National Pupil Data, the ICO audit, and our work for change: a timeline

Here’s a timeline of significant events, their context, and some of the outcomes so far between Defend Digital Me and the UK Department for Education (DfE).


1996

The Department for Education (“DfE”) begins to collect pupil level data for the first time, expanding what had been collected for many years as aggregated data and statistics. School Census data. This is information on pupils attending state funded educational settings in England.  It was known as the Pupil Level Annual Schools Census (PLASC) until 2007.The Education Act 1996 as originally passed actually prohibited the collection of pupils’ names. Section 537(5) said: “No information provided [by schools] in accordance with regulations under this section shall name any pupil to whom it relates.” But this was amended in 1998 to read at 537A(7): “No information received under or by virtue of this section shall be published in any form which includes the name of the pupil or pupils to whom it relates.”

2002

The Department for Education (“DfE”) begins to collect names to add to the pupil level data for the first time, with the promise that, “The Department has no interest in the identity of individual pupils as such, and will be using the database solely for statistical purposes, with only technical staff directly engaged in the data collation process having access to pupil names.” Campaigners raised concerns about possible misuse which will be proven well founded ten years later, with the use of the database for individual interventions.

2011

In ever-broader use of national administrative data without consent, David Cameron announced in 2011, that the government would open up access to anonymised pupil data. In practice, it would be identifying data.

2012

On November 6th, 2012, the Minister announced plans to open up the National Pupil Database for commercial re-use. He changed the law to let the Department for Education distribute identifying pupil-level extracts from the National Pupil Database “for a wider range of purposes than currently possible” to “maximise the value of this rich dataset”. He said, “We want to give organisations greater freedom to use extracts of the data for wider purposes, while still ensuring its confidentiality and security.”

The responses to a brief consultation over the Christmas holidays 2012, concluded that press and others getting raw data would be a mistake, and made no effort to involve under 18s, or the people whose data it was. The release of individuals’ identifiable data was updated by two 2012-2013 changes to legislation. These changed what data could be handed out (individual pupil level), to whom, and why.

Extract from the Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009 (Amended 2013).

Paragraph 6 (b) was amended from:
persons conducting research into the educational achievements of pupils and who require individual pupil information for that purpose;

to

persons who, for the purpose of promoting the education or well-being of children in England are—
(i) conducting research or analysis,
(ii) producing statistics, or
(iii) providing information, advice or guidance,
and who require individual pupil information for that purpose.

For the purposes of these Regulations, ‘well-being’ has the meaning referred to in sections 332E and 507B of the Education Act 1996 in relation to those sections. Section 332E was inserted by section 1 of the Special Educational Needs (Information) Act [10]2008 (c.11) and section 507B was inserted by section 6(1) of the Education and Inspections Act [11]2006 (c.40).

In our view at DDM, this should still not mean data should be given to just anyone. The amendment above was made to this law from 2009, listing prescribed persons. The Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009.

Prescribed persons

3.—
(1) For the purposes of section 537A(4) of the Act, the following are prescribed as persons to whom the Secretary of State may provide individual pupil information—
(a )any person referred to in paragraph (5) below;
(b) any person falling within any of the categories referred to in paragraph (6) below;
(c) any person having access to a database established and operated by the Secretary of State under section 12 of the Children Act 2004(4); and
(d) any local authority which has reasonable grounds to believe that it is a relevant local authority in respect of the pupil to whom the individual pupil information relates.

(2) For the purposes of section 537A(5)(b) of the Act, the Secretary of State prescribes as a person to whom an information collator may provide individual pupil information—
(a) any person referred to in paragraph (5) below; and
(b )any person falling within any of the categories referred to in paragraph (6) below.

(3)  The individual pupil information which an information collator may so provide, in accordance with section 537A(5)(b) of the Act, is any such information—
(a) specified in Schedule 1 to the Education (Information about Individual Pupils) (England) Regulations 2006(5);
(b) relating to the educational achievements of pupils in any National Curriculum assessment carried out for the purpose of assessing the achievements of pupils in the first, second or third key stage;
(c) relating to the educational achievements of pupils in any external qualification approved under section 98 of the Learning and Skills Act 2000(6), for the purposes of section 96 of that Act.

(4) For the purposes of section 537A(6) of the Act, the Secretary of State prescribes as a person to whom any person holding any individual pupil information may provide that information—
(a) any person referred to in paragraph (5) below; and
(b) any person falling within any of the categories referred to in paragraph (6) below.

(5) The persons referred to in paragraphs (1)(a), (2)(a) and (4)(a) are—
(a) the Joint Council for Qualifications;
(b) the Office for Standards in Education, Children’s Services and Skills(7)
(c) the Higher Education Funding Council for England;
(d) a relevant local authority;
(e) the governing body of the relevant school;
(f)the management committee of a pupil referral unit at which the relevant pupil is or was registered;
(g) the Training and Development Agency;
(h) the States of Guernsey Education Department;
(i) the States of Jersey Education Department;
(j) the Isle of Man Department of Education;
(k) the Welsh Ministers;
(l) WJEC CBAC Limited(8);
(m) the Student Loans Company Limited;
(n) the University and Colleges Admissions Service(9);
(o) the Higher Education Statistics Agency(10);
(p) Ufi Limited(11);
(q) the British Educational Communications and Technology Agency (Becta);
(r) any person with whom a relevant local education authority has made arrangements under section 68 or section 70 of the Education and Skills Act 2008(12);
(s) any person who, either alone or jointly with others, awards or authenticates any qualification accredited by the Qualifications and Curriculum Authority;
(t) the Learning and Skills Council for England(13);
(u) the Qualifications and Curriculum Authority(14).

(6) The categories referred to in paragraphs (1)(b), (2)(b) and (4)(b) are—
(a) institutions within the further education sector;
(b) Primary Care Trusts(15);
(c) work-based learning providers;
(d) persons conducting research into the educational achievements of pupils and who require individual pupil information for that purpose;
(e) learning providers registered with the UK Register of Learning Providers(16);
(f) institutions within the higher education sector.

2015

July: our first FOI to the DfE request the Data Protection Impact Assessment and TOR, and research and ethics assessment criteria, about the National Pupil Database.

Coincidentally in July 2015, and without telling the Star Chamber Scrutiny Board responsible for pupil data expansions, the DfE started giving away pupil names to the Home Office, for purposes including furthering the aims of the Hostile Environment. The data sharing agreement included the item, “Nationality (Once collected)”.

December: FOI request to ascertain the size of the NPD. The total number of Unique Pupil Numbers (UPNs) in the NPD as at 28/12/2015 was 19,807,973. (ca. 20 million). This has pupil records since 1996 so many people in the database are now adults, who have never been told their personal data is given to third parties without consent.

Recipients of the data being given away included journalists. An email obtained via FOI in 2015, showed the Department sought “cast-iron assurances”, that the data the Telegraph would publish would not identify children. The data the journalists were given are from Tier 2, identifying and sensitive data, including special needs, free school meals, ethnicity and attainment, longitudinal records for about nine million children across multiple years of their education. If the data had not been identifying, the newspaper wouldn’t need to give such an assurance.

December: A revised Memorandum of Understanding (data sharing agreement) in place since July 2015, v1.0 is finalised on December 18th 2015, to share the individual confidential data including nationality “(once collected)” of up to 1,500 children a month from school census with the Home Office. This did not become public knowledge until December 2016, and published on whatdotheyknow in February 2017.

2016

April: First ICO opinion received in response to complaint that the DfE refused Subject Access Requests applying a ‘research database’ exemption to do so.

June: FOI request revealed, “There is no suppression applied to data extracts from the NPD before release” …”The Daily Telegraph requested pupil-level data and so suppression was not applicable.”

Spring/Summer 2016- Expansion of the School Census nationality and country-of-birth announced to begin in September 2016, and with it our long-running parallel collaborative campaign efforts. (see State of 2020 Report 2.4.8.2 Timeline: expansion of the school census 2016)

October 6: late afternoon, FOI Ref: 2016-0042333 confirms Home Office access to previously collected school census pupil data includes name, home and school address.

DDM has challenged why names are being released when the law precludes it, “no information received under or by virtue of this section shall be published in any form which includes the name of the pupil or pupils to whom it relates.” We argue this implies names and linked personal data, cannot be released by the Department for Education.

2017

February: Letter sent from the UK Statistics Regulator Ed Humpherson (Office for Statistics Regulation) to DDM.

May: The Information Commissioner’s Office issues a Decision Notice on FOI in favour of the release of the Star Chamber Scrutiny Board (SCSB) meeting minutes from November 2015. Parliament had been told in July 2016 the SCSB, “approved the collection of country of birth data via the school census in November 2015.” The Government response in a letter to concerns raised at the Secondary Legislation scrutiny committee on the SI 808/2016 also stated, “Should there have been concerns regarding these changes, SCSB would have raised these for discussion requesting clarification or amendment before providing their formal decision to accept or reject the changes.” Our questions and letters had gone unanswered whether the Board knew when they made the decision on the school census expansion, that pupil data was already being passed on a monthly basis to the Home Office and that “Nationality (once collected)” would be given to the Border Force Removals Casework Team as per the HO-DfE agreement in place between July 2015 and October 2016.

September: Another sensitive pupil data expansion. The government passed a new law to collect highly sensitive data for children placed in settings outside mainstream education. “Pregnancy, mental health, young offender. Autism, disability, hearing impairment, and learning difficulties” are just some of the new labels that were added to individual records from January 2018 without telling families. By June, new data from the Alternative Provision Census were ready for distribution to third parties. Although we stopped the very broadest raw data distribution from the National Pupil Database, and secured assurance from the Department given to the Information Commissioner’s Office that the new data will not be distributed, Alternative Provision census data continue to be listed on the data that can be accessed by third parties. Nothing prevents its distribution and re-use. We begin legal action to challenge this change of law.

October: Parliamentary Question: Personal Records UIN 108573, Minister claims that the DfE National Pupil Database is not required to fulfil Subject Access Requests and Parliamentary question 108570 reveals the Department has not conducted any privacy impact assessment about the collection of data on pregnancy, health and mental health “reasons for placement,” in the AP Census.

November: DfE releases a selection of original copies of the licensing agreements between the DfE and the recipient / recipient’s organisation for the use and terms of agreement restrictions on the data sent or requested. The 2013 application from the Institute of Criminology cannot be found.

December: We lead a coalition to ask the Secretary of State to ensure safeguards, and communicate well to affected families.

2018

DWP / NPD Data sharing agreement. DfE are seeking to enrich their Pupil Data with related household income and benefit data. DPIA reference number: 1019.

January: Parliamentary written question | 120141: According to centrally held records at the time of writing, from August 2012 to 20 December 2017, 919 data shares containing sensitive, personal or confidential data at pupil level have been approved for release from the National Pupil Database.

March: Letter sent from the UK Statistics Regulator Ed Humpherson to the DfE. Also in March, the Department has destroyed the nationality and country-of-birth data collected from millions of school children since 2016. One of our three asks, to stop collecting it, to destroy what had been collected, and to revoke the 2016 Statutory Instrument that changed the law to allow its collection.

March: Survation poll on behalf of defenddigitalme in March 2018 of 1,004 parents with children in state schools https://defenddigitalme.org/2018/03/only-half-of-parents-think-they-have-enough-control-of-their-childs-digital-footprint-in-school/  69% of parents said they had not been informed the DfE may give out data from the National Pupil Database to third parties.

March: A Code of Practice on the processing of education data, was proposed to add to the UK Data Protection Act but not accepted by government.

November: DDM requested the DPIA for both the NPD and the Alternative Provision Census but they are withheld but we believe it should have answered, not held (i.e. did not yet exist in any published form).

2019

In 2019, Merseyside police got given all 2,136 pupils’ records who attended just one school in a four year period, out of the National Pupil Database, confirmed via FOI in September 2022. To date they refuse to release why this was necessary at national not school level.

May: The DfE publish the first ever summary Data Protection Impact Assessments for the National Pupil Database and the Alternative Provisions Census, in response to FOI. This reveals that equality monitoring data is being retained on a named basis by the Department, and added to Higher Education students’ school records. We propose ten changes, including that only statistics, not named data should be passed around and kept as records, of religion and sexual orientation in particular.

DfE publishes guidance on UPNs, “the UPN must lapse when pupils leave state funded schooling, at the age of sixteen or older.”

June: Our legal team submitted a comprehensive case in a 118-page bundle to the Information Commissioner’s Office about pupil data practices at the Department for Education with a request that the Commissioner commence a thorough investigation into the concerns raised about the DfE’s processing. It also raised issues about the Alternative Provision Census data, in which a new collection had begun in January 2019 for which there was no data protection impact assessment or any communication to families.

September: Letter sent from the UK Statistics Regulator Ed Humpherson to DDM.

October: The ICO wrote to us more broadly on connected issues as part of their work into our detailed case and other prior joint-complaints against the DfE on nationality pupil data processing. They found wide-ranging and serious data protection issues. It backed our defend digital me findings from our 2018 parents’ survey, that parents and pupils don’t know national pupil databases exist. “This investigation has demonstrated that many parents and pupils are either entirely unaware of the school census and the inclusion of that information in the NPD, or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional. This has raised concerns about the adequacy DfE’s privacy notices and their accountability for the provision of such information to individuals regarding the processing of personal data for which they are ultimately data controllers.”

We have not seen any actions as of May 2023, that demonstrate these failings have been rectified.

November: The ICO met with key senior-level data protection professionals at the DfE’s offices in London in November 2019 where the possibilities of a consensual audit were discussed.

December: On 19 December 2019, an ICO Assessment Notice was issued to the Department for Education (DfE)

In parallel and unconnected, a company called GB Group plc had published a website article claiming it has “exclusive access to data that can empower businesses to verify and onboard millennials with confidence,”and that “Since using GBG UK Education Data Set within our ID3global product, a major gambling operator saw a 15% uplift to a 2+2 on customer refers, while a digital currency wallet business saw a 9% uplift.” “The identities of consumers aged 23 to 38 are among the hardest to verify…This creates a challenge for anyone trying to verify their identities because their credit history will be much more limited, or perhaps non-existent. Without credit reference data to draw on, businesses are having a hard time verifying millennials’ identities and turning away potentially good customers.  The page was live at least between December 11, 2019 and Friday January 10, 2020, after which it was amended, and then taken down. It was coincidental timing with the ICO audit already underway.

2020

January: On January 19, 2020, the Sunday Times reported that, “betting companies have been given access to an educational database containing names, ages and addresses of 28 million children and students in one of the biggest breaches of government data.” It went on, “The Sunday Times has established that GB Group, one of the country’s leading data intelligence companies, had a confidential contract through another company to access the Learning Records Service for age and identity verification services it provides to clients, which include 32Red, Betfair and other gambling companies.” According to the Sunday Times, “The DfE said the government had given access to the database to a London employment screening company called Trust Systems Software (UK), which trades under the name Trustopia. It is investigating whether this firm had in turn provided access to GB Group.” “When confronted with the findings of a Sunday Times investigation, the Department for Education (DfE) disabled the database and referred the breach to the Information Commissioner’s Office, which regulates data protection.

There were many outstanding questions as Nigel Nelson and Jo Phillips asked on the BBC Papers the day the story broke: “This is an absolutely shocking story”. “You would expect it would only be used for educational purposes.” “Do we know whether these people could get data about disabilities or special educational needs?” “12,000 organisations have access to this database.” “Who are these people, and why?”

FebruaryMarch 2020: The ICO audit field work was undertaken at DfE Offices in London, Coventry, and Sheffield between 24 February and 4 March. The DfE agreed to extend the scope of the audit to include the sharing of data contained within the Learning Records Service (LRS) database to assist an ICO investigation following the reported [LRS] data breach.

July: FOI request to the Department for Education about pupil data of 2,136 children passed to police in 2019.

October 7, 2020: The ICO published the high-level Executive Summary of their audit findings (it has to date, never been published in full),  stating that The Commissioner’s Enforcement team ran a broad range investigation in 2019 following complaints from DefendDigitalMe and Liberty and their concerns around the National Pupil Database (NPD)” […] However, due to the risk and scale, and ages of the data subjects, the audit was made compulsory. (The National Pupil Database is another joined up set of databases of over 23 million named records, like the LRS, and there is an overlap of the individuals in both.)

November 27, 2020: DDM received a letter from the ICO about the summary audit findings and in response to our case. Previous Case Reference – RFA0853691 / New ICO Case Reference – INV/0534/2020.

2021

28 January: The DfE published a limited written response to the audit findings, with a promised further update in June 2021. Paper reference DEP2021-0072. This update omitted any mention of the repurposing personal data for commercial reuse, or Home Office Hostile Environment aims, or police use. Or anything on timing for when it would address the data protection rights of the people in the NPD like Right-to-Object, Subject Access Requests, or even be told their named data is among the 28 million people’s learner records, or the rest of the DfE’s datasets (that include children at risk and highly sensitive records on abuse for example) and to whom it has been given away and for how long.

4 February: Over a year after the news broke about the LRS data breach, a company connected to some of the Trustopia directors, Trust Systems Software Limited, (registration number 631227 in Ireland) was dissolved. The company’s final director had been the director of 17 other Irish companies at the time of its insolvency and shared a director with its UK registered counterpart.

March 31: DDM face-to-face meeting with DfE and data team

April: The Schools Minister promised Liberal Democrat MP Daisy Cooper in a parliamentary question that an update on the ICO audit would be published in June 2021, and said that the Department had “undertaken to publish an update to the audit in June 2021 and further details….of the full audit report will be contained in this update.” 
Later, a statement said it was delayed to the end of July 2021. No update was published. We have asked both the ICO and the DfE to publish the full findings with an accountable timeline by when ICO recommendations or demands will be met. A further commitment to an update was made by the end of 2022, and again, nothing was published.

July: Pupil Parent Matched dataset data sharing agreement. The PPMD BAU Process is a regular exercise of sharing data between DfE and DWP which also uses HMRC data held by DWP for the purpose of creating linked datasets which enable the analysis of education data by household income and benefit status.

28 July 2021: We asked the DfE by email with regard to promised updates that remain unpublished (also made to Parliament in written questions). We are told the decision was made to pull the June/July update in favour for a more detailed update after Recess which will detail nearly all of the recommendations  ie September 2021. This remains outstanding in May 2023.

November: The Department for Education and ICO have both refused FOI requests to publish the full audit findings.

December: The Longitudinal Educational Outcomes (LEO) – Business as usual (BAU) process Data Sharing Agreement.

2022

January: A new issue. The DfE launches a twice-daily “real time” pupil attendance and absence data tracking.

February: We wrote to the ICO and received an acknowledgement on February 15, 2022 Case reference: IC-153627-B2Z0. Through FOI in May 2022, we obtained the correspondence between the DfE and the ICO in July revealing extensive concerns exchanged between February and March. There had been no DPIA completed and no prior consultation with the ICO even though in communications to schools, the DfE said both had been done in collaboration with the Information Commissioner. In July, DDM sent an initial letter before claim dated 28th July 2022, and received a response from GLD dated 31st August 2022 about this expansion of pupil data collection. The communications and documents that the Information Commissioner’s Office (“ICO”) subsequently released in response to our Freedom of Information Request in July, show that at that time, and when the data collection started, the DfE had not in fact worked with the ICO on its DPIA, contrary to the DfE’s initial communication to schools (which the ICO subsequently asked it to edit /retract). Nor had the DfE had a Data Protection Impact Assessment (“DPIA”) signed off before processing began, as required by law. The ICO asked the Department to pause the high risk data collection, and carry out the risk assessment. The Department declined to pause. The ICO went on to document a wide range of concerns described in over ten A4 pages (at the end of the bundle), including about the excessive 66-year data retention period (just like the Schools Bill), and the DfE’s failure to demonstrate the necessity of the data processing, but the Regulator has taken no public action.

May: Twenty-eight months after the news story broke, but only six months before the published outcome of the ICO investigation, Trust Systems Software (UK) Limited Company number 11506793 (trading as Trustopia) was dissolved. Its ‘person with significant control’ was Trust Systems Software Group Limited (company number 11933401), and prior to that (dissolved in February 2021) Trust Systems Software Limited (registration number 631227 in Ireland)).

16 August 2022: Thirty-one months after the news story broke, but just 3 months before the published outcome of the ICO investigation, the same Trust Systems Software Group Limited (company number 11933401) was dissolved. The termination of the appointment of one director had been filed electronically on January 20, 2020 (the day the Sunday Times news story broke) but according to the Companies House filing was dated effective as of 29 November 2019. Two of the Trustopia Directors had remained Directors of this ‘parent’ company, according to the register at Companies House, until the company was dissolved on August 16, 2022.

September: various data sharing agreement copies released for the Pupil Parent Matched DWP dataset, and LEO. Issues identified by the Department include a potential interference with Article 8(2), but describe why they believe it is justified. Page 5 (para 23) includes justification of purpose (non)limitation; and retention of the unmatched records for 5 years. The justification to not permit SAR, is because the fuzzy matching may create inaccurate data.

September: the DfE document “Explanation of Privacy Notices” is updated  (but doesn’t say when in September or what changes were made). The website is also updated with, “Information on how the Department for Education (DfE) and its executive agencies share personal data.”

November 6, 2022: Nearly 3 years (34 months) after the Learner Records Service breach was exposed in the press on January 20, 2020, the ICO announced it had reprimanded the DfE over the incident. This remains the only public statement made by the ICO on DfE practice , since their summary audit  of the DfE was published in October 2020 and no more follow up on that audit has been published to date. On the Learner Records Service breach it said, “The Information Commissioner’s Office (ICO) has issued a reprimand to the Department for Education (DfE) following the prolonged misuse of the personal information of up to 28 million children. An ICO investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm, to check whether people opening online gambling accounts were 18.”“The DfE confirmed that Trustopia has never provided any government-funded educational training. By granting LRS database access to Trustopia, the DfE failed in its obligations to use and share children’s data fairly, lawfully and transparently. It also failed to prevent unauthorised access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.”

Recommendations to the DfE included improving transparency and enabling people to exercise their data rights, that the DfE should review all security processes regularly, updating internal staff information and data protection training, and ensuring a risk assessment is done properly prior to new data processing. But that the ICO would not issue the £10 million fine to the public body that it might have. Setting aside the new ICO public sector approach, what about the commercial companies involved? How did the timing and process of the ICO investigation of the LRS data breach allow the company Directors involved to be able to dissolve their relevant companies, without any enforcement action?

November 16: School privacy notice templates updated to indicate that, “Removed ‘Privacy notice: how we use employee information’ and added ‘Privacy notice: how we use children’s social workforce information’. We are told by DfE letter 17/11/2022  Your ref: SDH/CPE/00171048/2 Our ref: Z2210679/EEP/JD5 Para 5. and Para 6 that there is, “Further work on the privacy notice”. Parliamentary questions follow, UIN 79287 tabled on 4 November 2022 https://questions-statements.parliament.uk/written-questions/detail/2022-11-04/79287 “As at 9 November 2022, 15 of the original 139 [ICO audit] recommendations are outstanding.”

November: Our legal team issue a Letter Before Claim to the Department over the ongoing failures identified in the ICO audit. GLD on behalf of DfE asked for an extra 14 days to respond (i.e. from 3rd November 2022 to 17th November 2022). Ongoing legal exchanges begin.

December 2022: The Department for Education says in answer to parliamentary question that it was advised not to pursue a Trustopia breach of contract pending the ICO investigation.  (See Parliamentary Question UIN 113179, tabled on 19 December 2022)

2023

March: DDM together with over 25 organisations and individuals call for action from the UK Information Commissioner (The ICO) to uphold children’s rights in the Hostile Environment. We are asking him as the UK Data Protection Regulator, to use his powers to protect children in the UK from the misuse of their national pupil records by the UK Department for Education (“DfE”) in England, for the purposes of immigration enforcement and furthering the policy aims of the Home Office Hostile Environment. We believe it is unlawful, since the legal basis does not exist at the point of collection for that purpose, and for criminal investigation the use of the entire database monthly is neither necessary nor proportionate.

In the first six months of 2023, more regular requests were fulfilled monthly to police than ever before, albeit at small numbers.

Acknowledging the progress the DfE claims to have made on the 2020 ICO audit recommendations, we have been in ongoing contact and follow up between legal teams following our Letter Before Claim issued to the Department in November 2022. The Department agreed to face-to-face discussion and arbitration. On October 6, 2023 they have pulled out of this offer. The only remaining steps to ensure the enabling of a route to exercise and uphold the legal obligation to offer a Right to Object, and fair processing to every person in the databases, appear to be Judicial review.

October 19, 2023 the DfE published a response to the Information Commissioner’s Office (ICO) audit and reprimand letter, published nearly a year earlier (The ICO issued a formal reprimand of DfE in November 2022). It omits the failure to fair process, identified in the audit or any steps to remedy it. (Page 4) “The DfE are not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR”…” there is no clarity as to what information is required to be provided. The DfE are reliant on third parties to provide privacy information on their behalf however, this often results in insufficient information being provided and in some cases none at all which means that the DfE are not fulfilling the first principle of the GDPR, outlined in Article S(l)(a), that data shall be processed lawfully, fairly and in a transparent manner.”

2024

Given the current legal landscape in England, and potential for change under the next new government, in Spring 2024 we decided to discontinue our legal challenge. We continue to work to change and improve this through other routes and in our work as a whole.

July

Since July 2015, the cumulative total number of pupil records asked to be matched monthly by the Home Office with pupil records, reached 7,176. The Department for Education has handed over 1,801. We have since requested copies of the latest data sharing agreements, including for the purposes of the Home Office or UKVI with regard to data sharing for the purposes of furthering the Hostile Environment, or eligibility checking for free school meals or pupil premium. We expect to receive these by the end of 2024 at the latest.

August

The findings of the Responsible Technology Adoption Unit public engagement work together with the DfE in 2024, backs those of our own Survation poll in 2018, and shows parents do not know that the DfE already holds named pupil records without their knowledge or permission and that the data is given away to be reused by hundreds of commercial companies, DWP, Home Office and police:

“There was widespread consensus that work and data should not be used without parents’ and/or pupils’ explicit agreement. Parents, in particular, stressed the need for clear and comprehensive information about pupil work and data use and any potential risks relating to data security and privacy breaches.” (Ref. 5.4)

“In order to give permission for their child’s data to be used, parents need more clarity and reassurance about how data will be collected, stored, used and shared.”

“Concerns about privacy and data breaches were prevalent among parents, many of whom had questions about how and where their child’s data will be stored and shared. They were also concerned about the potential longevity of data, and the extent to which it could “follow their child through life” and affect their employment and further education opportunities. There were also concerns about potential data sharing between government departments. Parents of pupils with SEND in particular were concerned that the data could affect their child’s eligibility for state-funded benefits.” (Ref 4.3)

November

The Department for Education has again deflected a question from the House of Lords (UIN HL2566) to ask when the full ICO audit findings would be published. Five years after it was carried out, their answer is that “The department will publish an updated audit closure report in Quarter 1 of 2025/26 on completion of the remedial actions.” [Ed. note: We hope it is 2025, and not ’26.]

And it also confirmed that, “it is not possible for a parent/guardian or an individual child to opt out of the school census collection,” so when it comes to the resuses, no one offers any Right to Object (for processing based on public task) nor any opt-out (nor opt-in) of processing based on Legitimate Interests. Families do not get told how pupils and parents may object to any data being collected in the school census, or by what process they may do so. [UIN HL2698]

December

Five years after the audit took place, will that statement address the open questions?

  • There is still no fair processing (telling the people whose data it is, what it is used for or where it goes for how long or why (“as required under Articles 12,13 and 14 of the GDPR”);
  • It is still not clear to schools as data controllers, what their role is in telling families what is collected under what law and what is optional, one of the key failings required by law highlighted in the summary of the audit that was published in October 2020;
  • There is no apparent change in the “over reliance on public task” lack of identified supportive legislation, or the “limited understanding of the requirements of legitimate interest” necessary “to ensure the use of this lawful basis is appropriate and considers the requirements set out in Article 6(1)(f) of the GDPR” found (page 6/6);
  • There is no right to object, balancing test and no opt out offered on the collection of, never mind the reuses of any sensitive and identifying pupil data from the NPD, at local or national levels;
  • There is still no user-friendly Subject Access Request process, and not one suitable for children at all, or that 23 million people know about;
  • And no way to know whether your own data have gone or are still with any of the over 2,500 releases of identifying and sensitive data to third parties since 2012.

The new proposal for a Code of Practice for the education sector to be included in the reform of UK data protection law, might go some way towards turning what’s on paper into practice,  if it were to get government support and to pass. This would not be new data protection law per se, but would require the ICO to create a dedicated, sector specific Code of Practice that explains for schools what is expected of the law, with clear ways to adhere to it in this special sphere of working with a mix of child/parent rights, in a non-consensual and power imbalanced environment. At least parents might have something concrete to help us get change at local levels, and that could be good for consistent confident practice for schools, industry, and public interest research bodies too.

 

What can you do?

How our school records are used must be made safe. You should have control over how they are used. Tell your friends and famliy, people you work with, tell your local press, and tell your MP. Here are 5 things that must change:

  1. Data should be used only in secure settings, distributing access, not the data itself.
  2. The DfE must tell families of the 9 million children in school today, where their children’s records have gone, and are going, to which third parties, how long they will have it for, and why.
  3. The DfE must also tell everyone who has left school since 2012 when the law was changed, but their data from being in school any time 1996-2012 was reused retrospectively, meaning it is being used without any way for them to have had knowledge it would be, as well as everyone not told since the law changed.
  4. The DfE must ensure families’ right to choose in future if their child’s record is used for anything beyond their own education and how. The right to object must be honoured and start with opt-in to secondary reuses to ensure privacy by-design-and-default, in line with what parents told DSIT/DfE in their own public engagement work.
  5. The DfE must stop new expansions without public consultation (such as adding sexual orientation and religion collected from equality monitoring in student UCAS applications, to named national records).

Appendix

SOURCE LIST OF RELEVANT LEGISLATION PROVIDED IN ANSWER TO A PARLIAMENTARY QUESTION

In 2017 a parliamentary question HL2783 [annex attached in link from the answer]  asked what specific information schools are legally required to collect regarding pupils. This is for schools, not higher and further education. The answer was then, that schools are required to collect information on pupils under the following legislation:

Primary Legislation
Subordinate Legislation
  1. Education (Individual Performance Information) (Identification of Individual Pupils) Regulations 1998, SI 1998/1834 (made under sub-s (2)).
  2. Education (School Performance Information) (England) Regulations 1998, 1998/1929 (made under sub-s (1)).
  3. Education (Information About Post-16 Individual Pupils) (Wales) Regulations 2003, SI 2003/2453 (made under sub-ss (1), (2), (4)).
  4. Education (Information About Children in Alternative Provision) (England) Regulations 2007, SI 2007/1065.
  5. Education (School Performance Information) (England) Regulations 2007, SI 2007/2324.
  6. Education (Pupil Referral Units) (Application of Enactments) (England) Regulations 2007, SI 2007/2979.
  7. Education (Information About Individual Pupils) (Wales) Regulations 2007, SI 2007/3562 (made under sub-ss (1), (2), (4)).
  8. Education (School Performance Information) (England) (Amendment) Regulations 2008, SI 2008/364.
  9. Education (School Performance Information) (England) (Amendment) (No 2) Regulations 2008, SI 2008/1727.
  10. Special Educational Needs (Information) Act 2008
  11. Education (School Performance Information) (England) (Amendment) Regulations 2009, SI 2009/646.
  12. Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009, SI 2009/1563 (made under sub-ss (4)–(6)).
  13. Education (Information About Children in Alternative Provision) (Wales) Regulations 2009, SI 2009/3355.
  14. Education (Individual Pupil Information) (Prescribed Persons) (England) (Amendment) Regulations 2010, SI 2010/1940 (made under sub-ss (4)–(6)).
  15. Apprenticeships, Skills, Children and Learning Act 2009 (Consequential Amendments) (Wales) Regulations 2010, SI 2010/2431.
  16. School Performance Information (Wales) Regulations 2011, SI 2011/1963 (made under sub-ss (1), (2)).
  17. Education (Information About Individual Pupils) (Wales) (Amendment) Regulations 2011, SI 2011/2325 (made under sub-ss (1), (2), (4)).
  18. Education (School Performance Information) (England) (Amendment) Regulations 2012, SI 2012/1274 (made under sub-ss (1), (2)).
  19. Protection of Freedoms Act 2012 (does not enable national data collection but sets rules in place for parental consent and objection requirements.)
  20. National Curriculum (Amendments relating to Educational Programmes for the Foundation Phase and Programmes of Study for the Second and Third Key Stages) (Wales) Regulations 2013, SI 2013/437 (made under sub-ss (1), (2)).
  21. Education (Individual Pupil Information) (Prescribed Persons) (England) (Amendment) Regulations 2013, SI 2013/1193 (made under sub-ss (4)–(6)).
  22. Education (School Performance Information) (England) (Amendment) Regulations 2013, SI 2013/1759 (made under sub-ss (1), (2)).
  23. Education (Information About Individual Pupils) (England) Regulations 2013, SI 2013/2094 (made under sub-ss (1), (2)).
  24. Education (Information About Individual Pupils) (Wales) (Amendment) Regulations 2013, SI 2013/3137 (made under sub-ss (1), (2), (4)).
  25. Education (Pupil Information and School Performance Information) (Miscellaneous Amendments) (England) Regulations 2013, SI 2013/3212.
  26. Education (Information) (Miscellaneous Amendments) (England) Regulations 2015, SI 2015/902.
  27. Education (School Performance Information) (England) (Amendment) Regulations 2015, SI 2015/1566.
  28. Education (Pupil Information) (England) (Miscellaneous Amendments) Regulations 2016, SI 2016/808 (made under sub-ss (1), (2)).
  29. National Curriculum (Miscellaneous Amendments) (Wales) Regulations 2016, SI 2016/837 (made under sub-ss (1), (2)).
  30. The Education (Information About Children in Alternative Provision) (England) (Amendment) Regulations 2017 SI 2017/807.

Other Relevant Legislation

1. Education Act 2005 http://www.legislation.gov.uk/ukpga/2005/18/section/114
2. Education Act 1996 http://www.legislation.gov.uk/ukpga/1996/56/section/537A
3. Children Act 1989 http://www.legislation.gov.uk/ukpga/1989/41/section/83
4. The Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009 http://www.legislation.gov.uk/uksi/2009/1563/made
5. The Education (Individual Pupil Information) (Prescribed Persons) (England) (Amendment) Regulations 2010 http://www.legislation.gov.uk/uksi/2010/1940/contents/made
6. The Education (Individual Pupil Information) (Prescribed Persons) (England) (Amendment) Regulations 2013 http://www.legislation.gov.uk/uksi/2013/1193/contents/made
7. Special Educational Needs (Information) Act 2008 http://www.legislation.gov.uk/ukpga/2008/11/contents
Education and Inspections Act 2006 http://www.legislation.gov.uk/ukpga/2008/11/contents
8. Statutory Instrument No.208 in 2016, for the expansion of pupil data collection to include Country of Birth, Nationality and EAL at national level http://legislation.data.gov.uk/uksi/2016/808/made/data.html The Education (Pupil Information) (England) (Miscellaneous Amendments) Regulations 2016
9. List of some individual data items extracted mentioned in 2013 SI http://www.legislation.gov.uk/uksi/2013/2094/schedule/1/made The Education (Information About Individual Pupils) (England) Regulations 2013
2013 No. 2094 SCHEDULE 1
10. Revocation http://www.legislation.gov.uk/uksi/2013/2094/schedule/2/made
11. School Standards and Framework Act 1998 (section 537A) http://www.legislation.gov.uk/ukpga/1998/31/pdfs/ukpga_19980031_en.pdf