Higher Education and Research Bill

Written evidence submitted by defenddigitalme (HERB 39)

Higher Education and Research Bill

About defenddigitalme

Defenddigitalme is a volunteer non-profit campaign group for children’s privacy rights formed in 2015 in response to concerns from parents and privacy advocates about increasingly invasive uses of children’s personal data. More information: http://defenddigitalme.com/ The campaign asks the Department for Education ( DfE ) to change their policies and practices to protect 20 million children ’ s identifiable personal and confidential data in the National Pupil Database (NPD):

• stop giving out identifiable personal data to commercial third parties and press without consent

• start telling school staff, pupils, and parents what DfE does with individuals’ personal data

• be transparent about policy and practice

Summary

1. We broadly support use of the data for public benefit derived from academic research and the principles of the UCAS release. But vague definitions and open wording should be careful to avoid future unintended and avoidable outcomes, avoid any watering down of the current consent model, and safeguard children’s rights in data security and transparency.

2. The Bill which some fear ‘risks the commoditisation of higher education’ [1] must not commoditise children’s personal data and compromise their future. It is insufficient to have safeguards only in guidance 72(5) and upcoming legislation (GDPR) requires attention to processing, consent, the right to revoke it, to access one’s own and seek redress for inaccurate data.

3. Clause 71 as regards data collection: safeguards and oversight are needed for consent and the rights of children to object to uses, aligned with UCAS current policy and practice. Applicants today have a layered consent model to agree who can use their data and for what purposes and can opt out from some purposes: [2] Their autonomy to control their own personal data will be lost if copies of the dataset are released to the Secretary of State, whose definition of ‘approved’ users and ‘research’ is open to change at will over time, and without safeguards may outstrip the applicants given range of consent. Collection of data for any open ended purposes by the Secretary of State without safeguards of transparency or oversight in Clause 71 (4)(c) research into any other topic approved by the Secretary of State’ should be amended to address this.

4. In Clause 72 on uses, to safeguard the intended benefits of academic research using the knowledge in these data, one must not only promote, but be seen to promote public trust [3] , good handling, and guard against risks of giving away sensitive data. Current plans foresee copies of the 700,000 applicants’ full dataset will be passed on regularly by UCAS.

5. Firstly, this will give access to data for the purposes of public benefit research purposes by trained and accredited academic approved users in so-called ‘safe settings’ (purpose built rooms without Internet access, secure access systems, accreditation of trained users, no phones policy, and similar processes) using deidentified data. The current partner is the ADRN where research must be for non-commercial purposes, and demonstrate clear scientific merit and potential public benefit. [4]

6. Opening Applicant Data for extraction by the Secretary of State and use across Government [by dint of the Digital Economy Bill] may be intended to provide data on social mobility [5] , but it will also enable access to a more joined-up dataset, a lifetime of personal confidential identifiable data from 2 years of age into work after Higher Education, including datasets in HMRC, DWP, and The UK Department for Business, Energy & Industrial Strategy (BEIS) [6] , from millions of individuals going back to 2007 and going forward in perpetuity. Data will never be deleted, and may be used indefinitely or see its scope changed, without any sunset clause.

7. In addition however, purposes could be quite different. In parallel policy and process the Secretary of State will have a full copy of identifiable data without indication in the Bill how it could be used at their discretion, under what safeguards and in perpetuity. Clause 72 (6) says "Qualifying research" has the same meaning as in section 71, which means the Clause 71 (4)(c) research into any other topic approved by the Secretary of State’. Clause 72 should be amended to address this.

8. We suggest considering the history of legislation since 2000, scope creep, and current issues in the National Pupil Database (NPD) in making change to how Applicants data will be used in future. Legislative purposes of "conducting research or analysis, producing statistics or providing information, advice or guidance" have meant children’s personal data collected in schools in England has been commoditised , and privacy compromised by the State being ‘opened up’ in 2012.

9. To avoid repeating similar legislative changes which have resulted in poor data practices using school pupil data in England age 2-19, we would like to ask the Committee to consider whether the intent of the Bill is to give out identifiable confidential data of young people, potentially under 18, for commercial use? Or press and charities access? For unfettered access by government departments and agencies without transparent oversight such as police and Home Office? These are today’s uses by third-parties [7] of school children’s identifiable and sensitive data from the NPD.

10. It is against this backdrop of past legislation, their current unforeseen impact, and future legislative and technological change and scope, that the importance of these two small clauses 71 and 72 must not be lost in the whole bigger Bill.

Powers of Secretary of State to obtain information or advice, clauses 71 Power to require application-to-acceptance data and 72 Use of application-to-acceptance data for research purposes. [8]

11. We respond with a submission in follow up to the evidence session on September 6, 2016. We broadly support the principles in the UCAS amendments around students data and academic research for public benefit. We note the request from Which ? to ensure more organisations like them are given access to a ‘rich dataset’. And we heard an important question whether young people have sufficient information to help them as prospective students make life choices.

12. It is rarely asked, what information do Applicants and young people actually want and need, versus what Data Processors and Data Consultancy firms would like to be able to offer them as a service? It is simplistic to assume more data equals better knowledge. Today’s Applicants have a lifetime ahead increasingly entwined with technology in the Internet of Things, and sensors on every corner of smart cities using their digital identity. Decisions made about their data and using their data, affect who has what degree of control and influence over young people. We urge balance considering the views of commercial operations and charities who profit from using data.

13. We have interviewed students about similar legislation which opened up their identifiable school data, and has resulted in what many students today see as misuse of their confidential personal data, by commercial companies and journalists for ranking, comparison websites and reports young people find unnecessary. Measures of public acceptance for data use in bona fide academic research in the public interest, and differences in the levels of trust that people attribute to different settings and organisations , were made in The Royal Statistical Society’s Data Trust Deficit, with Lessons for Policy Makers [9] (2014). This included views from people aged 16-75 on the use of their personal data in datasets within government. These findings were similar to those from the ESRC Public Dialogues on Using Administrative Data in 2013. Young people, age 14-19 were asked in 2010 by The Royal Academy of Engineering [10] about attitudes to use of their health data. Few have high trust that government has their best interests at heart using confidential personal data at individual level.

14. Taking the National Pupil Database as a case study, While data have been used by academic researchers in the public interest through the ADRN for example, sensitive i dentifiable individual-level data have been released by the Department for Education in a parallel process since 2012 - to commercial companies, charities and press - as well as for use in public interest research from academic institutions. Recipients of sensitive identifying individual-level personal data include national papers [11] and television journalists [12] . School children’s confidential records have been copied into an ever growing state database of 20 million [13] named individuals. Identifiable personal data has been handed out over 650 times since 2012 and in July 2015, no data recipient had ever been audited. If conditions had been met for the legal processing of sensitive data was unknown [14] . All the named data, starting from the Early Years settings and the various School Census, for children aged 2-19 at the time of collection, are processed to the National Pupil Database (NPD) it is one of the richest education datasets in the world. [15] (NPD User Guide, 2015) [16] . We obtained the size of the database through Freedom-of-Information [17] as it is unpublished. ‘The total number of Unique Pupil Numbers (UPNs) in the NPD as at 28/12/2015 was 19,807,973, collected since 2000.

15. The Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009 (Amended 2013) grants access to pupil data to persons who, for the purpose of promoting the education or well-being of children in England are- (i) conducting research or analysis, (ii) producing statistics, or (iii) providing information, advice or guidance, and who require individual pupil information for that purpose. Similar open ended wording in this Bill risks the same outcome.

16. The legislation of Clause 72 must avoid repeating this with Applicant Data that opening up data for public interest research, comes to mean a wide range of purposes. Clause 72 needs to consider how freely and with what oversight the Secretary of State can define existing, or designate new ‘approved’ users or bodies and purposes of ‘qualifying research’.

17. The forthcoming Digital Economy Bill 2016 will still further expand who may have access to all those confidential datasets across government and public bodies, and for what purposes individuals’ personal data may be used, and the draft bill includes provision for Student Loans providers access to student data, and on Debt recovery, to single out just two.

18. A mendments are needed to clauses 71 and 72 to ensure that the public benefit intent of the Bill is deliverable without putting young people's privacy and public trust at risk today, or in the future. Children’s data becomes adults’ data, and builds a population-wide database over time. In framing safeguards it may be helpful to think not as Applicant data, but for what purposes or organisation and with what oversight committee members would like their own personal data used.

19. Changes in data legislation, must thoroughly understand and account for advancement in data science and today’s machine-made decisions using big datasets and interventions with individuals which can result. It should give thought to what opportunity data subjects have to see their own data and correct inaccuracies, as data are increasingly used ‘behind the scenes’ negatively affecting the knowledge-balance and relationship of trust between provider, State and individual.

20. Public trust in academic public interest research use of their personal data and trust in government use of data are quite different. [18] In UCAS own research only 3% of students had low trust levels in UCAS , but over a quarter of surveyed students demonstrated a low level of trust in government at 26%. [19] The Royal Statistical Society work on the Data Trust Deficit with lessons for policymakers found similar. [20]

21. Providing the public ways to access copies of their own data (Subject Access Request) and the publication of Transparency Registers or personal reports to list all releases of data (showing how data have been used) can also demonstrate the public benefit intended from that use and foster trust. Academic public interest application for data uses in safe settings are published by the Administrative Data Research Network (ADRN) [21] the current UCAS research third party. Uses of the Government copy of the database would by contrast be used without oversight and carried out in secret.

22. The current transparency tool at the Department for Education, the spreadsheet register [22] of third-party recipients to whom it has released data since 2012 through its own application and approvals process which works as long as a commitment to transparency is upheld. However the DfE has failed to publish all releases. An August 2016 FOI request shows undocumented releases of identifiable data, to the Cabinet Office, Home Office, and Police since 2012. [23]

Clause 71: Power to require application-to-acceptance data ( Collection of Data from Admissions)

A. Understanding the importance of the age and type of the applicants (data subjects): children under 18, including foreign nationals living abroad.

B. The General Data Protection Regulation (GDPR) legislation and Data Protect Act 1998: consent children’s data processing, right to opt out of secondary uses, revoke consent, Subject Access Request

C. Collection requirements for defined purposes and fair processing and the research exemption

23. UCAS collects personal data from over 700,000 applicants each year. T he Bill covers all applicants including those not admitted to higher education at the end of the application process. This means the personal confidential data from people will be aged 17 and, less commonly, even younger at the time of application, and include foreign nationals living abroad.

24. T he age of the data subjects matters when considering children’s data protection and privacy rights under UK law and the future European General Data Protection Regulation (EUGDPR), Human Rights law, and with regard to children’s consent, and how this may affect the legal application and use of data and for what purposes.

25. A question should be asked, whether our State database copy should include the identifiable personal data of foreign nationals living abroad, regardless of whether they take up the place or not, to be stored and shared in perpetuity?

26. Applicants can ’t opt out on collection of UCAS sharing their data during admissions purposes, for regulatory or statutory purposes, or for public interest academic research (currently explicitly and only with the ADRN):

"We also share personal information from your application with University of Essex for use through the Administrative Data Research Network (ADRN), including linking to other data sets, for as long as is necessary to enable research about higher education, where there is a potential public benefit. Data is only made available for approved non-commercial research projects. Your data is only made available through the secure access provided by the ADRN and researchers can only access your data once your identifying details, such as name and date of birth are removed." [24]

27. However there is a nuanced consent process for other third party purposes which must be respected by all uses of the data after collection. A pplicants have the option to consent or opt out separately from data use for other purposes: [25]

• With universities and colleges if students are unplaced

• With the Student Loans Company

• With third parties such as banks and insurance companies

• Additionally, applicants can opt to receive targeted mailings or products from UCAS Media Ltd on behalf of selected companies and organisations offering services to students. UCAS do not share applicants’ personal data with these organisations .

• Applicants opting to receive these mailings can choose separately whether to receive information about careers, education and health issues as distinct from commercial marketing information.

• Applicants can also opt out of receiving information at any time.

28. If the government held copy of the database is going to be used for anything of the above choices, such as with the Student Loans Company (see point on the Digital Economy Bill), then applicants consent choices must be respected. The Secretary of the State and its designated approved parties must respect these uses. "Qualifying research" is so open as to be meaningless. Is applicant data from children to be used by any public body or commercial third to find interesting things, interesting group characteristics, or interesting individual characters [26] ? Clause 71 (4)(c) research into any other topic approved by the Secretary of State’ should be amended to address this.

29. There is no current consent model that enables this linkage or opt out across multiple datasets of lifetime data . Research purposes cannot be used as an exemption for just "anything else" as loosely defined as ‘in the public interest’. These data are given in trust to the receiving institutions for the purposes that are communicated to the data subject and those they expect at the time of collection. Learning from what has happened to pupil data should show why wording matters.

30. UCAS respects the Data Protection Act 1998 and caters to the upcoming EUGDPR legislation (Article 7(3) of the GDPR which gives data subjects the right to withdraw consent at any time and requires "it shall be as easy to withdraw consent as to give it ." How will the State enable the right to prevent sharing with the very bodies which students have already said no in the original provision to UCAS and how will scope creep prevent the unfettered expansion of these uses in future?

31. The July Supreme Court ruling on the limitation of purposes, no provision for removal of information at third parties contraven ing Google Spain [27] , and interference with privacy, should be examined with respect to the new plans for gathering data and as to its legislative basis on consent and right to revoke consent. [28]

32. What happens to consent when the policy or the law changes retrospectively? We ask you to consider school pupil data as a case study of how data given for one purpose in the past, has become used for very different purposes and by very different recipients over time. Consent has been ignored. The uses that were limited in 2003, to a " small number of technical staff engaged in collating the pupil level data and creating the profiles have access to pupils' UPNs and names. Analysts in the Department and partner agencies ( Ofsted , QCA and LSC) have access to anonymised profiles for use for statistical purposes only. [29] " this has been long since exceeded. If legislation permits this, it is almost inevitable.

33. The Information Commissioner’s Office has made it clear to the Department that aligned with the Principle of the Data Protection Act 1998 it supports data subject good practice rights of access [30] to enable individuals to check that the data held in a database are accurate and correct them if necessary. This is despite the general exemption Section 33 of the Data Protection Act for ‘research’ because the ‘research’ definition is conditional. The First Data Protection Principle requiring personal data to be fairly and lawfully processed still needs to be adhered to, even if the ‘research exemption’ applies. [31] Personal data will be exempt from the data subject’s rights of access where ‘the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them’ (section 33(4)). Pupil data however can be released on named basis [32] so should not be exempt from Subject Access.

34. Given that these data are used for direct interventions it is vital data are accurate. The effect of an incorrect address being used by academic researchers for a health or education survey is potentially quite different from it being used by the Home Office. The Department refuses subject access requests, basing withholding on exemption Section 33 in the Data Protection Act. This exemption is used where data are held for research purposes, where data are not used to have any direct effect or intervention with individuals we believe this is incorrectly applied. At present national newspaper journalists have greater access to children’s identifiable data in the NPD than parents or children themselves. How will this process be enabled for Adults in later life to ask what data is held by the State database copy?

35. Given the age of many of the students using UCAS services, protecting their data and maintaining their trust is critical and they are minors in law. How their data will be held, managed, and used for research when it accessed via the ADRN (the current named UCAS trusted third-party in the applicant consent form) is communicated to students, and sets their expectations. An equal level of assurance must be offered to students in relation to the supply of data to the government and whomever the Secretary of State requires UCAS to provide data to. This is essential to maintaining confidence and trust in UCAS’ admissions services.

36. Children’s personal data, which are now available from birth in health and may be joined to education data available from age 2, means that longitudinal data increasingly offers a richness and depth of life stories that has not been available before. For academic researchers this presents an opportunity to see into lives, and infer connections, and patterns that they could not otherwise. The same is true for other data users. This knowledge creates a power imbalance between what is known to the data user and what is known by the subject. Power has potential to be used for good, or not.

37. Data Protection needs reframed in many discussions as not about protecting data, although data security plays a big role in the discussion, but the purpose of protecting data is to protect the person from whom the data comes, from potential harm through abuse of power; labelling, stigma and discrimination, or any kind of unwanted intervention as a result.

Clause 72: Use of application-to-acceptance data for research purposes (Use of Data)

A. Understanding this is not about sharing statistics

B. Risks of use of the data by open ended approved researchers and bodies

C. Data retention

38. Clause 72 (2)(b) must be amended on the face of the Bill because while it is intended to ensure that no individual to whom the information obtained under section 71 relates may be identified from the publication, it does not prevent their identification from release or data use by third parties. Data passed about will be identifiable individual level personal data. The phrase ‘Publishing’ data, is generally considered synonymous with making public. Privacy is engaged at the point of release from the Data Controller, in this case if the Secretary of State database copy releases any data to a third party (use The Telegraph as a past example from the National Pupil Database) an individual might feel their privacy had been compromised, but the government Department use would describe the data as ‘unpublished’ and be permitted by the legislation. This wording of Clause 72 (3) (a) and (b) allow unlimited copying and passing of data between any "approved person" or body approved by the Secretary of State.

39. Clause 72 (4) appears intended to prescribe limits on the onward sharing by approved researchers and approved bodies to others. However, it makes no reference to restrict an approved body from providing information obtained under section 71 to third parties who are (a) not another approved researcher or (b) another approved body. Without amendment this clause would leave wording that might allow approved researchers and bodies to pass to anyone else, who is not ‘approved’.

40. Identifiable data are being used to link multiple databases together for research, and for other government purposes. Current government policy and practice is to join up and use longitudinal data, from across children’s lifetime (age 2-19) from the National Pupil Database (NPD) to the Higher Education data, and with further lifetime datasets, HMRC and DWP data, under the auspices of ‘destinations’ data. This Applicant Data will fill the gap in the middle for some. This will affect every adult in the country who has studied in England’s higher education using the UCAS system backdated since 2007.

41. At the moment in clause 72 (3b) the Secretary of State may designate other approved persons at will, "an individual approved by the Secretary of State" which enlarges the scope of who can use data, or the Secretary of State can change for what purposes data may be used; "Qualifying research".

42. While 72 (2b) the Secretary of State or an approved person may not identify individuals through publishing the product of research conducted using information, this does not limit the identification by the Secretary of State, or anyone they approve, using the identifiable data. For individuals, the fact that someone like the Secretary of State or another government agency could view their identifiable data, would for many be considered a breach of privacy and not the purposes for which the person gave their data to the Admissions process, even if ‘public benefit’ was in their consented purposes.

43. The intention of UCAS is to share data with researchers via the ADRN, which through its own processes and safeguards ensures that research is intended to have a public benefit. If the Secretary of State designates other approved persons how do we ensure that applicants’ data is only used for public benefit purposes and what those purposes will be and its limits?

44. Since 2012 the Department for Education has approved releases to Police (31) and Home Office (20) (Back Office uses). They have failed to publish these uses in the third party register. If now Applicant data in the Secretary of State’s copy is used for these purposes how will Parliament or public know, and trust that it is being used for the right reasons, when necessary and proportionate?

45. We would like to understand whether there has been discussion on what rules there may be for government on retention? Once UCAS has released the full dataset annually, will the Secretary of State be able to keep and use it forever? If yes, there should be consideration given to this because it will in effect create a copy of a large part of the population in a national database for all purposes across government, and outwith UCAS oversight. ( i.e . Schools are very surprised today that pupils’ data is being given from the school census via the National Pupil Database to the Home Office).

46. Data policy and practice about children’s confidential data will impinge on principles set out in the United Nations Convention on the Rights of the Child, Article 12, the right to express views and be heard in decisions about them and Article 16 a right to privacy and respect for a child’s family and home life if these data will be used without consent. Similar rights that are included in the common law of confidentiality, Article 8 of the Human Rights Act 1998 incorporating the European Convention on Human Rights Article 8.1 and 8.2 that there shall be no interference by a public authority on the respect of private and family life that is neither necessary or proportionate , and DPA 1998, that data must be processed fairly and for limited purposes, relevant and not excessive, and kept securely for no longer than necessary .

47. Judgment of the Court of Justice of the European Union in the Bara case (C‑201/14) (October 2015) reiterated the need for public bodies to fairly process personal data before transferring it between themselves. [33]

48. The EU Charter of Fundamental Rights [34] , Article 52 also protects the rights of individuals about data and privacy and Article 52 protects the essence of these freedoms. These are fundamental rights that help children develop, and grow. This encroachment has come about over time and incremental scope creep through legislative changes since 2000.

49. We propose a forward review date built into the legislation for the use of data by the Secretary of State with respect to children’s rights because technological change, for example in between the founding of the National Pupil Database and in the sixteen years since, has outstripped the capacity of laws to keep up, and keep pupil data safe. What was designed to enable public benefit from pupil data, has resulted in what the public perceives as misuse of their personal data, namely having been obliged to provide data for a service (their child’s education) those same data are being used for purposes far beyond what parents and pupils think reasonable and fair.

Public voice and expectations about their personal data entrusted to Government

50. We submit evidence of public opinion, the qualitative and narrative responses we have gathered over the course of 2015-16 about public awareness of how personal and education data gathered in school are used by the State, through the National Pupil Database. And we reference the extended public engagement work of the ESRC [35] , Wellcome , and the 2010 Royal Society of Engineering with 14-19 year olds. Our work to date shows young people, parents and school staff are surprised by uses of children’s data from the National Pupil Database, especially by commercial use.

51. UCAS’s survey of their 2015 UK applican ts , with 37,000 responses, showed the majority of respondents were happy for their data to be shared for research purposes where there is a clear public benefit. The majority of applicants (90 per cent) agreed with the statement that they should be asked before their personal data was provided, over twenty times more than disagreed with that statement (4 per cent). [36] Interestingly 8% suggested that they would rather share no data at all with UCAS and not apply, than have it shared. In our own discussions with under 35s on the use of their data, it is often those who already feel most marginalised who are in the group most likely to want to maintain control over their data.

52. Young people, age 14-19 were asked in the 2010 study Privacy and Prejudice [37] , conducted by The Royal Academy of Engineering (Paterson, L. and Grant, L. ( eds ) supported by three Research Councils, and Wellcome , about attitudes towards the use of electronic medical records, their concerns and questions centred on privacy, and data getting into ‘the wrong hands’.

53. Trust in use of their confidential health data was affected by understanding data security, anonymisation , having autonomy and control, knowing who will have access, maintaining records accuracy, how will people be kept informed of changes, who will regulate the database, and how people will be protected from prejudice and discrimination.

54. The report concluded: "These questions and concerns must be addressed by policy makers, regulators, developers and engineers before progressing with the design, development and implementation [… ]and linking of any databases."( p40)

55. The Royal Statistical Society Data-Trust-Deficit with Lessons for Policymakers, 2014 [38] measured public trust levels and found that individuals’ trust in government to use personal data in their best interest is low. Only 11% of those asked in the 2014 surveys had a high level of trust in government to use their personal data in their best interest.

56. If public trust is to be increased, the use of personal data needs to return data sovereignty to individuals. Baroness Kidron talked in the House of Lords in January 2014 (Hansard), of creating a regulatory framework that protects young people from routine collection of their data, from it being stored and sold in perpetuity without recourse.

57. Between autumn 2015 and summer 2016, we asked school staff, parents and young people about control of their data.
We gathered interviews from students under 35 if they had been to school in England, and in different parts of the country. We introduced the idea of the NPD. None had heard of it. We explained that data has been opened up to third parties since 2012, the approvals process, rules for use, and the wording of the legislation. Comments from interviews include:

D. Ben 26, from Reading: "I don’t think commercial businesses should have access to student data. You have not necessarily been exploited, but definitely used."

E. Catherine, 21, from Gloucestershire: "Parents and pupils should have access to their own data and should know who else has it. I don’t think anyone else should have access to the identifiable data without consent."

F. Johann 18, from Paris (completed A-levels in England): "I’m not surprised my data is used by others, probably some of it is used for good causes, but we should know who has it […] we should define our privacy (not the government) and they should ask us before they use it for anything we don’t expect."

G. Ruby 28, from Newcastle: "I’m surprised to hear my school data could be used outside schools without my consent. It’s a personal thing and can affect lives."

58. Public and school professionals’ familiarity with the National Pupil Database is almost zero. Respect for the opinion and rights of children (many now in the NPD) about how their data can and should be used must be restored, as the foundation of all data use is public trust. Their understanding of how their student data are used by others is likely similar.

Conclusion

59. Exploiting personal data from individuals for short term economic well-being under the umbrella of ‘public benefit’, must not be at the long term expense of societal benefit which can be gained from trusted use of public data.

60. Public benefit has been the key purpose of using data in academic research and used to address ‘some of the most pressing challenges facing society,’ (ESRC, 2016) for a number of years. However recent legal and policy changes in who can access pupil data from education 2 -19 and what they use it for, have expanded the scope of use under the blanket definition of "in the Public Interest" and "research" has come to mean a wide variety of purposes beyond academic study. The term for public benefit is therefore not a strong safeguard to prevent identifiable data used for commercial purposes.

61. There is disparity between government departments and safe research data handling infrastructures, which means in consistent policy and practices exist in parallel. Secure handling is key to public trust, poor policy and practices jeopardise this and risk data misuse and potential resulting harm. The Secretary of State open ended Clause

62. This Bill as it is will duplicate the identifiable data of 700,00 under 18 applicants, incrementally growing a state database in perpetuity with potential for scope creep in use, users and without consideration of the rights of the individuals. The existing UCAS consent model which gives young people degrees of control over secondary purposes of data use should not be watered down or revoked.

63. The government-wide use of all public data is set out in the Digital Economy Bill 2016, will use more identifiable data for a wider range of purposes, together with increasing the use of data that have been linked with multiple datasets across different sources. R espondents to the Cabinet Office 2016 consultation, Better Use of Data in Government, "felt strongly that publicly-held data should not be accessed by researchers for commercial or profit-making purposes." [39]

64. The upcoming GDPR has particular provision for children and requires a focus on affirmative consent for secondary use and the right and easy route to revoke it at any point. GDPR Article 9 requires more – "explicit" consent – for the processing of "special categories of personal data." and not all uses are exempt under the ‘research’ exemptions. Judgment of the Court of Justice of the European Union (C‑201/14) [40] (Oct 2015) reiterates this across public bodies sharing data.

65. The Joint Committee on Human Rights previously found, "failure to root human rights in the mainstream of departmental decision-making ." [41] Children’s human rights are failed by current practice in the use of personal data entrusted to the State and released onwards to third parties.We suggest avoid repeating this in Applicant data in this legislation.

66. Consistent safe data policies, settings in which data are accessed, standards and oversight - how public data not only 'can be' used, but 'should be' used, accommodating consensual data subject rights - are needed across public data, to make data secure, future-proof public trust, and above all to ensure our young people feel sovereignty of their personal data is returned to them, so that they no longer feel, they have " not necessarily been exploited, but definitely used."

67. The CMA report (June 2015) [42] on consumer data, highlighted that to secure the benefits of data, people should know when and how their data is being collected and used and decide if and how to participate .

68. The House of Commons Science and Technology Committee 2014 in their report, Responsible Use of Data [43] , said the Government has a clear responsibility to explain to the public how personal data is being used. This needs to be actioned by government. Their Big Data Dilemma 2015-16 report, concluded:

" seeking to balance the potential benefits of processing data (some collected many years before and no longer with a clear consent trail) and people ’ s justified privacy concerns will not be straightforward. It is unsatisfactory, however, for the matter to be left unaddressed by Government and without a clear public-policy position set out. The Government should clarify its interpretation of the EU Regulation on the re-use and de anonymisation of personal data, and [… ] strike a transparent and appropriate balance between those benefits and privacy concerns." [44]

69. Amendments are needed to safeguard children from use of their data gathered by the State or commercial companies in the course of their education and its use without transparency, or clear oversight, exposure to risk from third parties, decisions based on inaccurate data, or misinformed intervention without clear course of redress .

70. We believe amendments to Clause 71 and Clause 72 are needed and while broadly supporting the UCAS proposals, ask for better wording, safeguards and oversight, to ensure that the current consent model is not undermined, and the future public benefit intent of the Bill is deliverable without putting young people's privacy and trust at risk today and forever.

September 2016

The submission is sent from the coordinator of the children's civil liberties and privacy campaign group defenddigitalme. The coordinator Jen Persson has also been a lay person on the ADRN approvals panel since April 2015. The submission represents strictly the work and opinion on behalf of the campaign group.

---

[1] https://hansard.parliament.uk/commons/2016-07-19/debates/16071936000002/HigherEducationAndResearchBill

[2] https://www.ucas.com/corporate/about-us/our-personal-data-policy

[3] http://www.bbc.co.uk/news/health-26259101

[4] https://adrn.ac.uk/application-process/requirements/

[5] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/543500/bis-16-285-higher-education-research-bill-summary.pdf

[6] Nick Boles MP, Jan 25th 2016, at the Education Select Committee

[7] NPD third party online release register https://www.gov.uk/government/publications/national-pupil-database-requests-received

[8] http://www.publications.parliament.uk/pa/bills/cbill/2016-2017/0004/17004.pdf

[9] https://www.statslife.org.uk/news/1672-new-rss-research-finds-data-trust-deficit-with-lessons-for-policymakers

[10] http://jenpersson.com/wp-content/uploads/2016/08/Privacy_and_Prejudice.pdf

[11] FOI request September 2015 https://www.whatdotheyknow.com/request/293030/response/723407/attach/5/The%20Times.pdf WhatDoTheyKnow.com

[12] https://www.whatdotheyknow.com/request/293030/response/723407/attach/10/BBC%20Newsnight.pdf

[13] https://www.whatdotheyknow.com/request/pupil_data_national_pupil_databa_2?nocache=incoming-764676#incoming-764676

[14] http://defenddigitalme.com/2016/06/sensitive_pupil_data/

[15] DfE Common basic data set (CBDS): database https://www.gov.uk/government/publications/common-basic-data-set-cbds-database

[16] Copy of the 2015 NPD user guide http://defenddigitalme.com/wp-content/uploads/2016/08/NPD_user_guide.pdf

[17] FOI request for total pupil numbers in the NPD https://www.whatdotheyknow.com/request/pupil_data_national_pupil_databa_2

[18] https://www.ipsos-mori.com/researchpublications/researcharchive/3422/New-research-finds-data-trust-deficit-with-lessons-for-policymakers.aspx

[19] http://defenddigitalme.com/wp-content/uploads/2016/09/ucas_applicant_data_survey_key_results_0.pdf

[20] https://www.statslife.org.uk/news/1672-new-rss-research-finds-data-trust-deficit-with-lessons-for-policymakers

[21] https://adrn.ac.uk/research-projects/approved-projects/

[22] NPD third party online release register https://www.gov.uk/government/publications/national-pupil-database-requests-received

[23] FOI July 2016, Pippa King https://www.whatdotheyknow.com/request/pupil_data_sharing_with_the_poli WhatDoTheyKnow.com

[24] https://www.ucas.com/corporate/about-us/privacy-policies-and-declarations/ucas-declaration

[25] https://www.ucas.com/corporate/about-us/our-personal-data-policy

[26] https://www.whatdotheyknow.com/request/293030/response/723407/attach/5/The%20Times.pdf

[27] http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-05/cp140070en.pdf Google Spain ruling

[28] http://panopticonblog.com/2016/08/25/donald-wheres-schedule-3-condition-share-information-aboot-troosers/

[29] Hansard 14 Apr 2003 : Column 557W-continued http://www.publications.parliament.uk/pa/cm200203/cmhansrd/vo030414/text/30414w22.htm

[30] https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/subject-access-request/

[31] https://adrn.ac.uk/protecting-privacy/legal/dpa/

[32] http://defenddigitalme.com/2016/02/scope-creep-in-national-pupil-database-now-means-names-released/

[33] Judgment of the Court of Justice of the European Union in the Bara case (C‑201/14) http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150110en.pdf

[34] http://fra.europa.eu/en/charterpedia/article/52-scope-and-interpretation-rights-and-principles EU Charter of Fundamental Rights, The European Union Agency for Fundamental Rights (FRA)

[35] http://www.esrc.ac.uk/public-engagement/public-dialogues/

[36] http://defenddigitalme.com/wp-content/uploads/2016/09/ucas_applicant_data_survey_key_results_0.pdf

[37] Paterson, L. and Grant, L. The Royal Academy of Engineering (2010), Privacy and Prejudice: Young people’s views on Electronic Patient Records. http://jenpersson.com/wp-content/uploads/2016/08/Privacy_and_Prejudice.pdf

[38] Royal Statistical Society Data Trust Deficit with Lessons for Policy Makers (2014) https://www.statslife.org.uk/news/1672-new-rss-research-finds-data-trust-deficit-with-lessons-for-policymakers

[39] http://www.publications.parliament.uk/pa/bills/cbill/2016-2017/0045/17045.pdf

[40] http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150110en.pdf  

[41] Joint Committee on Human Rights Data Protection and Human Rights Fourteenth Report of Session 2007–08 http://www.publications.parliament.uk/pa/jt200708/jtselect/jtrights/72/72.pdf

[42] CMA report (2015) Commercial use of consumer data https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/435817/The_commercial_use_of_consumer_data.pdf

[43] The House of Commons Science and Technology Committee 2014 Report, Responsible Use of Data http://www.publications.parliament.uk/pa/cm201415/cmselect/cmsctech/245/245.pdf

[44] The Science and Technology Committee Big Data Dilemma Report (2015-16) http://www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/468/468.pdf