Defenddigitalme successfully prompts an investigation of UK Department of Education data-sharing policies, unearthing major compliance breaches and securing the deletion of sensitive student information.
Earlier this year, we explored a range of digital rights topics in video format as part of the Digital Freedom Fund’s Digital Rights Around the World Series. We are now revisiting some of those topics with updates from discussions that happened during our 2021 Strategy Meeting and additional developments since then.
Throughout history, governments have created national population registers and used the personal data for purposes other than the originally stated aims. The UK’s National Pupil Database is no exception. Built from children’s school records since 2002, it includes the sensitive personal data of over 23 million pupils, including ethnicity and even the religious belief, and sexual orientation of millions of university students. defenddigitalme has been litigating to secure the data rights of everyone affected.
While one might expect access to such a database to be limited to schools or its use to be tightly controlled for national education policy, in practice the data is distributed by the Department for Education (DfE) to thousands of third parties. As a result, it is extremely vulnerable to abuse and exploitation. Between March 2012 and June 2020, over a third of the approved requests for identifying data was for use by commercial companies. And although all the approved data shares are catalogued in a register, the volume of data disseminated in each release remains unaccounted for. The DfE could be giving out millions of records every time.
Between March 2012 and June 2020, over a third of the approved requests for identifying data was for use by commercial companies
The data has also been made accessible to other public bodies like the police, the Department for Work and Pensions for fraud investigation, and the Home Office, the UK’s government department responsible for immigration, security, and law enforcement. Very few details of these uses are published in the official register, and the whole process lacks meaningful oversight.
There has already been some success in objecting to the ever expanding data collections. In 2016, at the same time as the Department for Education (DfE) introduced new legislation to start to record the nationality and country-of-birth of 8.2 million school children, defenddigitalme exposed that Home Office access for immigration enforcement purposes had already begun in secret a year earlier. Opposition to this grew into the Against Borders for Children (ABC) coalition, that led a successful boycott of the school census between October 2016 and June 2018, when the collection was finally stopped. Though Liberty supported ABC’s judicial review of the ongoing data sharing practice for immigration enforcement purposes, the court rejected the case on grounds of being out of time.
…the court rejected the case on grounds of being out of time
When another proposed expansion in 2017 planned to introduce mental health, pregnancy, and young offender labels to the National Pupil Database in the reasons for children’s school exclusions, defenddigitalme took immediate action. Our legal team brought a complaint to the DfE and to the Information Commissioner’s Office (ICO), the UK’s independent regulatory authority for data protection. Although defenddigitalme was able to ensure that new labels would not be given away to third parties after collection, the Local Authorities did not tell families about the new collection which went ahead, and the DfE still does not adequately inform families that their children have a permanent National Pupil Database record at all.
Along with the complaint brought by ABC and Liberty, our legal case successfully prompted the ICO to launch a formal investigation. In 2020, this investigation turned into a compulsory audit, after it was revealed that gambling companies had access to learner records. The ICO found that the Department for Education had failed to comply with data protection laws. Among the breaches specified was a failure to provide children and their parents with information about the circumstances in which pupil data was collected, the way in which it was processed, who could access the data, and how pupils can exercise their data subject rights (Articles 12, 13, and 14 of the General Data Protection Regulation (GDPR) and UK Data Protection Act).
Among the breaches specified was a failure to provide children and their parents with information about the circumstances in which pupil data was collected
Since both the DfE and the ICO have so far declined requests to release a copy of the full audit, additional details are unavailable of what exactly was in scope. But in March 2020, the DfE was tasked with developing a comprehensive data protection compliance programme. In September 2020, the Department deleted the nationality and country-of-birth data it had collected between 2016 and 2018.
In January 2021, nearly a year after the ICO audit was completed, the DfE published its first written response. Specifically, it pointed to a range of internal structural changes with regard to the DfE’s data protection function, which it began in response to the ICO audit. In June 2021, the Schools Minister promised to publish a further update “detailing progress and the recommendations that have been successfully met” on or before 22 July 2021, but at the time of writing, no additional information has been released.
Though progress has been made, much more remains to be done. As discussed in DFF’s annual strategy meeting this year, data protection authorities have limitations in their scope and remit – they can enforce data protection law but cannot make evaluations based on broader ethical considerations. Greater collaboration with other organisations working in equality and consumer law will be necessary to secure data policies that centre human rights in the years to come.
…most of all we are calling for families to be properly told how their children’s personal data is collected and used
In the meantime, defenddigitalme intends to ensure that pupil data is minimised at national, Local Authority, and local levels. We continue to lobby for the regulations permitting the census expansion to pupils’ nationality to be revoked. We work to protect all pupil data collected by the DfE from unsafe and unlawful external data shares. And most of all we are calling for families to be properly told how their children’s personal data is collected and used, and for everyone to be enabled to exercise their rights.
Jen Persson is the Director of defenddigitalme, a call to action and NGO founded to campaign for safe, fair and transparent data and digital rights in education, in England, and beyond.