Category Archives: National Pupil Database

Our children’s school data: an end-of-year report card

To quote the late Aaron Swartz: “It’s not OK to not understand the internet, anymore.”

Parents and guardians are trying their best.We leave work early and hurry to attend meetings on internet safety. We get told how vital it is that children not give away their name, age or address to strangers on social media. We read the magazines that come home in book bags about sharing their identity with players in interactive games.  We may sign school policies to opt out of permission for sharing photos from school performances on the school website.

And yet most guardians appear unaware that our children’s confidential, sensitive and basic personal data are being handed out to third parties by the Department of Education, without our knowledge or clear and accessible public accountability.

Data are extracted by the Department for Education [DfE] from schools, stored in a National Pupil Database [NPD], and onwardly shared.

Fine you may say. That makes sense, it’s the Department for Education.

But did you expect that the Ministry of Defence or Schools comparison websites may request or get given access to our children’s individual records, the data [detailed in the ‘NPD data tables’] that we provide to schools for routine administration?

School heads, governors, and every parent I have spoken with in my area, are totally unaware that data extracted by the Department of Education are used in this way.

All are surprised.

Some are shocked at the extent of data sharing at such an identifiable and sensitive level, without school and parental knowledge.

The DfE manages the NPD and holds responsibility to ensure we know all about it. But they’re not ensuring that pupils and parents are told before the data extraction, who else gets access to it and for what purposes. That fails to process data fairly which is a requirement to make its use lawful.

There’s no way to opt out, to check its accuracy or recourse for anything incorrect.

As our lives involve the ever more advanced connectivity of devices, systems, and services, that’s simply not good enough. It’s not a system fit for the 21st century or our children’s digital future.

While the majority of requestors seem to access data for bona fide research in the public interest, some use it for bench marking, others are commercial users.

Is that what pupils and parents expect their data are used for?

And what happens in future when, not if, the Department chooses to change who uses it and why.

How will we know about that? Because it has done so already.

When school census data first began, it extracted no names. That changed. Every pupil’s name is now recorded along with a growing range of information.

Where it began with schools, it is now extended to nursery schools; childminders, private nurseries and playgroups.

Where it was once used only for state administrative purposes, since 2012 it has been given to third parties.

What’s next?

Data should be used in the public interest and must be shared to adequately administer, best serve, understand, and sometimes protect our children.

I want to see our children’s use of technology, and their data created in schools used well in research that will enable inclusive, measurable benefits in education and well being.

However this can only be done with proper application of law, future-proofed security, and respectful recognition of public opinion.

The next academic year must bring these systems into the 21st century to safeguard both our children and the benefits that using data wisely can bring.

Out of sight, out of date, out of touch?

The data sharing is made possible through a so-called ‘legal gateway’, law that gives permission to the Secretary of State for Education to require data from schools.

In this case, it is founded on legislation almost twenty years old.

Law founded in the 1996 Education Act and other later regulations changed in 2009 give information-sharing powers to the Secretary of State and to public bodies through law pre-dating wide use of the Internet, social media, and the machine learning and computer processing power of today.

Current law and policies have not kept pace with modern technology. 2015 is a world away even from 2009 when Pluto was still a planet.

Our children’s data is valuable, and gives insights into society that researchers should of course use to learn from and make policy recommendations. That has widespread public support in the public interest. But it has to be done in an appropriate and secure way, and as soon as it’s for commercial use. there are more concerns and questions to ask.

As an example why NPD doesn’t do this as I feel it should, the data are still given away to users in their own offices rather than properly and securely accessed in a safe-setting, as bona fide accredited researchers at the Office of National Statistics do.

In addition to leaving our children’s personal data vulnerable to cybersecurity threats, it actively invites greater exposure to human error.

Remember those HMRC child benefit discs lost in the post with personal and bank data of 25 million individuals?

Harder to do if you only access sensitive data in a safe setting where you can walk out with your research but not raw files.

When biometrics data are already widely used in schools and are quite literally, our children’s passport to the world, poor data management approaches from government in health and education are simply not good enough anymore.

It’s not OK anymore.

Our children’s personal data is too valuable to lose control of as their digital footprint will become not an add-on, but integral to everything they do in future.

Guardians do their best to bring up children as digitally responsible citizens and that must be supported, not undermined by state practices.

Children will see the divide between online and ‘real’-life activities blend ever more seamlessly.

We cannot predict how their digital identity will become used in their adult lives.

If people don’t know users have data about them, how can we be sure they are using it properly for only the right reasons or try and repair damage when they have not?

People decide to withhold identities or data online if they don’t trust how they will be used, and who will use it well.

Research, reports and decision making are flawed if data quality is poor. That is not in the public interest.

The government must at least take responsibility for current policies to ensure our children’s rights are met in practice.

People who say data privacy does not matter, seem to lack any vision of its value.

Did you think that a social media site would ever try to control its users emotions and influence their decision-making based on the data they entered or read? It just did.

Did you foresee five years ago that a fingerprint could unlock your phone? It just did.

Did you believe 5 months ago the same fingerprint accessible phone would become an accepted payment card in England? It just did.

There is often a correlation between verification of identity and payment.

Fingerprinting for payment and library management has become common in UK schools and many parents do not know that parental consent is a legal requirement.

In reality, it’s not always enacted by schools.

Guardians can find non-participation is discouraged and worry their child will be stigmatised as the exception.

Yet no one would seriously consider asking guardians to give canteens their bank card PIN.

The broad points of use where data are created and shared about our children mean parents can often not know who knows what about them.

What will that mean for them as adults much of whose lives will be digital?

What free choice remains for people who want to be cautious with their digital identities? 

Many systems increasingly require registration, some including biometric data, sometimes from vulnerable people, and the service on offer is otherwise denied.

Is that OK anymore? Or is denial-of-service a form of coercion?

The current model of state data sharing often totally ignores that the children and young people whose personal data are held in these systems are not asked, informed or consulted about changes.

While Ministers talk about wanting our children to become digital leaders of tomorrow, policies of today promote future adults ill-educated in their own internet safety and personal data sharing practices.

But it’s not OK not to understand the internet anymore.

Where is the voice of our young people talking about who shares their information, how it is used online, and why?

When shall we stop to ask collectively, how personal is too personal?

Is analysing the exact onscreen eye movement of a child appropriate or invasive?

These deeply personal uses of our young people’s information raise ethical questions about others’ influence over their decision making.

Where do we draw the line?

Where will we say, it’s not OK anymore?

Do we trust that all uses are for bona fide reasons and not ask to find out why?

Using our children’s data across a range of practices in education seem a free for all to commercially exploit, with too little oversight and no visibility of decision making processes for the public,whose personal data they profit from.

Who has oversight for the ethical use of listening software tools in classrooms, especially if used to support government initiatives like Channel in ‘Prevent’?

What corrective action is taken if our children’s data are exposed through software brought into school over which parents have no control?

The policies and tools used to manage our children’s data in and outside schools seem often out of step with current best-in-class data protection and security practices.

Pupils and parents find it hard to track who has their personal data and why.

While the Department for Education says what it expects of others, it appears less committed to meeting its own responsibilities: “We have been clear that schools are expected to ensure that sensitive pupil information is held securely. The Data Protection Act of 1998 is clear what standards schools are expected to adhere to and we provide guidance on this.” 

A post on a webpage is hardly guidance fit to future proof the data and digital identities of a whole generation.

I believe we should encourage greater use of this administrative data for bona fide research. Promoting broader use of aggregated and open data could also be beneficial. In order to do both, key things should happen that will make researchers less risk averse in its use, and put data at reduced risk of accidental or deliberate misuse by other third parties. Parents and pupils could become more confident that their data is used for all the right reasons.

The frameworks of fair processing, physical data security, of transparent governance and publicly accountable oversight need redesigned and strengthened.

Not only for data collection, but its central management, especially on a scale as large as the National Pupil Database.

“It’s not OK not to understand the internet anymore.”

In fact, it never was.

The next academic year must bring these systems into the 21st century to safeguard both our children and the benefits that using data wisely can bring.

The Department for Education “must try harder” and must start now.


If you have questions or concerns about the National Pupil Database or your own experience, or your child’s data used in schools, please feel free to get in touch, and let’s see if we can make this better. [Email me as listed above right.]

1. An overview: an end of year report on our Children’s School Records
2. The National Pupil Database end of year report: an F in fair processing
3. The National Pupil Database end of year report: a D in transparency, C- in security



[1] The National Pupil Database user guide:

[2] Data tables to see the individual level data items stored and shared (by tabs on the bottom of the file)

[3] The table to show who has applied for and received data and for what purpose

[4] Data Trust Deficit – from the RSS:

[5] Talk by Phil Booth and Terri Dowty:

[6] On 1 September 2013 sections 26 and 27 of the Protection of Freedoms Act 2012 came into force, requiring schools to seek parental consent before collecting biometric data, such as fingerprints.

No Security Blanket – why consent packages fail our children – and more

As a mother, I want to know that my children’s personal data, when it is collected by any organisation, will be kept safe and used in ways I would expect. I see it as my responsibility safeguarding my children today, to also think of their future.

We should seek to protect the fundamentals in the Universal Declaration of human rights for all:

Everyone in the community should find the free and full development of his personality is possible. Everyone has the right to work, to free choice of employment.

In effect, these basic human rights seek to prevent discrimination and interference.

But it feels as though the world around us in England has gone mad. Risking stigma, discrimination, giving our kids’ personal information quite freely away and with it, their future autonomy.

Here’s five recent case studies and why they fail our young people.

The Department of Education’s National Pupil Database & Personal Demographics Service

What About Youth is reportedly using contact details directly from the Personal Demographic Service (PDS) data stored at HSCIC and the schools’ database, the Department of Education’s National Pupil Database, and giving them to IPSOS Mori, the poll research organisation to carry out the What About Youth? study on behalf of the Health and Social Care Information Centre, funded by the Department of Health. To contact our 14-16yr olds directly.

“Your contact details were taken from NHS Registration data, held by the Health and Social Care Information Centre and the Department of Education’s National Pupil Database, which contains details of every pupil in England. The NHS Registration data has been used as it is a reliable source of details such as name, address, date of birth and NHS Number. It does not include any medical data so we don’t know anything about any illnesses or conditions you have had or received treatment for.

We have received approval to use your contact details only for this study. We won’t be using them for any other purpose, nor will we share them with anyone else. “

I don’t know that any parent would find that an expected use of their personal contact details to be contacted by the third party directly.

How is the questionnaire coded I wonder, whilst “the answers will not have the child’s name and address on, so no-one who sees them will know whose they are,” the “aim of the study is to make it easier for doctors, nurses and local authorities to help young people.” So it would appear Local Authority is going to be coded at least. And your individual postcode. And child’s age and gender and ethnicity and more.

If the child (14-16yr olds) agrees to being re-contacted, I would want to know as a parent exactly how, when and for what. But parents are encouraged not to influence the child completing the form, so we may never know. The survey asks about all sorts of insecurities, not all of which I believe every 14 year old will have yet considered. Is it right that the State should intrude with these topics into my child’s private time and thoughts? The content deserves scrutiny from parents before the children are involved. At least, not done in school, we get a letter and know about it at home.

But how can the project ethically ask my child to give their consent to share intimate details not only about themselves but about our whole household and potentially agree to future contact, whilst expressly asking me not to be involved in the decision?

I wonder how pupils will feel whose parents suggest they would prefer their child does not complete it?

Surely if the Department of Education’s National Pupil Database is obligatory it should not assume OK to give out personal contact details to anyone? Some families choose to be ex-directory. Does the cross-purposes use of the Personal Demographics Service make that now impossible?

Should our children and parents, who trust that their personal details are used for registering for the basic rights of health and education, not be allowed to trust those contact details are held in confidence, rather than shared with third parties?

What is the government thinking about, as it manages our young people’s data privacy?

The National Citizen Service and Health Data stored at the Health and Information Centre

While I was looking more closely at the DAAG (HSCIC) minutes this week as related to, I looked at the approval for consent advice and request for future data linkage with the National Citizen Service (NCS) project, open to all 16 and 17-year-olds in England. The request checked that the consent was appropriate for future sharing of Mental health and Hospital Records with the Cabinet Office.

While I was at it, I took a look a close look at the NCS sign up process. At the bottom of the online register in small print was the required check box to proceed:

I agree to my personal data being stored, shared and used by the NCS Trust and other organisations to inform me of NCS and graduate opportunities and to support the delivery of NCS and its graduate programme. I agree to the NCS Terms & Conditions and Privacy Policy.

Then you need to click down twice, to the T&C and Privacy Policy.
From the Terms&Conditions we need to take another step:

Information about you : We will never pass any details you provide to us on to anyone other than those specified in our privacy policy.

You also need to go to the separate Privacy Policy. which turns out stating there is virtually nothing private about managing your personal data after you enquire at all – but is in fact a  ‘Data Sharing Policy’:

 “By submitting the Expression of Interest form you agree to your personal data being stored, shared and used by the NCS Trust (the data controller) and the following organisations: NCS contractors and their sub-contractors, government bodies, strategic partners of NCS, fraud detection organisations, organisations supporting the delivery of NCS or other organisations (including any organisation running or supporting all or part of NCS in the future).”

You must agree or cannot proceed with the application.

Where does the consent to link to a child’s medical Mental Health and Hospital records get asked I wonder? Does it get expressly asked later in the project or on paper because it does not get asked online in the Young Person nor the Adult/Guardian’s sign up. Is this the consent process the DAAG approved? Is it just meant to be included in the blanket “government bodies”? Perhaps the wording is still to be amended?

Sign the child (and your own ‘Guardian’ details) up for NCS and there is no choice but to accept that data sharing agreement. You must accept it to sign up for the programme but there is an open ended who, when and for what in the blanket consent …”supporting all or part of NCS in the future.” The NCS sign-up and consent doesn’t explicitly mention sharing data with named sub-contractors anywhere either.

The charities involved may do great work. But why Serco? Is this the organisation that we would wish to be managing our young people’s personal data? Think I agree with Navca on this one. By signing away rights …”in the future,” we have no idea WHO will own the data  later.

Should our children who need this NCS programme most, not be allowed to particpate unless their personal and potentially medical details go to all these unknown future places?

UCAS and student applications – further education

When I read recently in the Guardian about Ucas selling student records of our under 18s applying to university I was equally surprised.

At a time when teen deaths from alcohol consumption often mixed with energy drinks appear regularly in the news, it is highly irresponsible to me as a parent, to know that a commercial company promoted new energy drinks by sending cans to 17,500 selected students in order to create a “social media buzz”. I know from my own experience, university is often the place we are first exposed to a regular bar life. And so does business.

This goes far beyond the scope of what our teens signing up should expect their data to be used for. Who will decide what products and what uses of data will be acceptable in future?

I am fed up of these blanket consent approaches which deny a service unless we also sign away the knowledge of our personal habits and preferences for others to commercially exploit.

This mixing of purposes in which data privacy is to one’s disadvantage, is an abuse of trust. And it is the importance of trust and exploiting mixed purposes, which for me, has been so starkly highlighted in the management of our medical records.

Dental Service – the NHS Business Service Authority

When I signed the form to pay for my recent dental treatment I read the small print. The Dental Admin Assistant shared my surprise to find that the data processing takes place outside the UK, and requires data sharing with processors in ‘India or Sri Lanka.” WHO WILL USE IT WHERE and FOR WHAT PURPOSES? I am required to sign the form to agree to pay for my treatment. It gives permission to share with Dept of Work and Pensions, HM Revenue and Customs, local authorities and CCGS (then PCTs). But why should the one signature to bind them all, mean sending my personal confidential data abroad, outwith EU data laws even?

Is there fair processing on this form, does it indicate properly for what purposes the wide ranging bodies will be given access? Surely they don’t all need it for “fraud prevention and to ensure correctness” about my dental check up?

If the government bodies are all working together and can share data at will under these blanket assumptions, without our explicit consent or knowledge, then a great number of people will be rightly concerned. I am concerned by powers this Memorandum gives NHS Protect and the Border Agency from 2011 and I am a legitimate resident. ” To provide a centre of excellence for NHS anti-crime work by applying a strategic, coordinated and intelligence led approach.”  I only went for a scale-and-polish!

This default to wide sharing seems to be increasingly seen as the norm. Surely it should be assumed that the minimum data should be shared with the minimum necessary recipients? Current policies seem to have confused a drive for Open Data with giving away our privacy.

How could it be done differently?

If I sign a form to pay for my dental treatment, surely it should be only that. If you want other permissions, ask in other check boxes. I believe our NHS should be managing our NHS data within our borders, but that is a separate debate.

This blanket consent approach excludes the service unless you are happy to give open ended access to your personal data to Government and its contractors.

Should I not be allowed to have NHS dental treatment, for which I pay on completion, unless my personal details go to all these other places?

Let’s consider an alternative. Enable the ability to say yes to paying for my treatment, without sharing fully identifiable data with other government bodies or sending it abroad.

It is one thing to share truly anonymised data. And quite another to extract identifiable personal details for at minimum ten years or longer. Time limit the consent.

If the 14-16yr old on the What About Youth questionnaire agrees to ‘future contact’ they presumably are agreeing to  having identifiable data and contact data kept with their answers, to enable that future contact.

If children agree to the NCS blanket sign up, they are signed up for an unspecified time. These sign ups remove our children’s autonomy later in life, and they can never get it back.

Right now, I wouldn’t let my children’s personal data anywhere near any of these systems if I wanted to retain any future control of it at all. But do I have a choice? My children are in school, and that will mean in the Department of Education’s National Pupil Database. And they will have NHS records. I see some subject access requests ahead.

Given past historical purposes of the ONSET project at the Home Office, Contact Point and DWP I would want to keep my kids’ data free from all of these.

Some may ask, why does it matter?

Because this joining up of services is interweaving systems whose aim is on the one hand compassion and care, with those on the other which are punitive and controlling. Their aims are not aligned. And inevitably it is the systems which shout loudest, under any government of the day, whose opinion tips the balance of purpose and decision making. And recent claims of micro managing in Health show, top down control usually wins.

Because I believe the earlier we label our children the harder it is for them to become anything more.  Inevitably labels shape expectations. Not only for the individual but those who interact with them. It is only the very best educators and social care staff or police or medics who manage to put those aside and see the individual in each episode of contact. The future intent for is integration of data sharing between medical contact, social care and education, under local authorities, health and wellbeing boards and more. How far would the impact of one wrong label spread in a child’s lifetime, in different places?

Because our children should enter adulthood with as few restrictions placed upon their development and self-determination as possible. Even, I would argue, those children who need the contact with all those organisations. I could argue, all the more so, precisely because they have those extra needs and contact. They may need excellent care and transition between youth and adult services. They need it facilitated first and foremost by qualified individuals who are trusted to do the job they trained for and have a vocational passion to complete. Yes the staff need data, but proportionate to the individual need, for the time period it is needed. We need to protect the extra vulnerable in many extra ways.

And we also need to protect the fundamentals in the Universal Declaration of human rights for all. Everyone in the community should find the free and full development of his personality is possible. Everyone has the right to work, to free choice of employment. In effect, these basic human rights seek to prevent discrimination and interference.

Our young people don’t care about the risks of personal data sharing?

Our young people are more savvy than we give them credit for. In a world of shared selfies and social media, it can be wrongly assumed that they are careless with their own privacy. This  Electronic Patient Records work run by the Academy of Engineering in 2010, with support from the Wellcome Trust, came out with a report and seven key questions p.39 which are very pertinent today. The young people identified themselves the risks of prejudice and discrimination. The concerns they raise are no different from concerned adults. Our young people are switched on to the risks of personal data sharing.

When it comes to our children’s data, organisations should be going the extra mile to be transparent. I believe they should carefully consider how the public will perceive anything that looks hidden. Consents should be all up front on the top layer of sign up forms. One consent per sentence. If you want to contact my children, ask me first. And if you offer a public service, would you consider first not piggy-backing a commitment to sharing with other bodies or commercial companies on to the consent package?

Why these blanket consents fail our children

These blanket consents are ubiquitous in modern data sharing, from the obvious supermarket sign ups, to which even David Cameron does not consent, to the totally surprising in education and health. Yet he happily signed us up under a blanket assumed opt in to be ‘willing research patients.’ This mixing of purposes under one blanket consent, in which looking after your data privacy is to one’s disadvantage, or criticised as selfish, is an abuse of trust. And an abuse of our children’s future freedoms. They fail to give proper governance of who will own the data once shared. They fail to give proper information of what it may be used for. And they fail to clearly limit the time period for which the consent is given, and after which data will be destroyed.

Not only trust, but the needs of genuine purposes in the public interest are undermined by mixing all these purposes into one consent. Worse still, assuming yes for all these conflated uses unless you opt out.

If there had been singular purpose, would have been easier to understand and less likely to have failed to win our support.

I for one, am fed up with blanket consent. We can do it differently. We can do better for our children.


{cartoon: From via Scott Stantis 2007}