The government could face legal action over the way it handles student data as pressure mounts to release a full audit of its practices.

The campaign group DefendDigitalMe has sent a pre-complaint letter to the Department for Education over its handling of ‘extremely sensitive information’ about children, warning it will seek judicial review if it does not receive a ‘satisfactory response’.

The organization said the department had “repeatedly” failed to provide details of the steps it had taken to ensure it complied with data protection law and failed to properly inform parents of what was done with their children’s data.

A damning audit of the Office of the Information Commissioner (ICO) in 2020 found that the DfE had breached data protection laws in the way it handled student data.

The audit was triggered by complaints about the National Student Database (NPD), which contains information on millions of past and present students.

A summary of the report warned that data protection “was not a priority”, which had “seriously affected the DfE’s ability to comply with UK data protection laws”.

The watchdog issued 139 recommendations for improvement, more than 60% of which were classified as “urgent or high priority”. The DfE said it had reviewed “all processes for the use of personal data”.

‘No sense of urgency’

But the government hasn’t released an update on its work to address ICO concerns since January 2021. The full report, which the DfE promised to publish, is also still secret more than two years later.

DefendDigitalMe director Jen Persson said there seemed to be “no sense of urgency”.

Jen Persson

“[There is] no commitment to even acknowledge that they have a serious problem, when there is no mechanism in place to automatically indicate that a child at risk should have a sealed record protected from distribution.

“When you ask ordinary students and teachers, they are shocked to find out more than statistics leave school and are given to an unlimited number of companies.”

His organization wants a response detailing how the DfE now complies with data protection law.

The ministry said School week that although he had “no obligation” to publish the full report, he had “a commitment in the future to publish the full report once we have completed the work to the satisfaction of the ICO”.

As part of its investigation, the ICO looked at how the NPD, the learning records service and the DfE’s “internal databases” were managed.

DfE faces questions over student data sharing

The sharing of NPD data with outside organizations has been the subject of controversy for some years, and children’s rights groups have called for it to be stopped.

This came to a head in 2016 when the government started collecting data on pupils’ nationality and country of birth, eventually admitting it had planned to share the data with the Home Office for control of the school. ‘immigration. Collection was canceled in 2018.

The DfE publishes anonymised sections of the NPD to organizations – including private companies – who request them. However, the ICO found that the reasons for doing so were not always justified.

But access to student data is important for academics and research organizations, such as the National Foundation for Educational Research.

Its research director, Lesley Duff, said the analysis of important data sources has played a “critical role in creating new evidence for teachers and other practitioners about what works in the education system”.

It could also provide “important information that helps the government develop new policies to improve educational outcomes”.

However, she warned that it was “imperative that all data be treated and managed with extreme sensitivity, in accordance with GDPR principles, and only shared with accredited academics and researchers who have been trained to use the data in a safe and secure manner”.