School breaking Data Protection Act

[ThePainOfLego]

We recently received a letter from the Primary School called "Pupil Premium Data Request". It asks for details regarding the children and parents (including date of births and NI numbers). It has a disclaimer on the bottom about by providing these details you are giving permission for the school to check if your child qualifies for the pupil premium.

I will not be filling this in as (1) we don't qualify for pupil premium or free school meals (2) I do not want to give the school these personal details.

Am I BU in thinking there should be more wording about not keeping details, only using them for a specific purpose, not passing them on etc etc? There is something about the vagueness of this letter that makes me really uncomfortable, even though I like and trust the school.

But if they aren't writing they won't use the information for other things, en surely they can

It's v good practice to write this on the bottom of the form - but they don't. If its a template it wouldnt be difficult to change the template

Red toothbrush, this is anonomised records

IguanaTail Sun 14-Feb-16 18:56:25

It's a school, filled with enhanced-DBS checked adults. What would they possibly do with that data? Schools have access to huge amounts of sensitive data.

The DPA is only as good as the people tasked with protecting that data. Just because someone has an enhanced DBS doesn't mean they won't do anything improper with the information.

I recall a recent thread, can't remember the OP, but the subject was about those FLbots and similar. One poster said that someone at her DCs school had contacted her trying to push her MLM product onto her, and could clearly have only gained the contact info from school records, a clear breach of DPA.

And who knows who else she'd contacted using school info.

So it can happen.

My job involves EYPP, we can only use the returned data for the EYPP.

It may be anonomised publically ivy but that doesn't mean it can't be hacked, and if people should know if even their anonomised data is used for other purposes.

YANBU OP. The YABUs are being very naive, especially given the recent hacking scandals.

Care.data failed and was pulled due to the fact that there were massive concerns over the fact that anonymised data was too easy to use to identify people.

So we now find that this is proposed via the back door using a data base that already exists and no one was actively asked about joining.

With children.

YANBU OP. The YABUs are being very naive, especially given the recent hacking scandals.

I assume that none of your data is online anywhere then? Banking, shopping, work, online forums...?

Data protection? Oh purlease.
Our school says on the form that they get some sort of money/ funding, even for those not entitled to free school meals, so asked for everyone to fill it in.

Hacking is illegal.

The DPA requires organisations to take "reasonable steps" to protect data they hold. If a locked filing cabinet in a locked office is forced during a burglary, that is not a breach of the DPA on the part of the data holder.
The same applies to hacking - if security is in place but is forced illegally - it's not a breach of the DPA.

"asks for details regarding the children and parents (including date of births and NI numbers). It has a disclaimer on the bottom about by providing these details you are giving permission for the school to check if your child qualifies for the pupil premium."

You are only allowed to use the data for the reason you asked for it. So in this case, they can only use it for the school to check if your child qualifies for pupil premium

Seriously!!!!

You must understand the need for this form.
It's so damned hard for KS1 to find out who is eligible for PP due to the FSM for all.
What will the school do with your data? Really?
You've likely had more detailed data sold on from your bank!
I wasn't allowed the address of a colleague at work, to send a card when she was in Mat leave!
So imagine what they can't do with your data! (So I left the stamped card with the lady in the office who added the address and posted for me )

If you are 100% sure you don't qualify just write a note explaining that.

I'm concerned about the data being collected for Scottish children from the start of their preschool funding that follows them throughout their school life, linked to either their birth certificate or their passport number.
The database being used by the majority of Scottish councils is provided and maintained by a private company, it is kept on their servers.
The basic template form for the information that can be added to the database is pages long including ethnicity, nationality, religion, medical history, parents employment and contact details, whether the child is 'looked after' etc etc. Apparently councils can choose which information is deemed essential so the people entering this data can decide to collect only that information but it seems many councils are collecting it all.
Bear in mind the previous information required to receive funding was basically child name, DOB and address

School and nurseries etc would need to collect more detail - eg emergency medical information, emergency contact details but they could be kept 'in house' and destroyed when the child left the setting. This information will now follow the child into different settings etc...in some ways positive that the information needs to be entered once in one council area then only updated as a child moves from preschool to nursery to primary to secondary.
But still some of this information does not seem to be essential to a child's education or even school planning (lunch menus, religious provision, extra language support) - it just seems like collecting information for information sake...
And I do wonder what happens to it when they leave education...

YABU, you don't have to fill the form in and you aren't eligible, so no harm done.

It would be more financially beneficial for them to include a bit about who may be entitled and what the money pays for.
Then, the ones who aren't claiming will probably do so.

What a non issue, just don't fill it in if you don't qualify, I don't see the problem.

No, YANBU.

As a society we seriously undervalue our data - it is an incredibly valuable commodity and so many people just blithely hand it over with little thought to where it will end up.

I don't buy the advice just not to fill it in, no harm done etc...the school shouldn't be asking for it in the first place without a robust and detailed privacy policy in place.

The trouble is, it will generally be the least well-educated and informed people that just hand data like this over unquestioningly. These individuals are much more likely to come from poorer households, so its stuff like this that has a disproportionately adverse impact on the poorer and less well-educated sections of society and that's really not ok.

OP, you are absolutely right to challenge this.

I don't buy the advice just not to fill it in, no harm done etc...the school shouldn't be asking for it in the first place without a robust and detailed privacy policy in place.

Unless you know the school that the OP is referring to, you can't know whether they have this or not.
Most schools have a data protection policy - which is available on request. The OP has not said she has asked for this, nor whether it is robust and detailed.

Op has already stated that there is just a disclaimer at the bottom of the form, no mention of any privacy policy or how the data will be used.

Even if it did, I have yet to see a privacy policy emanating from any part of the public sector that comes close to passing muster.

I'd bet my boots that the school's 'privacy policy' is just a restatement of the DPA, not actual details of how the school sells uses data.

What evidence do you have that schools are selling parents data?

And to whom?

It is not necessary to reference the school policy on every document - if the schol is collecting data, is it handled in line with the school policy, unless the data collection form says it will be handled otherwise.

I have yet to see a privacy policy emanating from any part of the public sector that comes close to passing muster.

If you want to see some good practice in the public sector, then check out the policies (including training requirements) put in place by those schools, and councils, that have been investigated by the Information Commissioner over the last couple of years.
They are an excellent example of closing the stable door after the horse has bolted - but hopefully, other organisations will eventually learn from the experience of the few.

Pippa please don't feel schools are trying to make parents with less money feel crap, the PP money makes such a difference in schools. I get where you're coming from but please don't let it make you feel like that.

This is exactly what schools are desperate to avoid - the stigma that parents feel is attached to their child for being entitled to FSM. I wonder how many millions of pounds remain in the government's coffers that schools could make such great use of but for this.

Thanks, it's difficult not to let things like this bother you though, when you feel like your personal circumstances are everyone else's business already.

When you're on benefits you get all sorts of intrusive crap to deal with, much of which is necessary but some isn't. Like random 'checking up' phone calls asking you how much is in your bank account, whether you have any savings, how much is in your sodding paypal account, FGS. Because apparently people don't always declare that.

And you end up crying at the tills in Sainsburys because someone is nice to you about having to call someone over, to make sure you're not cheating with your effing milk tokens.

So for some people, yes, this would make them feel bad. I have a child on PP. If I didn't claim it, or know about it, or understand it, and got a letter like this, I would not return the form.

I don't think the point is that they will use the data for other purposes, but that it can be stolen and used for other purposes. How do they keep it? Are they keeping it securely? Public organisations are very bad at keeping personal data secure and many have been fined by the ICO.

It is a breach of the DPA to ask for data you don't need. You know that 100% of your parents don't qualify for pupil premium. So it would be better to say "if you think you may qualify, please fill in this form". Then you are not holding disproportionate amounts of data for those parents who don't qualify (I can't see another reason why a school could ever need someone's NI number but it is golddust for someone wanting to commit ID theft).

As for everyone in a school being DBS checked what difference does that make? All DBS checks mean is you've not been caught yet. I thought people had realised that they are no guarantee of a good character!

I have looked at the extensive policies on the school website. The does not appear to be any kind of policy regarding data retention or privacy.

Whilst I have nothing to hide, I object to the school/council being able to check mine and my husbands employment history and pay for the last 6 years (as this is what I understand qualifies you for FSM) and, as far as I know, hold this information indefinitely and check at any time in the future.

I mention the data protection act as there is no mention of the protection of my data in the letter.

I have also been thinking about this. Wouldnt it be better for FSM/PP entitlement to be based on parents claiming universal credit and applied directly to the school through this?