What happens when public data is shared with the wrong people?

Case study: Department for Education

Jeni Tennison

The Department for Education (DfE) maintains records about everybody who has received state-funded education in England since 1996 in the National Pupil Database. It routinely shares this information with third parties. Civil society scrutiny unearthed failures in DfE’s data practices leading to a highly critical ICO audit in 2020, and a reprimand in 2022 for a data breach that led to education data being used by betting firms to verify the age of online gamblers.

This case study is part of a series exploring how public sector organisations involve the public, workers and civil society in decisions about data and AI, and some of the consequences when they do not. Read more about our work on public involvement in public sector data and AI.

Since 1996, the Department for Education (DfE) has created a lifetime record for every child in state-funded education in England within the National Pupil Database (NPD). Since 2002, this has included names, among other identifiable data. And since 2014 DfE has provided a Learning Records Service (LRS) that provides information about people’s education and qualifications. This data is stored about everyone, up to the age of 80.

Records from these datasets are shared within government, including for operational purposes with the Home Office and DWP, and with third parties, including commercial companies. For example, colleges use the LRS to check the qualifications of new applicants; academics access pupil-level data to carry out research, such as how educational experience or special educational needs might affect other aspects of people’s lives such as their health or interactions with the justice system.

However, not all these uses are in line with public expectations, or the law. In 2016, human rights organisations called for a boycott of the collection of the nationality and country of birth of pupils, as it was going to be used to support immigration enforcement. (Other pupil data is still used monthly for that purpose.) In 2020, there was public outcry when the Sunday Times reported that betting firms were using LRS data accessed via the company Trustopia to check the age of online gamblers.

Civil society groups have played an active role in bringing these practices to light and improving DfE’s compliance with the law. The Information Commissioner’s Office (ICO) began an investigation into the DfE’s data sharing practices in 2019 following complaints by Defend Digital Me and Liberty, which it extended following the Trustopia LRS data breach. The audit was completed in February 2020 and concluded that DfE demonstrated “an approach which is designed to find a legal gateway to ‘fit’ the application [to access data] rather than an assessment of the application against a set of robust measures designed to provide assurance and accountability”. Its full results are yet to be published.

In 2022, following its investigation into the LRS data breach, the ICO issued a reprimand to the DfE, finding that they failed to protect against unauthorised processing of learner data by third parties and that students were unaware of the processing and could not object or otherwise withdraw from it. DfE would have been subject to a £10m fine were it not for a new ICO policy of not levying fines on public sector bodies. The DfE subsequently revoked access to the database from 2,600 organisations.
