DfE facing action over 'wide ranging and serious' data protection breaches

The Department for Education breached data protection rules over its controversial pupil nationality data collection and by sharing pupils’ details with the Home Office, the data watchdog has found.

The Information Commissioner’s Office is now considering whether to take further regulatory action against the department following “wide ranging and serious concerns” raised in a complaint by Against Borders for Children.

The ICO’s decision letter, seen by Schools Week, said the complaint “highlighted clear deficiencies in the processing of pupil personal data by the DfE”.

“Our view is that the DfE is failing to comply fully with its data protection obligations. Primarily in the areas of transparency and accountability, where there are far reaching issues, impacting a huge number of individuals in a variety of ways.”

The letter added that the “wide ranging and serious concerns raised about the DfE in recent months, including this one, will be formally considered for further action”.

The complaint centred on the government’s retention of nationality and country of birth data collected through the school census and the sharing of pupil data with the Home Office for immigration checks.

A legal duty for schools to collect data on pupils’ nationality and country of birth was introduced in September 2016, but formally ended in June last year amid concern that it was being used to track the immigration status of children.

The ICO said the DfE does not need consent to collect and retain nationality and birth data in the pupil database.

But it found the government was failing to fully comply with the GDPR because many parents and pupils are “either entirely unaware of the school census and the inclusion of that information in the national pupil database or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional”.

On the second issue, the Home Office can request data – including a pupil’s address and school details – from the national pupil database if there is evidence of illegal activity, including illegal immigration, or evidence a child is at risk.

The DfE has agreed to share the personal details of up to 1,500 school children a month with the Home Office as part of the “hostile environment” policy. Campaigners have dubbed these “secret immigration checks”.

However, the ICO warned of a “lack of transparency by the DfE” because parents and children were not informed their data could be shared with the Home Office.

“Our view is that the DfE is failing to comply fully with the GDPR in respect of these articles and the requirement for accountability in the processing of personal data.”

Against Borders for Children, represented by human rights organisation Liberty, argued the DfE’s actions left parents afraid to send their children to school, and have called on the DfE to delete children’s nationality and country of birth data.

Kojo Kyerewaa, Against Borders for Children co-ordinator, said schools have been “covertly incorporated as part of Home Office immigration enforcement”.

“Millions of families haven’t consented to a pupil nationality database or to secret immigration checks. We call on the DfE to protect all children’s access to education without fear by deleting the pupil nationality database, repeal pupil nationality census legislation and stop immigration checks using pupils’ data.”

Lara Ten Caten, a lawyer at Liberty, said the DfE had made schools “unknowingly and unwittingly complicity in the government’s hostile environment”.

“The government must introduce a firewall so parents can send their children to school free from fear that they may face deportation as a result.”

The DfE and ICO were unable to comment on the case because of purdah restrictions.

Jen Persson, from campaign group Defend Digital Me, said it’s now about waiting to see whether the ICO will “show their teeth” and, if so, what enforcement they will take.