The Information Commissioner’s Office (ICO) has raised concerns about the Department for Education’s (DfE) daily collection of school attendance data, introduced in 65% of English schools this year. The data watchdog says the DfE did not initially carry out a data protection impact assessment (DPIA) before starting to store information, as required by law. Documents released under the Freedom of Information Act (FOI) also show the DfE was asked to suspend ‘high risk data collection’ and carry out a risk assessment, but refused to do so. .
Digital rights group Defend Digital Me, which submitted the freedom of information request, says it is concerned about policy-level decision-making about the system and the ‘lack of care and attention’ which was granted before starting the large-scale data collection process. The group says this poses a risk to the “fundamental rights and freedoms” of pupils, who can be as young as four years old. He plans to legally challenge the DfE.
In documents shared with the ICO’s Defend Digital Me, an email chain shows stakeholders from the ICO’s policy team reporting concerns to the DfE over the lack of DPIA and non-compliance with its obligations. . After receiving the DPIA, the ICO outlined its concerns about the attempted data collection and processing in over ten pages. One of his concerns was the storage of the data for an “excessive” length of 66 years as well as “the DfE’s failure to demonstrate the necessity of the data processing”.
Defend Digital Me’s legal team have written to the DfE asking for “urgent responses” to the lack of transparent information provided to schools, parents and children about the collection, processing and sharing of data.
As reported by Technical monitor, the attendance tracking was announced by the DfE earlier this month, with its private sector technology provider Wonde acting as data processor. Privacy experts said at the time that they were concerned about the vague terms of the agreement between the company and the Ministry of Education, according to which the data could be shared with other ministries and potentially third parties.
Collection of data on school attendance: excessively frequent and unnecessary
The DfE has announced that it will pilot a new daily collection of attendance data in January, collecting information from digital registers in real time. The department says the data collection aims to ‘help deal with absences faster’ with a white paper confirming the DfE wanted to work to establish a better and faster flow of attendance data at pupil level.
Schools were asked to sign up for a daily attendance tracking ‘trial’. According to Defend Digital Me, it was unclear how the DfE planned to intervene with students whose information it collected. The group considers that the collection of data is “obviously excessively frequent, unnecessary and disproportionate”. The DfE also told the schools that it had worked with the ICO on its DPIA – emails show the ICO asked for this to be changed or removed.
The Department for Education then awarded a £270,000 contract for ‘Project_6468 Acquisition of Attendance Data’ to Suffolk-based Wonde Ltd. The RFP says it was for “school data extraction services necessary to enable the buyer to extract certain school attendance records.”
Content from our partners
Defend Digital Me wrote to the ICO in February 2022 with their concerns about the tracker. “If it’s about absence, why is the national department collecting data daily from millions of children who never miss school?” he says on a blog post. He also flagged concerns about whether the data would be shared with members of the Attendance Alliance at the DfE and who would explain to pupils and families how the data would be shared.
Confusion over DfE data storage plans
Documentation released as part of the FOI request shows that at the time data collection began, the DfE had not worked with the ICO on its DPIA and the DPIA had not been signed prior to commencement. data processing, which is a legal requirement. .
Once the ICO received and reviewed the DPIA, it raised many concerns with the DfE in March. In its 20-page response, the data watchdog is concerned that the DfE’s DPIA does not confirm whether the contractual arrangement between the DfE and Wonde fully complies with the “processing contract requirements”. It also notes that it is not clear from the DPIA why the data retention period of 66 years is justified. The DfE says this is necessary for evaluation and monitoring purposes. The ICO adds that the DPIA needs more details on how student data will be anonymized and archived.
The DfE’s DPIA also says the data will be stored in the Microsoft Azure cloud, based in the Republic of Ireland and the Netherlands and that it has obtained “relocation approval”. The ICO said that term was “undefined” and it was also unclear if the “required safeguards for such transfers were in place”. Further, he says this statement contrasts with Wonde’s data storage policy, which states that information is stored on AWS servers in Ireland.
Ongoing legal challenge against DfE data collection faux pas
The Defend Digital Me legal team is in contact with the DfE to get answers on how the data will be analyzed and to ensure transparency around the use of the tracker. He said the department’s initial response confirmed that daily attendance data is “likely to be used to support legal interventions, including issuing fixed fine notices and prosecuting parents.”
“The DfE’s response also leaves important questions unanswered, regarding how daily student data might be used in future phases of the project and with whom it might be shared,” the organization says in a blog post. “Our legal team is continuing to correspond with the department.” Defend Digital Me has also launched a crowdfunder to raise money for the legal challenge it wants to bring against the DfE.
Other education stakeholders have raised their own concerns over the revelations, Geoff Barton, general secretary of the ASCL union, telling School week that it demands a full explanation of what went wrong and the concerns that were raised. He confirms to the outlet that the DfE sent emails to schools that allegedly “formed the impression” that the DPIA was done with the ICO.
“This is completely unacceptable and if the schools had known that a significant part of the data backup process had not been completed, they are unlikely to have signed up for the trial,” Barton said.
A reminder of why we need ‘strong legislation’
Mariano delli Santi, legal and policy officer at the Open Rights Group, told Tech Monitor that DfE projects put children at “risk of being stigmatized as absent” for the rest of their lives. This could, he says, have dramatic consequences for their chances of succeeding in life.
The EU GDPR provides protection against “data-driven decisions” and requirements to consider potential implications for the deployment of digital systems, he says, as with a DPIA: data protection are the reason we are able to meet these challenges, and ensure that innovation and digitization do not compromise our children’s chances of succeeding in life. »
Delli Santi says this example from the DfE is a “stark reminder” of the importance of strong legislation, which comes as the UK government seeks to move away from GDPR with its own data protection regime, the draft data protection law and digital information.
“With the Data Protection and Digital Information Bill, the collection of data to ‘protect the vulnerable’ would become legal even without considering the practical consequences for the well-being of the people it should protect” , says Delli Santi. “Furthermore, the requirement to conduct DPIAs and consult the ICO would be removed, removing a useful tool for thinking through risk and challenging reckless behavior.”
He believes the government needs to start listening to criticism from industry and privacy organizations and “reconsider its plans to ignite legal standards” that protect everyone.
Technical monitor has contacted the DfE for comment.
Tech Monitor hosts the Tech Leaders Club on September 15. Learn more about NSMG.live
