National Pupil Database

Last updated

The National Pupil Database (NPD) is a database controlled by the Department for Education in England, based on multiple data collections from individuals age 2-21 in state funded education and higher education. Data are matched using pupil names, dates of birth and other personal and school characteristics, including special educational needs, disability, and indicators for free school meals, a child in care, and families in the armed forces. Personal details are linked to pupils' attainment and exam results over a lifetime school attendance.

Contents

In October 2018 the database contained over 21 million individual named pupil records.[ citation needed ] It is deemed by the Department to be “one of the richest education datasets in the world". [1] This is just one of the distributed datasets that the Department for Education controls, and separate from the further Individualised Learner Record (ILR) in the Learning Records Service, for example.

Schools use Management Information Systems (MIS) to collect and analyse pupil level information at local level. Data from these systems are used to complete the termly school census returns provided to Local Authorities (regional) or directly to the Department for Education (national) three times a year. The National Pupil Database has expanded in its scope of the items collected, and from children of a wider age range over time. Data once stored in the National Pupil Database, are never deleted.

The Higher Education Statistics Agency passes students' personal confidential data collected from universities to the Department for Education, where it is linked to individuals' school records in the National Pupil Database, expanding the lifetime record for millions of people that the Department retains indefinitely.[ citation needed ]

Scope of the NPD

The National Pupil Database covers only pupils in state (or partially state-funded) schools in England. However similar systems operate across the rest of the United Kingdom.

Sources of pupil data in the NPD

Details of all data sources contained within the linked set of data which form the National Pupil Database, and the coverage of children within each source. [5]

Data SourceAges
School Census/PLASC2-18
PRU Census [historic to 2013]2-18
Early Years Census2-4
Alternative Provision Census2-18
Early Years Foundation Stage Profile2-4
Reception Baseline Assessment4-5
Year 1 Phonics Test5
Key Stage 1 SATs6-7
Multiplication Times Tables Test8-9
Key Stage 2 SATs10-11
Key Stage 4 Awarding Body data14-21
Key Stage 4 Achievement & Attainment Tables data15-16
Key Stage 5 Awarding Body data14-21
Key Stage 5 Achievement & Attainment Tables data16-18
Individual Learner Records (ILR)14-21
HESA data17-21
Children Looked After0-18
Children In Needunborn-18
PLAMS Post-16 Learning Aims16-18
NCCIS National Client Caseload Information15-24
Independent Specialist Providers (ISP)

Data types held

The pupil level data are personal confidential data which include sensitive personal data as defined by the Data Protection Act 1998. [6] [ better source needed ] The National Pupil Database contains:[ citation needed ]

There are about 400 possible variables to collect on individual pupils. The full national code sets of all the items of data that can be collected on individual children can be downloaded from the Department for Education, listed in the common basic data set (CBDS), including health and SEND (special educational needs and disability).

Use of pupil level data

For uses of Key Stage attainment datasets and School Census dataset see also England: School Census. Raw pupil level personal data are held in the Department for Education National Pupil Database (NPD). The linked datasets contain data which are identifying, and too sensitive or disclosive to be published, although these data are given out to third parties in raw form.

David Cameron announced in 2011, the government would be “opening up access to anonymised data from the National Pupil Database […].” This was an expansion to other third parties, since these data had already been used for many years and extensively by academic public interest researchers.

Since 2012, Secretary of State has had powers to share raw data from National Pupil Database under terms and conditions with named bodies and third parties who for the "purpose of promoting the education or well-being of children in England are conducting research or analysis, producing statistics, or providing information, advice or guidance", and who meet the Approved Persons criteria of the 2009 Prescribed Persons Act, updated in 2012/13.

The data when released, however are not anonymised, but are sensitive and identifying. [8] "According to centrally held records at the time of writing, from August 2012 to 20 December 2017, 919 data shares containing sensitive, personal or confidential data at pupil level have been approved for release from the National Pupil Database. For the purpose of this answer, we have assumed the term sensitive, personal or confidential uses of information to be data shares classified as either Tier 1 or Tier 2 as set out in the National Pupil Database area on GOV.UK. [In addition] There were 95 data shares approved between March 2012 and this classification system being introduced."

In a presentation to the NPD User group in September 2016, [9] the Director of the DfE Data Modernisation group acknowledged the release of sensitive data: "People are accessing sensitive data, but only to then aggregate. The access to sensitive data is a means to an end to produce the higher level findings.”

The data items for release are classed into four tiers by the Department for Education, as described in the NPD User Guide. [10] Following the change of legislation, releases of the data since 2012 from the Department for Education to third parties have not been anonymous, but have been of identifiable and highly sensitive (Tier 1), identifiable and sensitive (Tier 2), aggregated but may be identifying due to small numbers (Tier 3) and identifying non-sensitive items (Tier 4). Raw, closed data are released on a regular basis to third parties, and the majority of releases are of Tier 1 and 2 data.

A list of completed National Pupil Database Third Party Requests and those in the pipeline, are published on a quarterly retrospective basis.

Government uses of the data are based on a model of data sharing, passing raw data from one location to another, which is viewed by some as 'obsolete'. Intra departmental transfers of data include to the Cabinet Office for preparation of Electoral Registration Transformation work in 2013, to match participant data in the National Citizen Service, and for use in the Troubled Families programme, as well as arms length bodies such as NHS Digital for a survey "What About Youth" mailed home to 300,000 15 year olds in 2014. Not all government uses of the data are recorded in the Third Party Release Register, such as internal use. The volume of Police and Home Office use first made public through Freedom of Information requests in 2016, were first officially published by the Department, in the Third Party Release Register in December 2017, under "External Organisation Data Shares". [11] Police requests were only documented going as far back as July 2015. This omits police access to records before this date, as noted in a ministerial correction (HCWS272) [12] made by Nick Gibb, Minister of State for School Standards, on the numbers of pupils data released to the Home Office and police. “Information supplied by the Data Modernisation Division of the DfE has been identified as containing incorrect facts in the response provided to Parliamentary Questions concerning the volume of children's records passed onto the police and the Home Office (PQ48634, PQ48635 and PQ52645) and in figures quoted during a House of Lords Debate on the 31 of October 2016 on the Education (Pupil Information) (England) (Miscellaneous Amendments) Regulations 2016."

Of the documented 887 requests for identifiable data that have been through the DMAP request process in March 2012 – December 2016, only 29 have been for aggregated data, according to analysis by the NGO defenddigitalme. There were 15 rejected applications between March 2012 and September 2016, including a request "by mistake" [13] from the Ministry of Defence to target its messaging for recruitment marketing. Approved uses include identifying and sensitive data released to Fleet Street papers, “to pick interesting cases/groups of students," and about 60% of applications approved (as distinct from volume of data used) for identifying and sensitive, pupil level data, were from think tanks, charities, and commercial companies. [14]

The Telegraph newspaper was granted identifying and sensitive data in 2013, for all pupils in the KS2, KS4 and KS5 cohorts for the years 2008-2012. [15]

Academic uses of school census data make up about 40% of the requests for identifying, pupil level data, processed through and approved by the DMAP process. The raw data are sent to the requestor's own location. There is no charge made for fulfilling requests. "DfE does not charge for data (and has not since the NPD process began), nor does DfE charge for the processing and delivery of extracts to customers."

There is however no transparency of the volume of how many children's data have been given away in approved uses either, because “the Department does not maintain records of the number of children included in historic data extracts.” (PQ109065) [16]

Public interest research use of pupil level data through other routes of access to the data, include projects linking individual data together with other education and employment data from citizens' interactions with other government departments and public services. For example, the LEO dataset is made up of information from the National Pupil Database (NPD), the Individualised Learner Record (ILR), the Higher Education Statistics Agency (HESA), Her Majesty's Revenue and Customs data (HMRC), The National Benefit Database, the Labour Market System and Juvos, the unemployment research database. Further work by DfE compares self-reported salaries from the 2008/09 DLHE survey with earnings data from the LEO dataset coming directly from HMRC tax records.

In June 2018, the UK Parliament gave powers to the Office for Students through the Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018 (No.607) [17] to distribute personal data to thirteen third party organisations. In 2019 The Higher Education and Research Act 2017 (Further Implementation etc.) Regulations 2019 [18] will expand which data that may be, and will include the entirety of the National Pupil Database and Alternative Provision data. In debate, [19] Shadow Secretary for Higher Education Gordon Marsden MP, asked the government whether, "it the intention of the new regulations that through the new data powers they give OfS to receive data in regulations 28 and 32 they can also enable the distribution by OfS of population-wide personal data?" The data in question, "includes the personal, confidential data of every pupil from state education since 1996, past, present and future and in perpetuity—over 25 million people, and growing every year—distribution to its own third-party prescribed persons, including potentially Pearson Education Ltd, among other commercial parties, for such wide-ranging company purposes, through the powers of last year's regulations, which set out who the OfS could give data to, and for purposes defined only by that company's memorandum and articles of association."

Since legislation changed over time to permit new uses and access to personal data by new third parties, over 15 million people whose data was already in the National Pupil Database and who had already left school pre-2012, have not been informed how their personal data may be used, for what purposes, and by whom, such new Regulations demonstrates.

Controversial collections and distribution of identifying personal data from the database

In July 2015, the Department for Education and Home Office Border Removals Team agreed a Memorandum of Understanding [20] to share pupil data including names, date of birth, gender, home address and school address for up to 1,500 children a month, from the last 5 years of their records, for various purposes of direct interventions.

This policy became public knowledge through the expansion of the school census in October 2016 which added country of birth and nationality to the collection.

In October 2017, the Department for Education confirmed in an interview with Sky News that, information obtained from the National Pupil Database was used to contact families to "regularise their stay or remove them" [21] and confirmed in January 2019 that this policy continues. [22]

An expansion of the Alternative Provision census starting in January 2018, added further sensitive data to the National Pupil Database including pregnancy, physical and mental health, and a code for young offender, as reason for transfer out of mainstream education. [23] The AP Guidance 2017-18 indicates that the age group has been lowered. "Within the AP census, pupils should be aged between 2 (as at 31 December 2017) and 18 (at 31 August 2017) - those pupils born between 01/09/1998 and 31/12/2015."

Campaigners and charities warned that the changes would lead to sensitive details being collected without the knowledge of parents and pupils, in breach of data protection law and raised concerns that "there are not enough safeguards to ensure that sensitive data does not end up being passed on to third parties and damaging the privacy of those it covers." [24]

In October 2020, the Information Commissioner's Office published an executive summary of a compulsory audit it had carried out of the Department for Education in spring 2020. The audit found that data protection was not being prioritised and this had severely impacted the DfE's ability to comply with the UK's data protection laws. A total of 139 recommendations for improvement were found, with over 60% classified as urgent or high priority. [25]

New data access model for data re-use by third parties

The sharing of identifying pupils’ personal data with third parties was put on hold in May 2018 for three months.  The Department for Education halted the distribution of personal information about  school children in England, to restart it aligned with a Five Safes model, according to the Office for Statistics Regulation's recommendations. Although this was intended as an improvement towards safer pupil data, in spring 2019 data distribution continued, more than six months after the safer model was introduced.

The new infrastructure was part of a set of recommendations [26] made by the UK Statistics Authority in 2018, which included that the Department carry out a Data Protection Impact Assessment. A summary was published in May 2019. [27] It included recognition of the risk that people, “may not be aware that their personal data may be shared with other organisations.”

In May 2019, the Department for Education released the first summary data protection impact assessment. It revealed that sexual orientation and religion are added to pupil records, for students from Higher Education.

The Information Commissioner's Office confirmed in interim investigation findings in autumn 2019, that, "This investigation has demonstrated that many parents and pupils are either entirely unaware of the school census and the inclusion of that information in the NPD, or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional. This has raised concerns about the adequacy DfE's privacy notices and their accountability for the provision of such information to individuals regarding the processing of personal data for which they are ultimately data controllers.”

Data request process

Access is granted through an applications process to the Department for Education Education Division and internal Data Management Advisory Panel (DMAP), and is subject to requesters complying with terms and conditions imposed under contractual licence arrangements. The DMAP Terms of Reference was first published in July 2016 by the Department for Education, but became obsolete after a 2018 panel reconfiguration.

The Department for Education application procedures for handling requests for data from the National Pupil Database, from March 2012, enabled interested parties to request extracts of data from the National Pupil Database (NPD) using forms available on the Department for Education website. Data supply agreements, agreement schedules and individual declarations for researchers and third-party organisations who have received DfE approval for applications for data extracts are completed before users are sent the password protected data.

The sensitive and identifying items that require DMAP approval include name, date of birth, postcode, candidate numbers, Pupil Matching Reference (Non Anonymised), detailed types of disability, indicators of adoption from care, reasons for exclusions (theft, violence, alcohol etc).

There is no ethics committee review for the release of identifying or sensitive data directly from the National Pupil Database by the Data Management Advisory Panel or Education Division.

There was no privacy impact assessment of the National Pupil Database for over twenty years, until 2019. [28]

Some of the history behind its collection, use and changes to legislation are outlined in a presentation given at an Open Data Institute ODI Friday lunchtime talk: Getting to grips with the National Pupil Database in 2013. (Soundcloud licensed under a Creative Commons License.)

The release of data permitting pupil level release of individuals’ identifiable data to third parties from the National Pupil Database was updated by 2013 changes to legislation. Section 114 of the Education Act 2005, and section 537A of the Education Act 1996, together with the 2009 Prescribed Persons Act, were amended in 2010 and 2013, to allow the release of individual children's data to third parties. Which data items are involved is based on the 2006 Act around the register data a school must hold, which has subsequently had many amendments.

The Data Protection Act 1998, in particular, Principle 1, sets out a fairness obligation which cannot be set aside merely because of the presence of a legal basis such as a Statutory duty. On 1 October 2015 this latter point was again made explicit for public bodies in the judgment of the Court of Justice of the European Union in the Bara case (C‑201/14), in which it ruled that “[the Directive] must be interpreted as precluding national measures…which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing,” i.e. individuals must be informed when public bodies share personal data and why.

For sensitive data (Tier 1 and Tier 2 of the National Pupil database include all the data items classified as ‘sensitive’) an additional condition from Schedule 3 of The Data Protection Act 1998 must also be met to justify a legal basis for disclosure. These conditions are a high bar, for example, in the interests of justice.

The Data Protection Act 1998 (s33) gives research exemptions for the purposes of statistical and historic research purposes, most significantly on the principles of indefinite retention and data minimisation, as well as Subject Access rights, for as long as data are processed for the legitimate interests of the Data Controller. To qualify for the research exemption, [29] the research must be able to comply with the following ‘relevant conditions’:

(a) that the data are not processed to support measures or decisions with respect to particular individuals, and

(b) that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

Campaigners from the children's privacy NGO defenddigitalme, have questioned whether this legal basis is met for some releases between 2012 and 2017 from the National Pupil Database and whether new uses put the research status of the National Pupil Database at risk. [30]

As observed in 2014 by independent experts, "the central concern is that parents and pupils themselves are not sufficiently aware of the way the data is being shared with third parties." [31] "There appears to have been no concerted effort to bring the consultation or the NPD initiative to the attention of parents or pupils." [32]

In November 2019, the ICO found: "the issues that the DfE experienced with the collection of the nationality data in terms of parent and pupil awareness of the optional nature of the collection of that data has highlighted concerns regarding compliance with articles 12, 13 and 14 of the GDPR. Our view is that the DfE is failing to comply fully with the GDPR in respect of these articles. The investigation has demonstrated that many parents and pupils are either entirely unaware of the school census and the inclusion of that information in the NPD, or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional. This has raised concerns about the adequacy DfE's privacy notices and their accountability for the provision of such information to individuals regarding the processing of personal data for which they are ultimately data controllers." [33]

In November 2022 the ICO issued a reprimand to the DfE following "the prolonged misuse of the personal information of up to 28 million children." [34] John Edwards, UK Information Commissioner, stated that:

"No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.

“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.

“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”

Related Research Articles

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

<span class="mw-page-title-main">Data Protection Directive</span> EU directive on the processing of personal data

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

Medical privacy, or health privacy, is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.

<span class="mw-page-title-main">Data Protection Act 1998</span> United Kingdom legislation

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

<span class="mw-page-title-main">Information Commissioner's Office</span> Non-departmental public body

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.

ContactPoint was a government database in England that provided a way for those working with children and young people to find out who else is working with the same child or young person, making it easier to deliver more coordinated support. It was created in response to the abuse and death of eight-year-old Victoria Climbié in 2000 in England. Various agencies involved in her care had failed to prevent her death, in particular by individually never realising other agencies had been in contact with Victoria.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.

Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others.

Data protection (privacy) laws in Russia are a rapidly developing branch in Russian legislation that have mostly been enacted in the 2005 and 2006. The Russian Federal Law on Personal Data, implemented on July 27, 2006, constitutes the backbone of Russian privacy laws and requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access". Amendment was signed on December 20, 2020 and came into effect on March 1, 2021. The amendment requires "personal data made publicly available" needs to receive consent from the data subject. Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media is the government agency tasked with overseeing compliance.

<span class="mw-page-title-main">Department for Education</span> Ministerial department of the UK Government

The Department for Education (DfE) is a ministerial department of the Government of the United Kingdom. It is responsible for child protection, child services, education, apprenticeships, and wider skills in England.

The Personal Data Privacy and Security Act of 2009, was a bill proposed in the United States Congress to increase protection of personally identifiable information by private companies and government agencies, set guidelines and restrictions on personal data sharing by data brokers, and to enhance criminal penalty for identity theft and other violations of data privacy and security. The bill was sponsored in the United States Senate by Patrick Leahy (Democrat-Vermont), where it is known as S.1490.

<span class="mw-page-title-main">John Nash, Baron Nash</span>

John Alfred Stoddard Nash, Baron Nash is a Venture Capitalist, also formerly a Conservative Parliamentary Under Secretary of State for Schools. Nash was chair of the British Venture Capital Association (1988–89), on the board of the Conservative think-tank, the Centre for Policy Studies and a Trustee of the Education Policy Institute. With his wife, Caroline Nash, he founded the charity Future, which was appointed by the Labour Government in 2008 to sponsor Future Academies, a trust managing school academies in London and Hertfordshire with a total of 7000 pupils; he is joint chairman of the governors of Pimlico Academy, one of the institutions run by Future Academies. Future also supports other organisations focussed on less advantaged children and young people.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

The Ley Federal de Protección de Datos Personales en Posesión de los Particulares, is a law of Mexico, approved by the Mexican Congress on April 27, 2010. The law aims to regulate the right to informational self-determination. The law was published on July 5, 2010, in the Official Gazette and entered into force on July 6, 2010. Its provisions apply to all natural or legal persons who carry out the processing of personal data in the applicable exercise of their activities. Companies such as banks, insurance companies, hospitals, schools, telecommunications companies, religious organizations, and professionals such as lawyers, doctors, and others, are required to comply with the provisions of this law.

Data re-identification or de-anonymization is the practice of matching anonymous data with publicly available information, or auxiliary data, in order to discover the person the data belong to. This is a concern because companies with privacy policies, health care providers, and financial institutions may release the data they collect after the data has gone through the de-identification process.

The School Census is a statutory data collection for all maintained (state-funded) schools in England. This includes nursery, primary, secondary, middle-deemed primary, middle-deemed secondary, local authority maintained special and non-maintained special schools, academies including free schools, studio schools and university technical colleges and city technology colleges. Service children's education schools also participate on a voluntary basis. Schools that are entirely privately funded are not included. It is a statutory obligation for schools to complete the census and schools must ask parents for information, tell parents and pupils where data are optional, and tell them what it will be used for before submitting it to Local Authorities or Department for Education. There is no obligation for parents or children to provide all of the data.

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

<span class="mw-page-title-main">Personal Information Protection Law of the People's Republic of China</span> Chinese personal information rights law

The Personal Information Protection Law of the People's Republic of China referred to as the Personal Information Protection Law or ("PIPL") protecting personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information. It also addresses the transfer of personal data outside of China.

References

  1. "The National Pupil Database User Guide [p.5]" (PDF). The Department for Education. Retrieved 30 May 2017.
  2. Welsh data
  3. Scottish data
  4. Northern Ireland data
  5. "Find and explore data in the National Pupil Database - GOV.UK". find-npd-data.education.gov.uk. Retrieved 2022-11-07.
  6. "The Data Protection Act 1998". legislation.gov.uk. Retrieved 11 May 2017.
  7. "Schools told to 'guess' pupil ethnicity" . The Independent. Archived from the original on 2022-06-18. Retrieved 24 October 2016.
  8. Moran, MP, Layla (18 January 2018). "Pupils: Personal Records:Written question - 120141". parliament.uk. Retrieved 1 March 2018.
  9. "Presentation to the NPD User Group by the Director of the DfE Data Modernisation group" (PDF). Bristol University. September 2016. Retrieved 20 May 2017.
  10. "NPD User Guide [p19]" (PDF). The Department for Education. Retrieved 30 May 2017.
  11. Department for Education (1 March 2018). "External Organisation Data Shares". uk.gov. Retrieved 1 March 2018.
  12. "Ministerial Correction:Written statement - HCWS272". 27 November 2017. Retrieved 1 March 2018.
  13. Scott, Sophie (5 June 2015). "MoD requests sensitive pupil data… by mistake". Schools Week. Retrieved 30 May 2017.
  14. "Analysis of NPD releases March 2012- December 2016". defenddigitalme. Retrieved 11 April 2017.
  15. "Pupil Data: national pupil database releases". whatdotheyknow.com. 18 September 2015. Retrieved 25 November 2015.
  16. Jones, Darren (23 October 2017). "Pupils: Personal Records:Written question - 109065" . Retrieved 1 March 2018.
  17. "The Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018". Gov.uk. May 15, 2019.
  18. "Higher Education and Research Act 2017 (Further Implementation etc.) Regulations 2019". Gov.uk. May 15, 2019.
  19. "Hansard, May 15 2019, draft Higher Education and Research Act 2017 (Further Implementation etc.) Regulations 2019, Westminster Hall debate". Hansard. May 15, 2019.
  20. "MOU between the Home Office (Casework Removals Team) and the Department for Education v1.0" (PDF). whatdotheyknow.com. 15 December 2016. Retrieved 30 May 2017.
  21. "Sky News, School census boycott over child deportation fear". Sky News. 5 October 2017.
  22. "Schools census used to enforce immigration laws, minister says". The Guardian. 13 January 2019.
  23. "Pregnant? Offender? What the government wants to know about AP pupils". Schools Week. 20 October 2017. Retrieved 14 November 2017.
  24. Savage, Michael (24 December 2017). "Plan to collect data on excluded pupils could put them at 'lifelong risk' of stigma". The Guardian . Retrieved 25 September 2021.
  25. "Statement on the outcome of the ICO's compulsory audit of the Department for Education". ico.org.uk. Information Commissioner's Office. 7 October 2020. Retrieved 25 September 2021.
  26. "Letter from the Director General for Regulation at the UK Statistics Authority to the Department for Education" (PDF). March 2018.
  27. "Data Protection Impact Assessment Summary". whatdotheyknow.com. May 2019.
  28. Jones MP, Darren (26 October 2017). "Alternative Education Census Expansion:Written question - 108570 "a formal privacy impact assessment was not completed."". parliament.uk. Retrieved 1 March 2018.
  29. "Legal framework". The Administrative Data Research Network. Retrieved 30 May 2017.
  30. "Call for review of pupil data legislation". defenddigitalme. Retrieved 30 May 2017.
  31. "Government offers school pupil data to private companies". WIRED. 25 April 2014.
  32. Boswarva, Owen (2 July 2013). "Exploiting the National Pupil Database - Consultation Responses" . Retrieved 30 May 2017.
  33. "DfE facing action over 'serious' data protection breaches". schoolsweek.co.uk. 13 November 2019. Retrieved 25 September 2021.
  34. "Department for Education warned after gambling companies benefit from learning records database". ico.org.uk. 2022-11-06. Retrieved 2022-11-07.