The government could face legal action over the way it handles pupil data as pressure grows to publish a full audit of its practices.
The campaign group DefendDigitalMe has issued a letter before claim to the Department for Education over its handling of “extremely sensitive information” about children, warning that it will seek a judicial review if it does not receive a “satisfactory response”.
The organisation said the department has “repeatedly” failed to provide details of steps it has taken to ensure it meets data protection law, and has not properly informed parents about what is done with their children’s data.
A damning audit by the Information Commissioner’s Office (ICO) in 2020 found the DfE broke data protection laws in how it handled pupil data.
The audit was prompted by complaints about the national pupil database (NPD), which holds information on millions of past and present school pupils.
A summary of the report warned that data protection “was not being prioritised”, which had “severely impacted the DfE’s ability to comply with the UK’s data protection laws”.
The watchdog issued 139 recommendations for improvement, with more than 60 per cent classified as “urgent or high priority”. The DfE said it had reviewed “all processes for the use of personal data”.
‘No sense of urgency’
But the government has not published an update on its work to address the ICO’s concerns since January 2021. The full report, which the DfE promised to publish, is also still under wraps more than two years later.
DefendDigitalMe’s director, Jen Persson, said there seemed to be “no sense of urgency”.
“[There is] no commitment to even recognising they have a serious problem, when there is no mechanism in place to automatically indicate a child at risk should have a sealed record protected from distribution.
“When you ask ordinary pupils and teachers, they are shocked to know more than statistics leave the school and are given away to an unlimited number of businesses.”
Her organisation wants a response detailing how the DfE is now complying with data protection law.
The department told Schools Week that while it was under “no obligation” to publish the full report, it had “committed in the future to publish the full report once we have concluded the work to the ICO’s satisfaction”.
As part of its investigation, the ICO looked into how the NPD, learning records service and “internally held databases” at the DfE were managed.
DfE faces questions over sharing of pupil data
The sharing of data from the NPD with external organisations has been a subject of controversy for some years, and children’s rights’ groups have called for it to be halted.
This came to a head in 2016 when the government began collecting data on pupils’ nationality and country of birth, eventually admitting it had planned to share the data with the Home Office for immigration control. The collection was cancelled in 2018.
The DfE releases anonymised sections of the NPD to organisations – including private companies – that request them. However, the ICO found the reasons for doing so were not always justified.
But access to pupil data is important for academics and research organisations, such as the National Foundation for Educational Research.
Its director of research, Lesley Duff, said analysis of important data sources played a “critical role in creating new evidence for teachers and other practitioners about what works in the education system”.
It could also provide “important insights that help the government develop new policies to improve educational outcomes”.
However, she warned it was “imperative that any data is handled and managed extremely sensitively, in compliance with GDPR principles, and is only shared with accredited academics and researchers who have been trained to use the data in a safe and secure manner”.