The Information Commissioner’s Office (ICO) has raised concerns about the Department for Education’s (DfE) daily school attendance data collection, introduced this year in 65% of English schools. The data watchdog says the DfE initially failed to carry out a data protection impact assessment (DPIA) before it began storing information, as required by law. Documents released under the Freedom of Information (FOI) act also show the DfE was asked to pause the “high-risk data collection” and carry out a risk assessment, but declined to do so.

School pupils’ data collection has raised concerns with the ICO. (Photo by LStockStudio/Shutterstock)

Digital rights group, Defend Digital Me, which submitted the FOI request, says it is concerned by the policy-level decision-making around the system and “lack of care and attention” that was given before starting data collection process at scale. The group says it poses a risk to the “fundamental rights and freedoms” of school pupils, who can be as young as four. It plans to legally challenge the DfE.

In documents shared with Defend Digital Me from the ICO, an email chain shows stakeholders in the ICO policy team flagging their concerns to the DfE about the lack of DPIA and failure to meet its obligations. Once it had received the DPIA, the ICO described its concerns about the data collecting and processing trial in over ten pages. One of its concerns was the storing of data for an “excessive” 66 years as well as the DfE’s “failure to demonstrate the necessity of the data processing”.

Defend Digital Me’s legal team has written to the DfE to seek “urgent answers” on the lack of transparent information being provided to schools, parents and children about the data collection, processing and sharing.

As reported by Tech Monitor, the attendance tracker was announced by the DfE earlier this month, with its private sector tech provider Wonde acting as the data processor. Privacy rights experts said at the time that they were concerned about the vague terms in the agreement between the company and the education department, which said data could be shared with other government departments and potentially third parties.

School attendance data collection: excessively frequent and unnecessary

The DfE announced it would be trialling a new daily attendance data collection in January, collecting information from digital registers in real time. The department says the data collection aims to “help address absences more quickly” with a whitepaper confirming that DfE wanted to work to establish a better, more timely flow of pupil-level attendance data.

Schools were asked to sign up to a daily attendance tracker ‘trial’. According to Defend Digital Me, it was not clear how the DfE plan to intervene with the pupils whose information it was collecting. The group considers the data collection to be an “obviously excessively frequent, unnecessary and disproportionate” one. The DfE also told schools that it had worked with the ICO on its DPIA – emails show that the ICO requested this to be edited or retracted.

The education department then awarded a £270,000 contract for “Project_6468 Acquisition of Attendance Data” to Wonde Ltd, based in Suffolk. The tender says that it was for services to “extract school data that is required to enable the buyer to extract certain attendance records from schools”.

Defend Digital Me wrote to the ICO in February 2022 with its concerns about the tracker. “If this is about absence, why is the national department collecting data daily from millions of children who never miss school?” it said on a blog post. It also flagged concerns about whether the data would be shared with members of the Attendance Alliance at the DfE and who would explain to pupils and families about how the data would be shared.

Confusion over DfE data storage plans

Documentation released as part of the FOI request shows that at the time the data collection started, the DfE had not worked with the ICO on its DPIA and that the DPIA had not been signed off prior to the data processing beginning, which is a legal requirement.

Once the ICO had received and reviewed the DPIA, it communicated its many concerns back to the DfE in March. In its 20-page response, the data watchdog expresses concern that the DfE’s DPIA does not confirm whether the contractual arrangement between DfE and Wonde fully complies with the “requirements for processor contracts.” It also notes that it is not apparent from the DPIA how the 66-year timeframe for retaining data is justified. The DfE says this is required for evaluation and monitoring purposes. The ICO adds that the DPIA needs more detail on how pupils’ data will be anonymised and archived.

DfE’s DPIA also states that the data will be stored in the Microsoft Azure cloud, based in the Republic of Ireland and the Netherlands and that it has obtained “offshoring approval”. The ICO has said this term is “not defined” and that it’s also not clear whether the “required safeguards for such transfers are in place.” Further, it says that this statement contrasts with Wonde’s data storage policy, which says the information is kept on AWS servers in Ireland.

Legal challenge in the works against DfE’s data collection faux pas

Defend Digital Me’s legal team is liaising with the DfE to get answers on how the data will be analysed and to provide transparency around the use of the tracker. It said the department’s initial response confirmed that the daily attendance data is “likely to be used to support legal interventions, including issuing fixed penalty notices and prosecuting parents”.

“The DfE’s response also leaves important questions hanging, regarding how daily pupil data could be used in future phases of the project and who it could be shared with,” says the organisation in a blog post. “Our legal team is continuing correspondence with the department.” Defend Digital Me has also launched a crowdfunder to raise money for the legal challenge it wants to bring against the DfE.

Other stakeholders in education have raised their own concerns about the revelations, with Geoff Barton, general secretary of the ASCL union, telling Schools Week that he demands a full explanation about what went wrong and the concerns that were raised. He confirms to the outlet that the DfE emailed schools which would have “formed the impression” that the DPIA had been done with the ICO.

“This is completely unacceptable and if schools had known that an important part of the process for safeguarding data had not actually been completed, it is unlikely they would have signed up to the trial,” Barton said.

A reminder of why we need ‘robust legislation’

Mariano delli Santi, a legal and policy officer at the Open Rights Group, told Tech Monitor that DfE’s plans are exposing children to “risk of being stigmatised as an absentee” for the rest of their lives. This could lead, he says, to dramatic consequences for their opportunity to ssucceedin life.

The EU’s GDPR affords protection against “data-driven decisions” and the requirements to consider the potential implications for deploying digital systems, he says, such as with a DPIA: “Data protection impact assessments are the reason we are able to address these challenges, and ensure that innovation and digitalisation does not impair our children’s opportunity to succeed in life.”

Delli Santi says that this example from DfE is a “stark reminder” of the importance of robust legislation, which comes as the UK government seeks to move away from GDPR with its own regime for safeguarding information, the Data Protection and Digital Information Bill.

“With the Data Protection and Digital Information Bill, collecting data for “safeguarding vulnerable individuals” would become legal even without considering the practical consequences for the wellbeing of the individuals it ought to protect,” Delli Santi says. “Also, the requirement to conduct DPIAs and to consult with the ICO would be scrapped, taking away a useful tool to reflect on risks and challenge reckless behaviour.”

He believes that the government needs to start listening to the criticism from the industry and privacy organisations and “reconsider their plans to bonfire legal standards” that protect everyone.

Tech Monitor has contacted the DfE for comment.

Tech Monitor is hosting the Tech Leaders Club on 15 September. Find out more on NSMG.live

Read more: AI in classrooms is no substitute for real teachers