Tag Archives: National Pupil Database

Monitoring software in schools: the Department for Education’s digital dream or nightmare? (1)

Nicky Morgan, the Education Secretary,  gave a speech [1] this week and shared her dream of the benefits technology for pupils.

It mentioned two initiatives to log children’s individual actions; one is included in a consultation on new statutory guidance, and the other she praised, is a GPS based mobile monitoring app.

As with many new applications of technology, how the concept is to be implemented in practice is important to help understand how intrusive any new use of data is going to be.

Unfortunately for this consultation there is no supporting code of practice what the change will mean, and questions need asked.

The most significant aspects in terms of changes to data collection through required monitoring are in the areas of statutory monitoring, systems, and mandatory teaching of ‘safeguarding’:

Consultation p11/14: “We believe including the requirement to ensure appropriate filtering and monitoring are in place, in statutory guidance, is proportional and reasonable in order to ensure all schools and colleges are meeting this requirement. We don’t think including this requirement will create addition burdens for the vast majority of schools, as they are already doing this, but we are keen to test this assumption.”

Consultation:  paragraph 75 on page 22 introduces this guidance section and ends with a link to “Buying advice for schools.” “Governing bodies and proprietors should be confident that systems are in place that will identify children accessing or trying to access harmful and inappropriate content online. Guidance on e-security is available from the National Education Network.

Guidance: para 78 “Whilst it is essential that governing bodies and proprietors ensure that appropriate filters and monitoring systems are in place they should be careful  that “over blocking” does not lead to unreasonable restrictions as to what children can be taught with regards to online teaching  and safeguarding.” —

Consultation: “The Opportunities to teach safeguarding” section (para 77-78) has been updated and now says governing bodies and  “should ensure” rather than “should consider” that children are taught about safeguarding, including online, through teaching and learning opportunities. This is an important topic and the assumption is the vast majority of governing bodies and proprietors will already be ensuring the children in their school are suitably equipped with regards to safeguarding. But we are keen to hear views as to the change in emphasis.”

Paragraph 88 on p24  is oddly phrased: “Governing bodies and proprietors should ensure that staff members do not agree confidentiality and always act in the best interests of the child.”

What if confidentiality may sometimes be in the best interests of the child? What would that mean in practice?

 

Keeping Children Safe in Education – Questions on the Consultation and Use in practice

The consultation [2] is open until February 16th, and includes a new requirement to have web filtering and monitoring systems.

Remembering that 85% of children’s waking hours are spent outside school, and in a wide range of schools our children aged 2 -19, not every moment is spent unsupervised and on-screen, is it appropriate that this 24/7 monitoring would be applied to all types of school?

This provider software is reportedly being used in nearly 1,400 secondary schools in the UK.  We hear little about its applied use.

The cases of cyber bullying or sexting in schools I hear of locally, or read in the press, are through smartphones. Unless the school snoops on individual devices I wonder therefore if the cost, implementation and impact is proportionate to the benefit?

  1. Necessary and proportionate? How does this type of monitoring compare with other alternatives?
  2. Privacy impact assessment? Has any been done – surely required as a minimum measure?
  3. Cost benefit risk assessment of the new guidance in practice?
  4. Problem vs Solution: What problem is it trying to solve and how will they measure if it is successful, or stop its use if it is not?  Are other methods on offer?
  5. Due diligence: how do parents know that the providers have undergone thorough vetting and understand who they are? After all, these providers have access to millions of our children’s  online interactions.
  6. Evidence: If it has been used for years in school, how has it been assessed against other methods of supervision?
  7. The national cash cost: this must be enormous when added up for every school in the country, how is cost balanced against risk?
  8. Intangible costs – has anyone asked our children’s feeling on this? Where is the boundary between what is constructive and creepy? Is scope change documented if they decide to collect more data?

Are we Creating a Solution that Solves or creates a Problem?

The private providers would have no incentive to say their reports don’t work and schools, legally required to be risk averse, would be unlikely to say stop if there is no outcome at all.

Some providers  include “review of all incidents by child protection and forensic experts; freeing up time for teachers to focus on intervention” and “trends such as top users can be viewed.” How involved are staff who know the child as a first point of information sharing?

Most tools are multipurposed and I understand the reasons given behind them, but how it is implemented concerns me.

If the extent of these issues really justify this mass monitoring in every school – what are we doing to fix the causes, not simply spy on every child’s every online action in school? (I look at how it extends outside in part two.)

Questions on Public engagement: How are children and families involved in the implementation and with what oversight?

  1. Privacy and consent: Has anyone asked pupils and parents what they think and what rights they have to say no to sharing data?
  2. Involvement: Are parents to be involved and informed in software purchasing and in all data sharing decisions at local or regional level? Is there consistency of message if providers vary?
  3. Transparency: Where are the data created through the child’s actions stored, and for how long? Who has access to the data? What actions may result from it? And with what oversight?
  4. Understanding: How will children and parents be told what is “harmful and inappropriate content” as loosely defined by the consultation, and what they may or may not research? Children’s slang changes often, and “safeguarding” terms are subjective.
  5. Recourse: Will it include assessment of unintended consequences from misinterpretation of information gathered?
  6. Consent: And can I opt my child out from data collection by these unknown and ‘faceless’ third parties?

If children and parents are told their web use is monitored, what chilling effect may that have on their trust of the system, of teaching staff, and their ability to look for content to support their own sensitive concerns or development  that they may not be able to safe to look for at home? What limitation will that put on their creativity?

These are all questions that should be asked to thoroughly understand the consultation and requires wide public examination.

Since key logging is already common practice (according to provider websites) and will effectively in practice become statutory, where is the public discussion? If it’s not explicitly statutory, should pupils be subject to spying on their web searches in a postcode lottery?

What exactly might this part of the new guidance mean for pupils?

In part two, I include the other part of her speech, the GPS app and ask whether if we track every child in and outside school, are we moving closer to the digital dream, or nightmare, in the search to close the digital skills gap?

****

References:

[1] Nicky Morgan’s full speech at BETT

[2] Consultation: Keeping Children Safe in Education – closing Feb 16thThe “opportunities to teach safeguarding” section (para 77-78) has been updated and now says governing bodies and proprieties “should ensure” rather than “should consider” that children are taught about safeguarding, including online, through teaching and learning opportunities.

The Consultation Guidance: most relevant paragraphs 75 and 77 p 22

“Governing bodies and proprietors should be confident that systems are in place that will identify children accessing or trying to access harmful and inappropriate content online. [Proposed statutory guidance]

Since “guidance on procuring appropriate ICT” from the National Education Network NEN* is offered, it is clearly intended that this ‘system’ to be ‘in place’, should be computer based. How will it be applied in practice? A number of the software providers for schools already provide services that include key logging, using “keyword detection libraries” that “provides a complete log of all online activity”.

(*It’s hard to read more about as many of NEN’s links are dead.)  

Access to school pupil personal data by third parties is changing

The Department for Education in England and Wales [DfE] has lost control of who can access our children’s identifiable school records by giving individual and sensitive personal data out to a range of third parties, since government changed policy in 2012. It looks now like they’re panicking how to fix it.

Applicants wanting children’s personal identifiable and/or sensitive data now need to first apply for the lowest level criminal record check, DBS, in the access process, to the National Pupil Database.

Schools Week wrote about it and asked for comment on the change [1] (as discussed by Owen in his blog [2] and our tweets).

At first glance, it sound like a great idea, but what real difference will this make to who can receive 8 million school pupils’ data?

Yes, you did read that right.

The National Pupil Database gives away the personal data of eight million children, aged 2-19. Gives it away outside its own protection,  because users get sent raw data, to their own desks.[3]

It would be good to know people receiving your child’s data hadn’t ever been cautioned or convicted about something related to children in their past, right?

Unfortunately, this DBS check won’t tell the the Department for Education (DfE) that – because it’s the the basic £25 DBS check [4], not full version.

So this change seems less about keeping children’s personal data safe than being seen to do something. Anything. Anything but the thing that needs done. Which is to keep the data secure.

Why is this not a brilliant solution? 

Moving towards the principle of keeping the data more secure is right, but in practice, the DBS check is only useful if it would make data safe by stopping people receiving data and the risks associated with data misuse. So how will this DBS check achieve this? It’s not designed for people who handle data. It’s designed for people working with children.

There is plenty of evidence available of data inappropriately used for commercial purposes often in the news, and often through inappropriate storage and sharing of data as well as malicious breaches. I am not aware, and refer to this paper [5], of risks realised through malicious data misuse of data for academic purposes in safe settings. Though mistakes do happen through inappropriate processes, and through human error and misjudgement.

However it is not necessary to have a background check for its own sake. It is necessary to know that any users handle children’s data securely and appropriately, and with transparent oversight. There is no suggestion at all that people at TalkTalk are abusing data, but their customers’ data were not secure and those data held in trust are now being misused.

That risk is the harm that is likely to affect a high number of individuals if bulk personal data are not securely managed. Measures to make it so must be proportionate to that risk. [6]

Coming back to what this will mean for individual applicants and its purpose: Basic Disclosure contains only convictions considered unspent under The Rehabilitation of Offenders Act 1974. [7]

The absence of a criminal record does not mean data are securely stored or appropriately used by the recipient.

The absence of a criminal record does not mean data will not be forwarded to another undisclosed recipient and there be a way for the DfE to ever know it happened.

The absence of a criminal record showing up on the basic DBS check does not even prove that the person has no previous conviction related to misuse of people or of data. And anything you might consider ‘relevant’ to children for example, may have expired.

DBS_box copy

So for these reasons, I disagree that the decision to have a basic DBS check is worthwhile.  Why? Because it’s effectively meaningless and doesn’t solve the problem which is this:

Anyone can apply for 8m children’s personal data, and as long as they meet some purposes and application criteria, they get sent sensitive and identifiable children’s data to their own setting. And they do. [8]

Anyone the 2009 designed legislation has defined as a prescribed person or researcher, has come to mean journalists for example. Like BBC Newsnight, or Fleet Street papers. Is it right journalists can access my children’s data, but as pupils and parents we cannot, and we’re not even informed? Clearly not.

It would be foolish to be reassured by this DBS check. The DfE is kidding themselves if they think this is a workable or useful solution.

This step is simply a tick box and it won’t stop the DfE regularly giving away the records of eight million children’s individual level and sensitive data.

What problem is this trying to solve and how will it achieve it?

Before panicking to implement a change DfE should first answer:

  • who will administer and store potentially sensitive records of criminal convictions, even if unrelated to data?
  • what implications does this have for other government departments handling individual personal data?
  • why are 8m children’s personal and sensitive data given away ‘into the wild’ beyond DfE oversight in the first place?

Until the DfE properly controls the individual personal data flowing out from NPD, from multiple locations, in raw form, and its governance, it makes little material difference whether the named user is shown to have, or not have a previous criminal record. [9] Because the DfE has no idea if they are they only person who uses it.

The last line from DfE in the article is interesting: “it is entirely right that we we continue to make sure that those who have access to it have undergone the necessary background checks.”

Continue from not doing it before? Tantamount to a denial of change, to avoid scrutiny of the past and status quo? They have no idea who has “access” to our children’s data today after they have released it, except on paper and trust, as there’s no audit process.[10]

If this is an indicator of the transparency and type of wording the DfE wants to use to communicate to schools, parents and pupils I am concerned. Instead we need to see full transparency, assessment of privacy impact and a public consultation of coordinated changes.

Further, if I were an applicant, I’d be concerned that DfE is currently handling sensitive pupil data poorly, and wants to collect more of mine.

In summary: because of change in Government policy in 2012 and the way in which it is carried out in practice, the Department for Education in England and Wales [DfE] has lost control of who can access our 8m children’s identifiable school records. Our children deserve proper control of their personal data and proper communication about who can access that and why.

Discovering through FOI [11] the sensitivity level and volume of identifiable data access journalists are being given, shocked me. Discovering that schools and parents have no idea about it, did not.

This is what must change.

 

*********

If you have questions or concerns about the National Pupil Database or your own experience, or your child’s data used in schools, please feel free to get in touch, and let’s see if we can make this better to use our data well, with informed public support and public engagement.

********

References:
[1] National Pupil Database: How to apply: https://www.gov.uk/guidance/national-pupil-database-apply-for-a-data-extract

[2]Blogpost: http://mapgubbins.tumblr.com/post/132538209345/no-more-fast-track-access-to-the-national-pupil

[3] Which third parties have received data since 2012 (Tier 1 and 2 identifiable, individual and/or sensitive): release register https://www.gov.uk/government/publications/ national-pupil-database-requests-received

[4] The Basic statement content http://www.disclosurescotland.co.uk/disclosureinformation/index.htm

[5] Effective Researcher management: 2009 T. Desai (London School of Economics) and F. Ritchie (Office for National Statistics), United Kingdom http://www.unece.org/fileadmin/DAM/stats/documents/ece/ces/ge.46/2009/wp.15.e.pdf

[6] TalkTalk is not the only recent significant data breach of public trust. An online pharmacy that sold details of more than 20,000 customers to marketing companies has been fined £130,000 https://ico.org.uk/action-weve-taken/enforcement/pharmacy2u-ltd/

[7] Guidance on rehabilitation of Offenders Act 1974 https://www.gov.uk/government/uploads/system/uploads/
attachment_data/file/299916/rehabilitation-of-offenders-guidance.pdf

[8] the August 2014 NPD application from BBC Newsnight https://www.whatdotheyknow.com/request/293030/response/723407/attach/10/BBC%20Newsnight.pdf

[9] CPS Guidelines for offences involving children https://www.sentencingcouncil.org.uk/wp-content/uploads/Final_Sexual_Offences_Definitive_Guideline_content_web1.pdf
indecent_images_of_children/

[10] FOI request https://www.whatdotheyknow.com/request/pupil_data_application_approvals#outgoing-482241

[11] #saveFOI – I found out exactly how many requests had been fast tracked and not scrutinised by the data panel via a Freedom of Information Request, as well as which fields journalists were getting access to. The importance of public access to this kind of information is a reason to stand up for FOI  http://www.pressgazette.co.uk/press-gazette-launches-petition-stop-charges-foi-requests-which-would-be-tax-journalism

 

Parliament’s talking about Talk Talk and Big Data, like some parents talk about sex. Too little, too late.

Parliament’s talking about Talk Talk and Big Data, like some parents talk about sex ed. They should be discussing prevention and personal data protection for all our personal data, not just one company, after the event.

Everyone’s been talking about TalkTalk and for all the wrong reasons. Data loss and a 15-year-old combined with a reportedly reckless response to data protection, compounded by lack of care.

As Rory Cellan-Jones wrote [1] rebuilding its reputation with customers and security analysts is going to be a lengthy job.

In Parliament Chi Onwarah, Shadow Minister for Culture & the Digital Economy, summed up in her question, asking the Minister to acknowledge “that all the innovation has come from the criminals while the Government sit on their hands, leaving it to businesses and consumers to suffer the consequences?”  [Hansard 2]

MPs were concerned for the 4 million* customers’ loss of name, date of birth, email, and other sensitive data, and called for an inquiry. [It may now be fewer*.] [3] The SciTech committee got involved too.

I hope this means Parliament will talk about TalkTalk not as the problem to be solved, but as one case study in a review of contemporary policy and practices in personal data handling.

Government spends money in data protection work in the [4] “National Cyber Security Programme”. [NCSP] What is the measurable outcome – particularly for TalkTalk customers and public confidence – from its £860M budget?  If you look at the breakdown of those sums, with little going towards data protection and security compared with the Home Office and Defence, we should ask if government is spending our money in an appropriately balanced way on the different threats it perceives. Keith Vaz suggested British companies that lose £34 billion every year to cybercrime. Perhaps this question will come into the inquiry.

This all comes after things have gone wrong.  Again [5]. An organisation we trusted has abused that trust by not looking after data with the stringency that customers should be able to expect in the 21st century, and reportedly not making preventative changes, apparent a year ago. Will there be consequences this time?

The government now saying it is talking about data protection and consequences, is like saying they’re talking sex education with teens, but only giving out condoms to the boys.

It could be too little too late. And they want above all to avoid talking about their own practices. Let’s change that.

Will this mean a review to end risky behaviour, bring in change, and be wiser in future?

If MPs explore what the NCSP does, then we the public, should learn more about what government’s expectations of commercial companies is in regards modern practices.

In addition, any MPs’ inquiry should address government’s own role in its own handling of the public’s personal data. Will members of government act in a responsible manner or simply tell others how to do so?

Public discussion around both commercial and state use of our personal data, should mean genuine public engagement. It should involve a discussion of consent where necessary for purposes  beyond those we expect or have explained when we submit our data, and there needs to be a change in risky behaviour in terms of physical storage and release practices, or all the talk, is wasted.

Some say TalkTalk’s  practices mean they have broken their contract along with consumer trust. Government departments should also be asking whether their data handling would constitute a breach of the public’s trust and reasonable expectations.

Mr Vaizey should apply his same logic to government handling data as he does to commercial handling. He said he is open to suggestions for improvement. [6]

Let’s not just talk about TalkTalk.

    • Let’s Talk Consequences: organisations taking risk seriously and meaningful consequences if not [7]
    • Let’s Talk Education: the education of the public on personal data use by others and rights and responsibilities we have [8]
    • Let’s Talk Parliament’s Policies and Practices: about its own complementary lack of data  understanding in government and understand what good practice is in physical storage, good governance and transparent oversight
    • Let’s Talk Public Trust: and the question whether government can be trusted with public data it already has and whether its current handling makes it trustworthy to take more [9]

Vaizey said of the ICO now in his own department: “The Government take the UK’s cyber-security extremely seriously and we will continue to do everything in our power to protect organisations and individuals from attacks.”

“I will certainly meet the Information Commissioner to look at what further changes may be needed in the light of this data breach. [..] It has extensive powers to take action and, indeed, to levy significant fines. “

So what about consequences when data are used in ways the public would consider a loss, and not through an attack or a breach, but government policy? [10]

Let’s Talk Parliament’s Policies and Practices

Commercial companies are not alone in screwing up the use and processing [11] management of our personal data. The civil service under current policy seems perfectly capable of doing by itself. [12]

Government data policy has not kept up with 21st century practices and to me seems to work in the dark, as Chi Onwarah said,

‘illuminated by occasional flashes of incompetence.’

This incompetence can risk harm to people’s lives, to business and to public confidence.

And once given, trust would be undermined by changing the purposes or scope of use for which it was given, for example as care.data plans to do after the pilot. A most risky idea.

Trust in these systems, whether commercial or state, is crucial. Yet reviews which highlight this, and make suggestions to support trust such as ‘data should never be (and currently is never) released with personal identifiers‘ in The Shakespeare Review have been ignored by government.

Where our personal data are not used well in government departments by the department themselves, they seem content to date to rely on public ignorance to get away with current shoddy practices.

Practices such as not knowing who all your customers are, because they pass data on to others. Practices, such as giving individual level identifiable personal data to third parties without informing the public, or asking for consent. Practices, such as never auditing or measuring any benefit of giving away others personal data.

“It is very important that all businesses, particularly those handling significant amounts of sensitive customer data, have robust procedures in place to protect those data and to inform customers when there may have been a data breach.” Ed Vaizey, Oct 26th, HOC

If government departments prove to be unfit to handle the personal data we submit in trust to the state today, would we be right to trust them with even more?

While the government is busy wagging fingers at commercial data use poor practices, the care.data debacle is evidence that not all its MPs or civil service understand how data are used in commercial business or through government departments.

MPs calling for commercial companies to sharpen up their data protection must understand how commercial use of data often piggy-backs the public use of our personal data, or others getting access to it via government for purposes that were unintended.

Let’s Talk Education

If the public is to understand how personal data are to be kept securely with commercial organisations, why should they not equally ask to understand how the state secures their personal data? Educating the public could lead to better engagement with research, better understanding of how we can use digital services and a better educated society as a whole. It seems common sense.

At a recent public event [13],  I asked civil servants talking about big upcoming data plans they announced, linking school data with more further education and employment data, I asked how they planned to involve the people whose data they would use. There was no public engagement to mention. Why not? Inexcusable in this climate.

Public engagement is a matter of trust and developing understanding in a relationship. Organisations must get this right.[14]

If government is discussing risky practices by commercial companies, they also need to look closer to home and fix what is broken in government data handling where it exposes us to risk through loss of control of our personal data.

The National Pupil Database for example, stores and onwardly shares identifiable individual sensitive data of at least 8m children’s records from age 2 -19. That’s twice as big as the TalkTalk loss was first thought to be.

Prevention not protection is what we should champion. Rather than protection after the events,  MPs and public must demand emphasis on prevention measures in our personal data use.

This week sees more debate on how and why the government will legislate to have more powers to capture more data about all the people in the country. But are government policy, process and practices fit to handle our personal data, what they do with it and who they give it to?

Population-wide gathering of data surveillance in any of its many forms is not any less real just because you don’t see it. Children’s health, schools, increases in volume of tax data collection. We don’t discuss enough how these policies can be used every day without the right oversight. MPs are like the conservative parents not comfortable talking to their teens about sleeping with someone. Just because you don’t know, it doesn’t mean they’re not doing it. [15] It just means you don’t want to know because if you find out they’re not doing it safely, you’ll have to do something about it.

And it might be awkward. (Meanwhile in schools real, meaningful PHSE has been left off the curriculum.)

Mr. Vaizey asked in the Commons for suggestions for improvement.

My suggestion is this. How government manages data has many options. But the principle should be simple. Our personal data needs not only protected, but not exposed to unnecessary risk in the first place, by commercial or state bodies. Doing nothing, is not an option.

Let’s Talk about more than TalkTalk

Teens will be teens. If commercial companies can’t manage their systems better to prevent a child successfully hacking it, then it’s not enough to point at criminal behaviour. There is fault to learn from on all sides. In commercial and state uses of personal data.

There is talk of new, and bigger, data sharing plans. [16]

Will the government wait to see  and keep its fingers crossed each month to see if our data are used safely at unsecured settings with some of these unknown partners data might be onwardly shared with, hoping we won’t find out and they won’t need to talk about it, or have a grown up public debate based on public education?

Will it put preventative measures in place appropriate to the sensitivity and volume of the data it is itself responsible for?

Will moving forward with new plans mean safer practices?

If government genuinely wants our administrative data at the heart of digital government fit for the 21st century, it must first understand how all government departments collect and use public data. And it must educate the public in this and commercial data use.

We need a fundamental shift in the way the government respects public opinion and shift towards legal and privacy compliance – both of which are lacking.

Let’s not talk about TalkTalk. Let’s have meaningful grown up debate with genuine engagement. Let’s talk about prevention measures in our data protection. Let’s talk about consent. It’s personal.

******

[1] Questions for TalkTalk: http://www.bbc.co.uk/news/technology-34636308

[2] Hansard: http://www.publications.parliament.uk/pa/cm201516/cmhansrd/cm151026/debtext/151026-0001.htm#15102612000004

[3] TalkTalk update: http://www.talktalkgroup.com/press/press-releases/2015/cyber-attack-update-tuesday-october-30-2015.aspx

[4] The Cyber Security Programme: http://www.civilserviceworld.com/articles/feature/depth-look-national-cyber-security-programme

[5] Paul reviews TalkTalk; https://paul.reviews/value-security-avoid-talktalk/

[6] https://ico.org.uk/for-organisations/guide-to-data-protection/conditions-for-processing/

[7] Let’s talk Consequences: the consequences of current failures to meet customers’ reasonable expectations of acceptable risk, are low compared with elsewhere.  As John Nicolson (East Dunbartonshire) SNP pointed out in the debate, “In the United States, AT&T was fined £17 million for failing to protect customer data. In the United Kingdom, the ICO can only place fines of up to £500,000. For a company that received an annual revenue of nearly £1.8 billion, a fine that small will clearly not be terrifying. The regulation of telecoms must be strengthened to protect consumers.”

[8] Let’s talk education: FOI request revealing a samples of some individual level data released to members of the press: http://www.theyworkforyou.com/debates/?id=2015-10-26b.32.0

The CMA brought out a report in June, on the use of consumer data, the topic should be familiar in parliament, but little engagement has come about as a result. It suggested the benefit:

“will only be realised if consumers continue to provide data and this relies on them being able to trust the firms that collect and use it”, and that “consumers should know when and how their data is being collected and used and be able to decide whether and how to participate. They should have access to information from firms about how they are collecting, storing and using data.”

[9] Let’s Talk Public Trust – are the bodies involved Trustworthy? Government lacks an effective data policy and is resistant to change. Yet it wants to collect ever more personal and individual level for unknown purposes from the majority of 60m people, with an unprecedented PR campaign.  When I heard the words ‘we want a mature debate’ it was reminiscent of HSCIC’s ‘intelligent grown up debate’ requested by Kinglsey Manning, in a speech when he admitted lack of public knowledge was akin to a measure of past success, and effectively they would rather have kept the use of population wide health data ‘below the radar’.

Change: We need change, the old way after all, didn’t work, according to Minister Matt Hancock: “The old model of government has failed, so we will build a new one.” I’d like to see what that new one will look like. Does he mean to expand only data sharing policy, or the powers of the civil service?

[10] National Pupil Database detailed data releases to third parties https://www.whatdotheyknow.com/request/pupil_data_national_pupil_databa

[11] http://adrn.ac.uk/news-events/latest-news/adrn-rssevent

[12] https://jenpersson.com/public-trust-datasharing-nib-caredata-change/

[13] https://www.liberty-human-rights.org.uk/human-rights/privacy/state-surveillance

[14] http://www.computerweekly.com/news/4500256274/Government-will-tackle-barriers-to-sharing-and-linking-data-says-Cabinet-Office-minister-Hancock

Free School Meals: A political football and the need for research to referee

I wrote this post in July 2014, before the introduction of the universal infant free school meals programme (UIFSM) and before I put my interest in data to work. Here’s an updated version. My opinion why I feel it is vital that  public health and socio economic research should create an evidence base that justifies or refutes policy. 

I wondered last year whether our children’s health and the impact of UIFSM was simply a political football, which was given as a concession in the last Parliament, rushed through to get checked-off, without being properly checked out first?

How is UIFSM Entitlement Measured and What Data do we Have?

I have wondered over this year how the new policy which labels more children as entitled to free school meals may affect public health and social research.

The Free School Meal (FSM) indicator has been commonly used as a socio-economic indicator.

In fact, there is still a practical difference within the ‘free school meals’ label.

In my county, West Sussex, those who are entitled to FSM beyond infants must actively register online. Although every child in Reception, Years 1 and 2  is automatically entitled to UIFSM, parents in receipt of the state income benefits must actively register with county to have an FSM eligibility check, so that schools receive the Pupil Premium.  Strangely having to register for ‘Free School Meals’ where others need not under automatic entitlement in infants – because it’s not called as it probably should be ‘sign up for Pupil Premium’ which benefits the school budget and one hopes, the child with support or services they would not otherwise get.

Registering for a free school meal eligibility check could raise an extra grant of £1,320 per year, per child, for the child’s primary school, or £935 per child for secondary schools, to fund valuable support like extra tuition, additional teaching staff or after school activities. [source]

Researchers will need to give up the FSM indicator used as an adopted socio-economic function in age groups under 8. Over 8 (once children leave infants) only those entitled due to welfare status and actively  registered will have the FSM label. Any comparative research can only use the Pupil Premium status, but as the benefits which permit applying for it changed too, comparison will be hard. An obvious and important change to remember measuring  the effects of the policy change have had.

One year on, I’d also like to understand how research may capture the changes of children’s experience in reality.

There are challenges in this; not least getting hold of the data. Given that private providers may not all be open to provision of information, do not provide data as open data, and separately, are not subject to the Freedom of Information Act, we may not be able to find out the facts around the changes and how catering meets the needs of some of our youngest children.

If it can be hard to access information from private providers held by them, it can be even harder to do research in the public interest using information about them. In my local area Capita manages a local database and the meal providers are private companies. (No longer staff directly employed and accountable to schools as once was).

[updated Aug 30 HT Owen Boswara for the link to the Guardian article in March 2015 reporting that there are examples where this has cut the Pupil Premium uptake]

Whom does it benefit most?

Quantity or Quality and Equality?

In last year’s post I considered food quality and profit for the meal providers.

I would now be interested to see research on what changes if any there have been in the profit and costs of school meal providers since the UIFSM introduction and what benefits we see for them compared with children.

4 in 10 children are classed as living in poverty but may not meet welfare benefit criteria according to Nick Clegg, on LBC on Sept 5th 2014. That was a scandalous admission of the whole social system failure on child poverty. Hats off to the nine year-old who asked good questions last year.

The entitlement is also not applied to all primary children equally, but infants only. So within one family some children are now entitled and others are not.

I wonder if this has reshaped family evening meals for those who do not quite qualify for FSM, where now one child has already ‘had a hot meal today’ and others have not?

The whole programme of child health in school is not only unequal in application to children by age, but is not made to apply to all schools equally.

Jamie Oliver did his darnedest to educate and bring in change, showing school meals needed improvement in quality across the board. What has happened to those quality improvements he championed? Abandoned at least in free school where schools are exempt from national standards. [update: Aug 25 his recent comment].

There is clearly need when so many children are growing up in an unfairly distributed society of have and have-not, but the gap seems to be ever wider. Is Jamie right that in England eating well is a middle class concern? Is it impossible in this country to eat cheaply and eat well?

In summary, I welcome anything that will help families feed their children well. But do free school dinners necessarily mean good nutrition? The work by the Trussel Trust and others, shows what desperate measures are needed to help children who need it most and simply ‘a free school meal’ is not necessarily a ticket to good food, without rigorous application and monitoring of standards, including reviewing in schools what is offered vs what children actually eat from the offering.

Where is the analysis for people based policy that will tackle the causes of need, and assess if those needs are being met?

Evidence based understanding

It appears there were pilots and trials but we hadn’t heard much about them before September 2014. I agreed with then MP David Laws, on the closure of school kitchens, but from my own experience, the UIFSM programme lacked adequate infrastructure and education before it began.

Mr. Laws MP said,

“It is going to be one of the landmark social achievements of this coalition government – good for attainment, good for health, great for British food, and good for hard working families. Ignore the critics who want to snipe from the sidelines.”

I don’t want to be a critic from the sidelines, I’d like to be an informed citizen and a parent and know that this programme brought in good food for good health. Good for very child, but I’d like to know it brought the necessary change for the children who really needed it. [Ignoring his comment on hard working families, which indicates some sort of value judgement and out of place.]

Like these people and their FOIs, I want to ask and understand. Will this have a positive effect on the nutrition children get, which may be inadequate today?

How will we measure if UIFSM is beneficial to children who need it most?

Data used well gives insights into society that researchers should use to learn from and make policy recommendations.

The data from the meal providers and the data on UIFSM indicators as well as Pupil Premium need looked at together. That won’t be easy.

What is accessible is the data held by the DfE but that may also be “off” for true comparison because the need for active sign up is reportedly patchy.

Data on individual pupils needs used with great care due to these measurement changes in practice as well as its sensitivity. To measure that the policy is working needs careful study accounting for all the different factors that changed at the same time. The NPD has pupil premium tracked but has its uptake affected the numbers as to make it a useful comparator?

Using this administrative data  — aggregated and open data — and at other detailed levels for bona fide research is vital to understand if policies work. The use of administrative data for research has widespread public support in the public interest, as long as it is done well and not for commercial use.

To make it more usefully available, and as I posted previously, I believe the Department of Education should shape up its current practices in its capacity as the data processor and controller of the National Pupil Database to be fit for the 21st century if it is to meet public expectations of how it should be done.

Pupils and parents should be encouraged to become more aware about information used about them, in the same way that the public should be encouraged to understand how that information is being used to shape policy.

At the same time as access to state held data could be improved, we should also demand that access to information for public health and social benefit should be required from private providers. Public researchers must be prepare to stand up and defend this need, especially at a time when Freedom of Information is also under threat and should in fact expanded to cover private providers like these, not be restricted further.

Put together, this data in secure settings with transparent oversight could be invaluable in the public interest. Being seen to do things well and seeing public benefits from the data will also future-proof public trust that is vital to research. It could be better for everyone.

So how and when will we find out how the UIFSM policy change made a difference?

What did UIFSM ever do for us?

At a time when so many changes have taken place around child health, education, poverty and its measurement it is vital that public health and socio economic research creates an evidence base that justifies or refutes policy.

In some ways, neutral academic researchers play the role of referee.

There are simple practical things which UIFSM policy ignores, such as 4 year-olds starting school usually start on packed lunch only for a half term to get to grips with the basics of school, without having to manage trays and getting help to cut up food. The length of time they need for a hot meal is longer than packed lunch. How these things have affected starting school is intangible.

Other tangible concerns need more attention, many of which have been reported in drips of similar feedback such as reduced school hall and gym access affecting all primary age children (not only infants) because the space needs to be used for longer due to the increase in numbers eating hot meals.

Research to understand the availability of facilities and time spent on sport in schools since the introduction of UIFSM will be interesting to look at together with child obesity rates.

The child poverty measurements also moved this year. How will this influence our perception of poverty and policies that are designed to tackle it?

Have we got the data to analyse these policy changes? Have we got analysis of the policy changes to see if they benefit children?

As a parent and citizen, I’d like to understand who positions the goalposts in these important public policies and why.

And who is keeping count of the score?

****

image source: The Independent

refs: Helen Barnard, JRF. http://www.jrf.org.uk/blog/2015/06/cutting-child-benefit-increasing-free-childcare-where-poverty-test

Our children’s school data: an end-of-year report card

To quote the late Aaron Swartz: “It’s not OK to not understand the internet, anymore.”

Parents and guardians are trying their best.We leave work early and hurry to attend meetings on internet safety. We get told how vital it is that children not give away their name, age or address to strangers on social media. We read the magazines that come home in book bags about sharing their identity with players in interactive games.  We may sign school policies to opt out of permission for sharing photos from school performances on the school website.

And yet most guardians appear unaware that our children’s confidential, sensitive and basic personal data are being handed out to third parties by the Department of Education, without our knowledge or clear and accessible public accountability.

Data are extracted by the Department for Education [DfE] from schools, stored in a National Pupil Database [NPD], and onwardly shared.

Fine you may say. That makes sense, it’s the Department for Education.

But did you expect that the Ministry of Defence or Schools comparison websites may request or get given access to our children’s individual records, the data [detailed in the ‘NPD data tables’] that we provide to schools for routine administration?

School heads, governors, and every parent I have spoken with in my area, are totally unaware that data extracted by the Department of Education are used in this way.

All are surprised.

Some are shocked at the extent of data sharing at such an identifiable and sensitive level, without school and parental knowledge.

The DfE manages the NPD and holds responsibility to ensure we know all about it. But they’re not ensuring that pupils and parents are told before the data extraction, who else gets access to it and for what purposes. That fails to process data fairly which is a requirement to make its use lawful.

There’s no way to opt out, to check its accuracy or recourse for anything incorrect.

As our lives involve the ever more advanced connectivity of devices, systems, and services, that’s simply not good enough. It’s not a system fit for the 21st century or our children’s digital future.

While the majority of requestors seem to access data for bona fide research in the public interest, some use it for bench marking, others are commercial users.

Is that what pupils and parents expect their data are used for?

And what happens in future when, not if, the Department chooses to change who uses it and why.

How will we know about that? Because it has done so already.

When school census data first began, it extracted no names. That changed. Every pupil’s name is now recorded along with a growing range of information.

Where it began with schools, it is now extended to nursery schools; childminders, private nurseries and playgroups.

Where it was once used only for state administrative purposes, since 2012 it has been given to third parties.

What’s next?

Data should be used in the public interest and must be shared to adequately administer, best serve, understand, and sometimes protect our children.

I want to see our children’s use of technology, and their data created in schools used well in research that will enable inclusive, measurable benefits in education and well being.

However this can only be done with proper application of law, future-proofed security, and respectful recognition of public opinion.

The next academic year must bring these systems into the 21st century to safeguard both our children and the benefits that using data wisely can bring.

Out of sight, out of date, out of touch?

The data sharing is made possible through a so-called ‘legal gateway’, law that gives permission to the Secretary of State for Education to require data from schools.

In this case, it is founded on legislation almost twenty years old.

Law founded in the 1996 Education Act and other later regulations changed in 2009 give information-sharing powers to the Secretary of State and to public bodies through law pre-dating wide use of the Internet, social media, and the machine learning and computer processing power of today.

Current law and policies have not kept pace with modern technology. 2015 is a world away even from 2009 when Pluto was still a planet.

Our children’s data is valuable, and gives insights into society that researchers should of course use to learn from and make policy recommendations. That has widespread public support in the public interest. But it has to be done in an appropriate and secure way, and as soon as it’s for commercial use. there are more concerns and questions to ask.

As an example why NPD doesn’t do this as I feel it should, the data are still given away to users in their own offices rather than properly and securely accessed in a safe-setting, as bona fide accredited researchers at the Office of National Statistics do.

In addition to leaving our children’s personal data vulnerable to cybersecurity threats, it actively invites greater exposure to human error.

Remember those HMRC child benefit discs lost in the post with personal and bank data of 25 million individuals?

Harder to do if you only access sensitive data in a safe setting where you can walk out with your research but not raw files.

When biometrics data are already widely used in schools and are quite literally, our children’s passport to the world, poor data management approaches from government in health and education are simply not good enough anymore.

It’s not OK anymore.

Our children’s personal data is too valuable to lose control of as their digital footprint will become not an add-on, but integral to everything they do in future.

Guardians do their best to bring up children as digitally responsible citizens and that must be supported, not undermined by state practices.

Children will see the divide between online and ‘real’-life activities blend ever more seamlessly.

We cannot predict how their digital identity will become used in their adult lives.

If people don’t know users have data about them, how can we be sure they are using it properly for only the right reasons or try and repair damage when they have not?

People decide to withhold identities or data online if they don’t trust how they will be used, and who will use it well.

Research, reports and decision making are flawed if data quality is poor. That is not in the public interest.

The government must at least take responsibility for current policies to ensure our children’s rights are met in practice.

People who say data privacy does not matter, seem to lack any vision of its value.

Did you think that a social media site would ever try to control its users emotions and influence their decision-making based on the data they entered or read? It just did.

Did you foresee five years ago that a fingerprint could unlock your phone? It just did.

Did you believe 5 months ago the same fingerprint accessible phone would become an accepted payment card in England? It just did.

There is often a correlation between verification of identity and payment.

Fingerprinting for payment and library management has become common in UK schools and many parents do not know that parental consent is a legal requirement.

In reality, it’s not always enacted by schools.

Guardians can find non-participation is discouraged and worry their child will be stigmatised as the exception.

Yet no one would seriously consider asking guardians to give canteens their bank card PIN.

The broad points of use where data are created and shared about our children mean parents can often not know who knows what about them.

What will that mean for them as adults much of whose lives will be digital?

What free choice remains for people who want to be cautious with their digital identities? 

Many systems increasingly require registration, some including biometric data, sometimes from vulnerable people, and the service on offer is otherwise denied.

Is that OK anymore? Or is denial-of-service a form of coercion?

The current model of state data sharing often totally ignores that the children and young people whose personal data are held in these systems are not asked, informed or consulted about changes.

While Ministers talk about wanting our children to become digital leaders of tomorrow, policies of today promote future adults ill-educated in their own internet safety and personal data sharing practices.

But it’s not OK not to understand the internet anymore.

Where is the voice of our young people talking about who shares their information, how it is used online, and why?

When shall we stop to ask collectively, how personal is too personal?

Is analysing the exact onscreen eye movement of a child appropriate or invasive?

These deeply personal uses of our young people’s information raise ethical questions about others’ influence over their decision making.

Where do we draw the line?

Where will we say, it’s not OK anymore?

Do we trust that all uses are for bona fide reasons and not ask to find out why?

Using our children’s data across a range of practices in education seem a free for all to commercially exploit, with too little oversight and no visibility of decision making processes for the public,whose personal data they profit from.

Who has oversight for the ethical use of listening software tools in classrooms, especially if used to support government initiatives like Channel in ‘Prevent’?

What corrective action is taken if our children’s data are exposed through software brought into school over which parents have no control?

The policies and tools used to manage our children’s data in and outside schools seem often out of step with current best-in-class data protection and security practices.

Pupils and parents find it hard to track who has their personal data and why.

While the Department for Education says what it expects of others, it appears less committed to meeting its own responsibilities: “We have been clear that schools are expected to ensure that sensitive pupil information is held securely. The Data Protection Act of 1998 is clear what standards schools are expected to adhere to and we provide guidance on this.” 

A post on a webpage is hardly guidance fit to future proof the data and digital identities of a whole generation.

I believe we should encourage greater use of this administrative data for bona fide research. Promoting broader use of aggregated and open data could also be beneficial. In order to do both, key things should happen that will make researchers less risk averse in its use, and put data at reduced risk of accidental or deliberate misuse by other third parties. Parents and pupils could become more confident that their data is used for all the right reasons.

The frameworks of fair processing, physical data security, of transparent governance and publicly accountable oversight need redesigned and strengthened.

Not only for data collection, but its central management, especially on a scale as large as the National Pupil Database.

“It’s not OK not to understand the internet anymore.”

In fact, it never was.

The next academic year must bring these systems into the 21st century to safeguard both our children and the benefits that using data wisely can bring.

The Department for Education “must try harder” and must start now.

********

If you have questions or concerns about the National Pupil Database or your own experience, or your child’s data used in schools, please feel free to get in touch, and let’s see if we can make this better. [Email me as listed above right.]

1. An overview: an end of year report on our Children’s School Records
2. The National Pupil Database end of year report: an F in fair processing
3. The National Pupil Database end of year report: a D in transparency, C- in security

********

References:

[1] The National Pupil Database user guide: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/261189/NPD_User_Guide.pdf

[2] Data tables to see the individual level data items stored and shared (by tabs on the bottom of the file) https://www.gov.uk/government/publications/national-pupil-database-user-guide-andsupporting-information

[3] The table to show who has applied for and received data and for what purpose https://www.gov.uk/government/publications/national-pupil-database-requests-received

[4] Data Trust Deficit – from the RSS: http://www.statslife.org.uk/news/1672-new-rss-research-finds-data-trust-deficit-with-lessons-for-policymakers

[5] Talk by Phil Booth and Terri Dowty: http://www.infiniteideasmachine.com/2013/04/terris-and-my-talk-on-the-national-pupil-database-at-the-open-data-institute/

[6] On 1 September 2013 sections 26 and 27 of the Protection of Freedoms Act 2012 came into force, requiring schools to seek parental consent before collecting biometric data, such as fingerprints.