Misplaced Pages

National Pupil Database

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.

The National Pupil Database (NPD) is a database controlled by the Department for Education in England , based on multiple data collections from individuals age 2-21 in state funded education and higher education. Data are matched using pupil names, dates of birth and other personal and school characteristics, including special educational needs, disability, and indicators for free school meals, a child in care, and families in the armed forces. Personal details are linked to pupils' attainment and exam results over a lifetime school attendance.

#247752

64-659: In October 2018 the database contained over 21 million individual named pupil records. It is deemed by the Department to be “one of the richest education datasets in the world". This is just one of the distributed datasets that the Department for Education controls, and separate from the further Individualised Learner Record (ILR) in the Learning Records Service, for example. Schools use Management Information Systems (MIS) to collect and analyse pupil level information at local level. Data from these systems are used to complete

128-601: A Creative Commons License .) The release of data permitting pupil level release of individuals’ identifiable data to third parties from the National Pupil Database was updated by 2013 changes to legislation. Section 114 of the Education Act 2005 , and section 537A of the Education Act 1996 , together with the 2009 Prescribed Persons Act, were amended in 2010 and 2013 , to allow the release of individual children's data to third parties. Which data items are involved

192-516: A compulsory audit it had carried out of the Department for Education in spring 2020. The audit found that data protection was not being prioritised and this had severely impacted the DfE's ability to comply with the UK's data protection laws. A total of 139 recommendations for improvement were found, with over 60% classified as urgent or high priority. The sharing of identifying pupils’ personal data with third parties

256-628: A presentation to the NPD User group in September 2016, the Director of the DfE Data Modernisation group acknowledged the release of sensitive data: "People are accessing sensitive data, but only to then aggregate. The access to sensitive data is a means to an end to produce the higher level findings.” The data items for release are classed into four tiers by the Department for Education, as described in

320-452: A problem until a national newspaper informed them. Individualised Learner Record The Individualised Learner Record ( ILR ) is the primary data collection about further education and work-based learning in England. It is requested from learning providers in England's further education system. The data is used widely, most notably by the government to monitor policy implementation and

384-438: A regular basis to third parties, and the majority of releases are of Tier 1 and 2 data. A list of completed National Pupil Database Third Party Requests and those in the pipeline, are published on a quarterly retrospective basis. Government uses of the data are based on a model of data sharing, passing raw data from one location to another, which is viewed by some as 'obsolete'. Intra departmental transfers of data include to

448-401: Is based on the 2006 Act around the register data a school must hold, which has subsequently had many amendments. The Data Protection Act 1998, in particular, Principle 1, sets out a fairness obligation which cannot be set aside merely because of the presence of a legal basis such as a Statutory duty. On 1 October 2015 this latter point was again made explicit for public bodies in the judgment of

512-463: Is concerning." He also said that the bill "appears to weaken citizens’ control over their personal data", something that is "likely to undermine trust in government and make citizens less willing to share their personal data". David Kaye, a special rapporteur for the United Nations , wrote an open letter to the UK government in 2017, raising concerns about the bill. Kaye questioned the legality of

576-547: Is granted through an applications process to the Department for Education Education Division and internal Data Management Advisory Panel (DMAP), and is subject to requesters complying with terms and conditions imposed under contractual licence arrangements. The DMAP Terms of Reference was first published in July 2016 by the Department for Education, but became obsolete after a 2018 panel reconfiguration. The Department for Education application procedures for handling requests for data from

640-507: Is that parents and pupils themselves are not sufficiently aware of the way the data is being shared with third parties." "There appears to have been no concerted effort to bring the consultation or the NPD initiative to the attention of parents or pupils." In November 2019, the ICO found: "the issues that the DfE experienced with the collection of the nationality data in terms of parent and pupil awareness of

704-509: The GOV.UK Verify scheme, a model based on the government not centrally storing data. The Conservative Party manifesto commitment to introduce age verification followed the publication of research into children viewing pornography online that was commissioned by the NSPCC . The polling agency that carried out the research, OnePoll , has been criticised for the techniques it used, raising questions about

SECTION 10

#1732859490248

768-469: The "purpose of promoting the education or well-being of children in England are conducting research or analysis, producing statistics, or providing information, advice or guidance", and who meet the Approved Persons criteria of the 2009 Prescribed Persons Act, updated in 2012/13. The data when released, however are not anonymised, but are sensitive and identifying. "According to centrally held records at

832-590: The Autumn of 2016. It then moved to the House of Lords . Royal assent was achieved by the end of Spring 2017. The final stages of the legislative process occurred during the wash-up period before the 2017 general election , as was the case with the Digital Economy Act 2010 which completed its course through Parliament during the wash-up before the 2010 general election . Although privacy and technical safeguards for

896-748: The BBFC's draft guidance to age verification service providers began in March 2018. The age verification provisions were due to come into effect in April 2018, were delayed until the end of 2018 and then further delayed until spring 2019. In March 2019 the BBFC published its guidance, and draft regulations – the Online Pornography (Commercial Basis) Regulations 2019 – were produced for approval by Parliament. The UK government stated in April 2019 that it planned to introduce mandatory age verification on 15 July 2019. In June 2019

960-573: The British and Irish Law, Education and Technology Association, also criticised the proposal to increase maximum jail term in its submission to the Government's consultation. The proposal was described as 'unacceptable', 'unaffordable', and 'infeasible'. It has been suggested that this provision may be intended to dissuade users of technology such as Kodi software from downloading content that breaches copyright regulations. A number of expert witnesses to

1024-837: The Cabinet Office for preparation of Electoral Registration Transformation work in 2013, to match participant data in the National Citizen Service , and for use in the Troubled Families programme, as well as arms length bodies such as NHS Digital for a survey "What About Youth" mailed home to 300,000 15 year olds in 2014. Not all government uses of the data are recorded in the Third Party Release Register, such as internal use. The volume of Police and Home Office use first made public through Freedom of Information requests in 2016, were first officially published by

1088-614: The Co-operative Group and former head of the Government Digital Service , expressed the opinion that "the government relies on bulk data sets too often, instead of simply asking for the individual data set pertaining to the information needed". The civil liberties and privacy advocacy group Big Brother Watch told the committee said that bill overlooked the work of the Government Digital Service in setting up

1152-729: The Court of Justice of the European Union in the Bara case (C‑201/14) , in which it ruled that “[the Directive] must be interpreted as precluding national measures…which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing,” i.e. individuals must be informed when public bodies share personal data and why. For sensitive data (Tier 1 and Tier 2 of

1216-462: The Culture Secretary, Jeremy Wright , announced that the implementation of the law had again been postponed for a period in the region of six months. The ORG also raised concerns over the risk of misuse of bulk data sharing. The provisions regarding copyright infringements were criticised for the vagueness of the definition and the severity of the maximum sentence (10 years in prison). BILETA,

1280-615: The Data Modernisation Division of the DfE has been identified as containing incorrect facts in the response provided to Parliamentary Questions concerning the volume of children's records passed onto the police and the Home Office (PQ48634, PQ48635 and PQ52645) and in figures quoted during a House of Lords Debate on the 31 of October 2016 on the Education (Pupil Information) (England) (Miscellaneous Amendments) Regulations 2016." Of

1344-511: The Department for Education and Home Office Border Removals Team agreed a Memorandum of Understanding to share pupil data including names, date of birth, gender, home address and school address for up to 1,500 children a month, from the last 5 years of their records, for various purposes of direct interventions. This policy became public knowledge through the expansion of the school census in October 2016 which added country of birth and nationality to

SECTION 20

#1732859490248

1408-412: The Department for Education released the first summary data protection impact assessment . It revealed that sexual orientation and religion are added to pupil records , for students from Higher Education. The Information Commissioner's Office confirmed in interim investigation findings in autumn 2019, that, "This investigation has demonstrated that many parents and pupils are either entirely unaware of

1472-560: The Department for Education, listed in the common basic data set (CBDS) , including health and SEND (special educational needs and disability). For uses of Key Stage attainment datasets and School Census dataset see also England: School Census. Raw pupil level personal data are held in the Department for Education National Pupil Database (NPD). The linked datasets contain data which are identifying, and too sensitive or disclosive to be published, although these data are given out to third parties in raw form. David Cameron announced in 2011,

1536-488: The Department for Education, where it is linked to individuals' school records in the National Pupil Database, expanding the lifetime record for millions of people that the Department retains indefinitely. The National Pupil Database covers only pupils in state (or partially state-funded) schools in England. However similar systems operate across the rest of the United Kingdom . Details of all data sources contained within

1600-491: The Department, in the Third Party Release Register in December 2017, under " External Organisation Data Shares ". Police requests were only documented going as far back as July 2015. This omits police access to records before this date, as noted in a ministerial correction (HCWS272) made by Nick Gibb, Minister of State for School Standards, on the numbers of pupils data released to the Home Office and police. “Information supplied by

1664-639: The Digital Economy Bill Committee expressed concerns about the bill. Jerry Fishenden , co-chair of the Cabinet Office’s Privacy and Consumer Advisory Group until he resigned in protest on 2 May 2017, expressed the opinion that the bill was based on an "obsolete" model of data sharing. He commented: "I find it surprising the bill doesn’t have definition of what data sharing is, both practically and legally… I’d like to see some precision around what’s meant by data sharing. The lack of detail

1728-913: The Labour Market System and Juvos, the unemployment research database. Further work by DfE compares self-reported salaries from the 2008/09 DLHE survey with earnings data from the LEO dataset coming directly from HMRC tax records. In June 2018, the UK Parliament gave powers to the Office for Students through the Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018 (No.607) to distribute personal data to thirteen third party organisations. In 2019 The Higher Education and Research Act 2017 (Further Implementation etc.) Regulations 2019 will expand which data that may be, and will include

1792-529: The Learning Records Service. Digital Economy Act 2017 The Digital Economy Act 2017 (c. 30) is an act of the Parliament of the United Kingdom . It is substantially different from, and shorter than, the Digital Economy Act 2010 , whose provisions largely ended up not being passed into law. The act addresses policy issues related to electronic communications infrastructure and services, and updates

1856-462: The NPD User Guide. Following the change of legislation, releases of the data since 2012 from the Department for Education to third parties have not been anonymous, but have been of identifiable and highly sensitive (Tier 1), identifiable and sensitive (Tier 2), aggregated but may be identifying due to small numbers (Tier 3) and identifying non-sensitive items (Tier 4). Raw, closed data are released on

1920-436: The NPD process began), nor does DfE charge for the processing and delivery of extracts to customers." There is however no transparency of the volume of how many children's data have been given away in approved uses either, because “the Department does not maintain records of the number of children included in historic data extracts.” ( PQ109065 ) Public interest research use of pupil level data through other routes of access to

1984-524: The National Pupil Database by the Data Management Advisory Panel or Education Division. There was no privacy impact assessment of the National Pupil Database for over twenty years, until 2019. Some of the history behind its collection, use and changes to legislation are outlined in a presentation given at an Open Data Institute ODI Friday lunchtime talk: Getting to grips with the National Pupil Database in 2013. (Soundcloud licensed under

National Pupil Database - Misplaced Pages Continue

2048-480: The National Pupil Database including pregnancy, physical and mental health, and a code for young offender, as reason for transfer out of mainstream education. The AP Guidance 2017-18 indicates that the age group has been lowered. "Within the AP census, pupils should be aged between 2 (as at 31 December 2017) and 18 (at 31 August 2017) - those pupils born between 01/09/1998 and 31/12/2015." Campaigners and charities warned that

2112-430: The National Pupil Database, from March 2012, enabled interested parties to request extracts of data from the National Pupil Database (NPD) using forms available on the Department for Education website . Data supply agreements, agreement schedules and individual declarations for researchers and third-party organisations who have received DfE approval for applications for data extracts are completed before users are sent

2176-494: The National Pupil database include all the data items classified as ‘sensitive’) an additional condition from Schedule 3 of The Data Protection Act 1998 must also be met to justify a legal basis for disclosure. These conditions are a high bar, for example, in the interests of justice. The Data Protection Act 1998 (s33) gives research exemptions for the purposes of statistical and historic research purposes, most significantly on

2240-534: The OfS could give data to, and for purposes defined only by that company's memorandum and articles of association ." Since legislation changed over time to permit new uses and access to personal data by new third parties, over 15 million people whose data was already in the National Pupil Database and who had already left school pre-2012, have not been informed how their personal data may be used, for what purposes, and by whom, such new Regulations demonstrates. In July 2015,

2304-604: The act, which contains the age verification mandate. Clause 131 of the government's draft Online Safety Bill , published in May 2021, gave effect to this intention. Addressing the House of Commons DCMS Select Committee , the Secretary of State, Rt. Hon. Oliver Dowden MP confirmed he would be happy to consider a proposal during pre-legislative scrutiny of the Online Safety Bill by a joint committee of both Houses of Parliament to extend

2368-478: The changes would lead to sensitive details being collected without the knowledge of parents and pupils, in breach of data protection law and raised concerns that "there are not enough safeguards to ensure that sensitive data does not end up being passed on to third parties and damaging the privacy of those it covers." In October 2020, the Information Commissioner's Office published an executive summary of

2432-517: The collection. In October 2017, the Department for Education confirmed in an interview with Sky News that, information obtained from the National Pupil Database was used to contact families to "regularise their stay or remove them" and confirmed in January 2019 that this policy continues. An expansion of the Alternative Provision census starting in January 2018, added further sensitive data to

2496-402: The conditions for and sentencing of criminal copyright infringement. It was introduced to Parliament by culture secretary John Whittingdale on 5 July 2016. Whittingdale was replaced as culture secretary by Karen Bradley on 14 July 2016. The act received royal assent on 27 April 2017. The provisions of the act include: The bill completed its passage through the House of Commons during

2560-476: The data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject. Campaigners from the children's privacy NGO defenddigitalme, have questioned whether this legal basis is met for some releases between 2012 and 2017 from the National Pupil Database and whether new uses put the research status of the National Pupil Database at risk. As observed in 2014 by independent experts, "the central concern

2624-581: The data is collected in the Individualised Learner Record for each academic year (from 1 August to 31 July). In January 2020, the Sunday Times reported that "Betting companies have been given access to an educational database containing names, ages and addresses of 28 million children and students in one of the biggest breaches of government data", which referred to Learner Records Service data. It said that over 12,000 organisations had access to

National Pupil Database - Misplaced Pages Continue

2688-523: The data, include projects linking individual data together with other education and employment data from citizens' interactions with other government departments and public services. For example, the LEO dataset is made up of information from the National Pupil Database (NPD), the Individualised Learner Record (ILR), the Higher Education Statistics Agency (HESA), Her Majesty's Revenue and Customs data (HMRC), The National Benefit Database,

2752-898: The documented 887 requests for identifiable data that have been through the DMAP request process in March 2012 – December 2016, only 29 have been for aggregated data, according to analysis by the NGO defenddigitalme. There were 15 rejected applications between March 2012 and September 2016, including a request "by mistake" from the Ministry of Defence to target its messaging for recruitment marketing. Approved uses include identifying and sensitive data released to Fleet Street papers, “to pick interesting cases/groups of students," and about 60% of applications approved (as distinct from volume of data used) for identifying and sensitive, pupil level data, were from think tanks, charities, and commercial companies. The Telegraph newspaper

2816-414: The entirety of the National Pupil Database and Alternative Provision data. In debate, Shadow Secretary for Higher Education Gordon Marsden MP, asked the government whether, "it the intention of the new regulations that through the new data powers they give OfS to receive data in regulations 28 and 32 they can also enable the distribution by OfS of population-wide personal data?" The data in question, "includes

2880-443: The government to bring in the porn age ban in January 2020, a move that was supported by children's charities. Their argument that there is accepted legal precedent that a government cannot pass a law, secure royal assent for it and then frustrate the will of Parliament by deciding not to introduce it saw them win permission in July 2020 for a judicial review. The government announced in October 2020 its intention to repeal part 3 of

2944-425: The government would be “opening up access to anonymised data from the National Pupil Database […].” This was an expansion to other third parties, since these data had already been used for many years and extensively by academic public interest researchers . Since 2012, Secretary of State has had powers to share raw data from National Pupil Database under terms and conditions with named bodies and third parties who for

3008-542: The linked set of data which form the National Pupil Database, and the coverage of children within each source. The pupil level data are personal confidential data which include sensitive personal data as defined by the Data Protection Act 1998. The National Pupil Database contains: There are about 400 possible variables to collect on individual pupils. The full national code sets of all the items of data that can be collected on individual children can be downloaded from

3072-423: The nuances within the data collection, such as which data is compulsory and which is optional. This has raised concerns about the adequacy DfE's privacy notices and their accountability for the provision of such information to individuals regarding the processing of personal data for which they are ultimately data controllers." In November 2022 the ICO issued a reprimand to the DfE following "the prolonged misuse of

3136-463: The optional nature of the collection of that data has highlighted concerns regarding compliance with articles 12, 13 and 14 of the GDPR. Our view is that the DfE is failing to comply fully with the GDPR in respect of these articles. The investigation has demonstrated that many parents and pupils are either entirely unaware of the school census and the inclusion of that information in the NPD, or are not aware of

3200-414: The password protected data. The sensitive and identifying items that require DMAP approval include name, date of birth, postcode, candidate numbers, Pupil Matching Reference (Non Anonymised), detailed types of disability, indicators of adoption from care, reasons for exclusions (theft, violence, alcohol etc). There is no ethics committee review for the release of identifying or sensitive data directly from

3264-672: The performance of the sector, and by organisations that allocate FE funding. ILR data is collected from providers receiving funding from the Education and Skills Funding Agency (ESFA). It has changed name since it began, to the PLR (Personalised Learner Record) and together, forms the Learner Records Service dataset. In October 2019, the official statistics released by the Department for Education indicated it controlled over 28.4 million named, individual records. The ILR Specification defines

SECTION 50

#1732859490248

3328-407: The personal information of up to 28 million children." John Edwards, UK Information Commissioner, stated that: "No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even

3392-409: The personal, confidential data of every pupil from state education since 1996, past, present and future and in perpetuity—over 25 million people, and growing every year—distribution to its own third-party prescribed persons, including potentially Pearson Education Ltd , among other commercial parties, for such wide-ranging company purposes, through the powers of last year's regulations, which set out who

3456-483: The principles of indefinite retention and data minimisation, as well as Subject Access rights, for as long as data are processed for the legitimate interests of the Data Controller. To qualify for the research exemption, the research must be able to comply with the following ‘relevant conditions’: (a) that the data are not processed to support measures or decisions with respect to particular individuals, and (b) that

3520-427: The privacy implications of collecting user data, and the possible ineffectiveness of a method focused on restricting payments to pornographic websites. Myles Jackman , ORG's legal director, highlighted the potential vulnerability of age verification systems to hacking , and suggested that it would result in more people using virtual private networks , or anonymous web browsers such as Tor . A public consultation on

3584-618: The proposed framework in relation to the International Covenant on Civil and Political Rights . Jeni Tennison , CEO of the Open Data Institute , commented on the lack of transparency regarding existing public sector data sharing agreements and how the bill's measures fit with them. She spoke of her belief that the bill lacks the transparency needed to avoid the kind of problems that arose with NHS Digital 's abandoned Care.data programme. Mike Bracken , chief digital officer at

3648-423: The quality of the resulting data. For instance, the company offered a questionnaire to children aged 11–16 despite its own terms and conditions of use stating that users must be at least 16 years old. In October 2019, Nicky Morgan MP said that the government had shelved plans to introduce age verification checks for Internet pornography. Four age verification providers subsequently launched legal action to force

3712-471: The safer model was introduced. The new infrastructure was part of a set of recommendations made by the UK Statistics Authority in 2018, which included that the Department carry out a Data Protection Impact Assessment. A summary was published in May 2019. It included recognition of the risk that people, “may not be aware that their personal data may be shared with other organisations.” In May 2019,

3776-427: The school census and the inclusion of that information in the NPD, or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional. This has raised concerns about the adequacy DfE's privacy notices and their accountability for the provision of such information to individuals regarding the processing of personal data for which they are ultimately data controllers.” Access

3840-469: The sharing of citizens' data are not included in the act, the government stated that it intended to publish codes of practice following a public consultation. The consultation took place in the Autumn of 2017. The Open Rights Group (ORG), a digital rights campaigning organisation, raised concerns over aspects of the Bill. The provisions for the age verification of pornographic website users raised concerns about

3904-464: The termly school census returns provided to Local Authorities (regional) or directly to the Department for Education (national) three times a year. The National Pupil Database has expanded in its scope of the items collected, and from children of a wider age range over time. Data once stored in the National Pupil Database, are never deleted. The Higher Education Statistics Agency passes students' personal confidential data collected from universities to

SECTION 60

#1732859490248

3968-556: The time of writing, from August 2012 to 20 December 2017, 919 data shares containing sensitive, personal or confidential data at pupil level have been approved for release from the National Pupil Database. For the purpose of this answer, we have assumed the term sensitive, personal or confidential uses of information to be data shares classified as either Tier 1 or Tier 2 as set out in the National Pupil Database area on GOV.UK. [In addition] There were 95 data shares approved between March 2012 and this classification system being introduced." In

4032-434: Was put on hold in May 2018 for three months.  The Department for Education halted the distribution of personal information about  school children in England, to restart it aligned with a Five Safes model, according to the Office for Statistics Regulation 's recommendations. Although this was intended as an improvement towards safer pupil data, in spring 2019 data distribution continued , more than six months after

4096-481: Was granted identifying and sensitive data in 2013, for all pupils in the KS2, KS4 and KS5 cohorts for the years 2008-2012. Academic uses of school census data make up about 40% of the requests for identifying, pupil level data, processed through and approved by the DMAP process. The raw data are sent to the requestor's own location. There is no charge made for fulfilling requests. "DfE does not charge for data (and has not since

#247752