individuals in the further education (FE) and HE data held by the DfE as at 28th December 2015, in addition to the number of UPNs already identified in the NPD in the previous answer provided, was 1,422,659.
“However, the DfE only holds a subset of FE and HE data – if you require complete information on the total number of individuals held in further and higher education databases by Government you should approach the Department for Business, Innovation & Skills (BIS).”
The Department for Education (DfE) has refused Subject Access Requests for National Pupil Data in the past but there is an obligation for parents or pupils to be able to check their own data is accurate. The process needs changed and this remains part of ongoing discussion for the DfE to fix, but for now, follow these steps.
HESA data’s main student stream dates back to 1994/95 and detailed individual level school records to 1996.
Yes, the National Pupil Database has released names on numerous occasions.
NPD data are used in surveys: a named survey What About Youth was created by extracting named pupil data and matching it with HSCIC held data in 2014 for an intensely detailed questionnaire social survey mailshot to the homes of 15 year old pupils. Almost 300,000 of them according to the published report.
Similarly the IoE used it to get all Year 7 pupils’ data and send them named tests for completion in 2014.
From Higher Education data, names are supplied to Statutory Customers for record linking and in support of audit processes. Access to names within HESA and its Statutory Customers, HESA says, “is restricted to essential staff who have received the appropriate training in data protection.”
Names are also released in bulk at pupil level data for operational purposes by benchmarking companies and other third parties.
In April 2018, Schools Week broke the news that the DfE wil end the collection of country of birth and nationality and we campaign for them to scrap the Statutory Instrument 808/2016.
The collection of children’s personal data and its use at national level changed in autumn 2016, affecting all schools, related to ethnicity, nationality, country of birth, English as an additional language, as well as home address. These data are extracted through schools information management systems (SIMS) either directly or via the local authority in the school census and early years censuses [read our summary] [read the LSE parenting blog] and see the legislation:
What was added in 2016?
• NEW: country of birth (Pupil country of birth 100565) added and collected at national level
• NEW: Nationality collected at national level
• EXPANSION: ethnicity and nationality, expanded to all children regardless of age (Nationality 100564)
• EXPANSION: multi-level detail expanded on English as an additional language, coded in five tiers and new national extraction of measures of fluency.
• EXPANSION: pupil home address may add a unique property identifier using BS7666 address format, in addition to the 5-line home address, and in addition to postcode which is already mandatory.
• EXPANSION: age of pupil from which data may be collected has been lowered to under 2, and previous restrictions on collecting ethnicity on under 5s have been scrapped.
While the government has backed down on collecting country-of-birth and nationality from pre-schoolers ethnicity and language began to be collected for the first time, and more personal data than ever before from this age group. The MOU to transfer nationality data to the Home Office was amended on October 7, 2016, to stop doing so. You can download a full briefing here. [updated March 6, 2017]
