The UK Department of Education collects highly sensitive personal data about students for the National Pupil Database, which is routinely shared with other departments and third parties for academic and commercial use. Some children are labelled as young offenders, disabled, or having mental health issues. Because this data is stored indefinitely, these labels can be shared and used throughout someone’s lifetime.
Based on complaints by defenddigitalme in 2019, and an earlier complaint from Liberty and Against Borders for Children on the distribution of pupil data to the UK Home Office, the UK Information Commissioner’s Office audited the Department of Education in 2019-20. A summary of the audit report was published in October 2020 and found that the Department had broken the law in the processing of the database, containing details of every state school pupil in England since 2002. Data protection was not being prioritised and they were not fulfilling their duties that data “shall be processed lawfully, fairly and in a transparent manner.” The audit listed more than 130 recommendations for the Department to implement.
UK's national pupil database
Organisation Name
defenddigitalme
Country/Jurisdiction
United Kingdom
Amount Granted
EUR 65,747
Current Status
Case partially won
Image credit: Yustinus Tjiuwanda on Unsplash
Grant type
Litigation Track Support
Description
Two instances: Data Protection Authority and High Court
The UK Department of Education collects highly sensitive personal data about students for the National Pupil Database, which is routinely shared with other departments and third parties for academic and commercial use. Some children are labelled as young offenders, disabled, or having mental health issues. Because this data is stored indefinitely, these labels can be shared and used throughout someone’s lifetime.
Based on complaints by defenddigitalme in 2019, and an earlier complaint from Liberty and Against Borders for Children on the distribution of pupil data to the UK Home Office, the UK Information Commissioner’s Office audited the Department of Education in 2019-20. A summary of the audit report was published in October 2020 and found that the Department had broken the law in the processing of the database, containing details of every state school pupil in England since 2002. Data protection was not being prioritised and they were not fulfilling their duties that data “shall be processed lawfully, fairly and in a transparent manner.” The audit listed more than 130 recommendations for the Department to implement.
Following from the outcomes of the audit, in 2021 Department for Education deleted the nationality and country-of-birth data from millions of school children, a major win resulting from long-time campaigning and litigation.
Despite this win, according to defenddigitalme the Department failed to provide details they had promised of the steps that they are taking to address the failings identified, and their practices in relation to the collection and sharing of children’s information seemed to continue largely unchanged. Therefore, in 2022, defenddigitalme began steps to get permission to apply for judicial review of the Department’s unlawful behaviour.
Unfortunately, the courts refused permission to pursue the litigation to the next stage, and defenddigitalme decided to discontinue further legal action. The ruling does not dispute or affect the significance of the concerns that the Information Commissioner had raised, or Defend Digital Me’s own view that there is still unlawful practice and excessive data collection and retention.
"Some children are labelled as young offenders, disabled, or having mental health issues. Because this data is stored indefinitely, these labels can be shared and used throughout someone’s lifetime"
Strategic Goal
For the UK Information Commissioner’s Office or High Court to rule that current data processing practices in the context of the National Pupil Database are in breach of data protection law. Ultimately, defenddigitalme want to ensure, across the UK, that the information stored about students is time-bound and limited and that every family knows how, when, and why their child’s data is being collected and processed.