The Department for Education proposes to ‘widen access’ to the information held in the National Pupil Database, changing the ‘purposes’ for which it can be shared. Or in other words, it intends to share your kids’ personal data, which it sucks up every term from school systems whether you know or like it or not, with commercial organisations, the media and a whole host of others…
DfE is running a 6-week consultation on this, which ends tomorrow. Others, including the Open Data Institute and Open Rights Group (added 18/12/12) have already published their responses.
Here is mine:
1) Do you agree with the proposal to widen the purposes for which data from the National Pupil Database can be shared? Please explain the reasons for your answer.
I disagree with the proposal for a number of reasons – not least that the purposes as redrafted offer few limits to the types and number of people and organisations with which children’s (and adults’) personal data held in the National Pupil Database could in practice be shared.
I am particularly concerned by the indicative list in section 7.1, which includes “the media” and the catch-all “commercial or non-profit organisations”; a definition that covers any corporate entity, but which clearly does not exclude purely profit-driven enterprises. There appears to be no reason why that list might not also include ‘market researchers’ or ‘direct marketers’ – or for that matter ‘political parties’.
While I trust that the Department’s Data and Statistics Division and Data Management Advisory Panel do their best to protect the personal data of the millions of people for which they are custodians, broadening the purposes in the way proposed would make this extraordinarily important job much harder; maybe even impossible.
Setting aside for a moment the stated aims or intended consequences of these changes, it is always worth examining the unintended but predictable consequences.
Were the Regulations altered to stipulate that data in the National Pupil Database could be shared, some may insist on the letter of the law that they must be shared. In such circumstances, and especially if the motivations were financial gain rather than research, the protections in place could prove to be altogether too weak. A contract or set of Terms and Conditions with threat of audit may have been sufficient to manage the release of data to the academy. To pretend that these and the sanctions offered by the Data Protection Act are sufficient to disincentivise bad behaviour in a commercial context or with the media is to fly in the face of evidence.
The second reason I disagree with the proposal is because of what it fails to say. The consultation document provides a few anecdotal suggestions in section 5.1 but no evidence or detail of how any of the “potential uses” would deliver benefit or to whom. Of course, providing superficially accurate ‘estimates’ would be meaningless, but providing some sort of outline cost/benefit and risk analyses would at least allow people to gauge the Department’s argument and thinking. As it stands the ‘argument’ is little more than a set of assertions and the proposal appears to boil down to, “We’ll suck it and see”.
I was struck by the complete absence from the entire document of the description ‘personal data’. This is a significant and damning omission. The data in the National Pupil Database is variously referred to as “rich data”, “government data”, “pupil data” and just once as “sensitive data”. At individual level, the data in NPD are indisputably personal data. Though interspersed with administrative and other data, this is information about my children, their circumstances and characteristics and my home. That this is not consistently referred to as personal data gives me cause for concern.
Which leads me to my third point; informed consent. I am fully aware that much of the data in the National Pupil Database is harvested via statutory gateway, which in law provides an exemption for processing data without consent. But what the Department chooses to present as “minor amendments” to the Regulations in fact represent a hugely significant change in what may be done with the personal data – some highly sensitive – which have been collected in this way.
To claim: “The Department makes it clear to children and their parents what information is held about pupils and how it is processed, through a statement on its website. Schools also inform parents and pupils of how the data is used through privacy notices” is, quite frankly, a joke.
(I would be very interested to see the annual traffic logs / unique visits for the web page(s) on which the Department’s “statement” resides. As far as I can tell, the page ‘National pupil database: How is the data used?’ is merely a re-ordering of the four bullet-points that appear in section 3.1 of the consultation document. Three of the six pages explaining NPD are concerned with accessing the data.)
I am probably quite unusual in having read the “privacy notices” sent from both my children’s primary and secondary schools, generally amongst a swathe of other papers and forms at the beginning of a school year or induction. These notices may have provided some information, but they certainly did not properly inform me about the National Pupil Database and what is done with the data on it. And I doubt anyone who wasn’t specifically looking for it would notice any change to the boilerplate from one year to the next.
According to the Second Data Protection Principle: “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”
The proposed changes are not just a minor ‘loosening’ of the limits to sharing. The amendment quite clearly changes the specified purpose for which at least some of personal data is collected – e.g. via the School Census – at the same time vastly increasing the type and number of bodies and organisations which may access the data and the ways in which they may process them.
That the reach, scope and scale of the National Pupil Database have been extended time and again over the years is bad enough. To try to pass off these currently proposed changes as “minor” is as cavalier as it is deceptive.
1) The proposed change offers few practical limits to the type or number of organisations which may apply for access; the protections in place are insufficient for the marketplace the Secretary of State appears to wish to create.
2) The Department provides no evidence, cost/benefit or risk analysis; its argument is mere assertion and it appears to have adopted a “suck it and see” approach.
3) The amendment as it stands is a major change to the specified purpose for which (some) personal data is being gathered; to use the “lawful” exception yet again is a perversion of principle.
So what do I suggest? Stop! Go back to the beginning. Think again.
I urge you not to go down this route at all. But if you must, for something that would clearly affect every child in state education, many who have gone through it and their families now and for generations to come, the only reasonable way forward is to conduct a full and proper consultation (I say more on this below) and to allow Parliament the opportunity to debate a far more coherent, robust and properly-evidenced proposal, in primary legislation.
2) How could you or your organisation potentially use the data?
I or my children might like to see a copy of the information that is held about them, but I assume we already have the right to do this through a Subject Access Request.
I would very much like to have a complete list of every body or agency that has accessed my children’s data. I do not know why the Department does not publish this information on its website – it is one of the most obvious things about NPD data sharing that children and parents are likely to want to know.
3) What do you see as the benefits of widening the purposes for which data can be shared?
I see significant risks and no attempt to model them, let alone the cost/benefit. I do not propose to feed the Department’s fantasies.
4) Do you have any other comments you would like to make about the proposals in this consultation document?
No. I hope I have made myself clear.
5) Please let us have your views on responding to this consultation (e.g. the number and type of questions, whether it was easy to find, understand, complete etc.).
My other comments relate to the consultation process itself.
As you say below, Cabinet Office’s current Consultation Principles state: “Departments will need to give more thought to how they engage with and consult with those who are affected.”
A six-week online consultation in the busy run-up to Christmas is neither an appropriate nor sufficient way in which to engage with and consult those who would be affected by these proposals. As much as the Department appears to wish to downplay it, the proposed amendment represents a major change in what is intended to be done with the personal information – some highly sensitive – of millions of children, some now adults and their families. It appears any thought given to this consultation process was on the basis of how quickly it could be hustled through.
Based on people I have spoken with, I strongly suspect that many if not most children and parents are still quite unaware of the National Pupil Database. But, again only anecdotally, I believe many parents and children would be very concerned at the notion that their personal information – gathered without their consent, simply by virtue of them attending school – might be shared with, say, commercial companies and the media.
At the very least, details of this consultation should have been sent to every school with instructions to notify parents that a significant change to arrangements regarding their children’s personal data was being proposed. (Neither head at either of my children’s schools had heard anything about this.) And, for any change that would affect so many, a period of at least half a term should be the minimum allowed for people to respond. Preferably not just before a holiday!
As is often the case, the questions and language in this consultation are skewed towards the positive with no mention of risks or potential disbenefits. I hardly expect this to change, but will continue to comment in the hope of improvement.