A damning ICO report on the DfE’s data handling is a wake-up call for the department that schools can also learn from, writes Jen Persson

It’s school census time again. But do you know where the pupil records go every term?

Over 21 million people’s names are now in the national pupil database, collected in state education since 1996, including detailed special educational needs, and indicators of adoption. Even university students’ religion and sexual orientation are added from equality monitoring.

It was therefore welcome that the Information Commissioner’s Office audited the DfE in early 2020 after the misuse of learners’ records by gambling companies.

The executive summary does not detail the 139 recommendations for improvement, but over 60 per cent are classified as urgent or high-priority and it is clear that the ICO expects action from the DfE to make processing of pupil data lawful.

In the meantime, many of the recommendations are also relevant for education settings, and there is no need to wait for the DfE to set the example. Here are 7 of them:

  1. The ICO found the DfE doesn’t have a good grasp of everything it holds, a direct breach of Article 30 of the GDPR, which requires all organisations, schools included, to document all data processing.
  2. The DfE does not provide sufficient information about how people’s data is used, often not telling them at all. This is a failure of the first principle of the GDPR outlined in Article 5(1)(a), to process lawfully, fairly and in a transparent manner. In our work, we also find that schools routinely fail to tell families which apps are used, about primary assessment and accountability data collections, or what is optional in the census; to explain their data rights, or how to meet them in practical terms, such as the Right to Object; or to offer alternatives to biometric data use as required under the Protection of Freedoms Act 2012.
  3. There is confusion at the DfE about when third parties are a controller or data processor. Our research for the new State of Data 2020 report found many companies claim to be data processors simply by writing it into a contract. This is wrong. How the data is processed determines the roles, and many companies are often joint data controllers if they determine what to do with pupil data, such as repurposing it for distribution, including research. Companies do not lawfully have authority to do this on their own.
  4. The DfE has insufficient controls to protect personal data passed on to commercial users. Do you know what each app and its sub-processors really do, in what country, and who the “company affiliates” named in the terms and conditions are?
  5. The ICO also found an over-reliance on “public task” as the legal basis for data sharing, and limited understanding of the implications when “legitimate interests” is used. This is also true in schools.
  6. The DfE fails to provide sufficient training to staff about information governance, data protection, and records and risk management. Given the volume of national data demands, this should be part of basic teacher training and free CPD.
  7. DfE data protection impact assessments are not carried out early enough and sometimes not at all. This is also vital for schools, for example, when partnering with product or research trials. Insist on having a copy of their DPIA and the research ethics approval. If they refuse, ask why and consider if you should rely on trust alone to be sufficiently accountable to parents.

Children’s confidential data are collected simply because they go to school. Without parents’ permission, their identifying details are distributed to thousands of third parties and used not for the immediate purposes of a child’s education, but by companies for profit.

That’s why defenddigitalme is calling for an Education and Digital Rights Act and independent oversight under a national guardian, just like there is in the NHS. We know where the systemic issues are, and thanks to the ICO investigation into the DfE, we know they start at the very top. Now it’s time to address them.

Michael Gove was education secretary in 2012 when the government changed the law to give away millions of children’s identifying school records. Will Gavin Williamson fix it?