The UK Department of Education collects highly sensitive personal data about students for the National Pupil Database, which is routinely shared with other departments and third parties for academic and commercial use. Some children are labelled as young offenders, disabled, or having mental health issues. Because this data is stored indefinitely, these labels can be shared and used throughout someone’s lifetime.
Based on complaints by defenddigitalme in 2019, and an earlier complaint from Liberty and Against Borders for Children on the distribution of pupil data to the UK Home Office, the UK Information Commissioner’s Office audited the Department of Education in 2019-20. A summary of the audit report was published in October 2020 and found that the Department had broken the law in the processing of the database, containing details of every state school pupil in England since 2002. Data protection was not being prioritised and they were not fulfilling their duties that data “shall be processed lawfully, fairly and in a transparent manner.” The audit listed more than 130 recommendations for the Department to implement.
defenddigitalme is now considering further litigation, through judicial review proceedings at the UK High Court, to ensure that the Department implements the required changes that would ensure pupil data storage and use meets privacy and data protection standards.