Privacy notices are there to tell users of services how information about them is being collected, used and linked together. As a parent you may wish to know whether information about your child is being linked with other information about you or them, and who can see this information. Whilst this seems straightforward, privacy notices are often opaque: they refer to broad categories of data use, and the specific ways data might be used and linked with other data can be hard to discern.
In 2023 the Government are changing the way they collect data about children who have an Education, Health and Care Plan or for whom there has been a request for a plan. The data they collect and use is changing from aggregated data (that does not identify individual children) to individual personal level data on every child.
The Department for Education have provided guidance for local authorities about how to write privacy notices on their websites to reflect this change.
However, in their suggested privacy notice they talk about the sharing of data but do not mention that children’s data may be linked to other data sources about families. This is what is written into the Department for Education accompanying guidance document:
“Person level data will enable a better understanding of the profile of children and young people with EHC plans and allow for more insightful reporting. The person information will allow for linking to other data sources to further enrich the data collected on those with EHC plans.” (DfE (2022) p.11)
Local authorities will be required to pass personal level data about children to the Department for Education, and yet it remains very unclear how the Department will use it.
Parents may also be forgiven for feeling concerned about the safety of their children’s information once it is passed on. The Information Commissioner’s Office has reported a serious breach in children’s data use in which children’s data held by the DfE was offered to gambling companies.
Department for Education reprimanded by ICO for children’s information data breach
The Department for Education (“DfE”) has been reprimanded by the ICO for a data breach arising from the unlawful processing of personal data, including children’s data contained in approximately 28 million records, between 2018 and 2020. The DfE had provided the screening company Trust Systems Software UK Ltd (“Trustopia”) with access to the Learning Records Service (“LRS”), a database containing pupils’ learning records used by schools and higher education institutions. Despite not being a provider of educational services, Trustopia was allowed access to the LRS and used the database for age verification services, which were offered to gambling companies (to confirm their customers were over 18).
The ICO determined that the DfE had failed to protect against the unauthorised processing of data contained in the LRS. As the data subjects were unaware of the processing and unable to object or withdraw consent to the processing, the ICO deemed that DfE had breached Article 5(1)(a) UK GDPR. Additionally, the DfE had failed to ensure the confidentiality of the data contained in the LRS in breach of DfE’s security obligations pursuant to Article 5(1)(f) UK GDPR.
In the reprimand the ICO noted that, but for the DfE being a public authority, the ICO would have fined the DfE just over £10 million. The reprimand from the ICO sets out the remedial actions that the DfE needs to take to improve its compliance with the UK GDPR, including: (1) improving the transparency of the LRS so that data subjects are able to exercise their rights under the UK GDPR; and (2) reviewing internal security procedures to reduce the likelihood of further breaches in the future. The DfE has since removed access to the LRS for 2,600 of the 12,600 organisations which originally had access to the database.
Department for Education (2022) Special educational needs person level survey 2023: guide.