Don’t be extraordinary - why being boring may be the only way UK state school pupils can protect their privacy
Large institutions tend to focus internally, with minimal regard to the external environment. Open Data becoming institutionalised is not different, and as a leading edge country in opening data, the UK is making the predictable mistakes first:
The UK’s Department for Education (DfE) is currently considering opening data from the National Pupil Database. At a preparation event for this initiative, at which some data was released for use in an ‘appathon’, one participant believed he had identified himself in the dataset, because of a high grade in an uncommon subject. The DfE has claimed that this identification relied on the student’s private knowledge of exam results, yet they simultaneously acknowledge that schools often publish exam results in local newspapers. Sometimes, results are published by name - so it is in fact entirely possible that information in the public domain could allow others to identify fully from the NPD data, and students know a great deal about their classmates. For a student who doesn’t want all details of his or her school history to become known to strangers or future employers (after all, people usually include their exam results on CVs), this is a frightening prospect.
The implied claim from the DfE is that a pupil who wants to protect his or her privacy should simply strive not to stand out. Don’t be smart, don’t be extraordinary, don’t be unusual, don’t be talented, in short, don’t be different. The government won’t protect your academic records, but if you succeed in being completely average, it will at least be difficult for anyone to find you. This is not acceptable. But sadly it is what we have come to expect from the DfE and all the other government departments that see each individual as only a row in a database. Organisationally, the DfE deals in abstraction, process and generically applied rules - but unfortunately open data releases tend to reveal the fault lines in these kinds of assumptions. The UK’s privacy regulator, the Information Commissioner’s Office (ICO), failed to address this issue in its draft Code of Practice and the final Code (due to be published next week) will be a failure if this deficit is not addressed.
The National Pupil Database is not the only cause for concern in the UK at the moment; the National Health Service is also looking to open up patients’ medical records. While health data can be extremely useful for research purposes, an informed debate involving multiple stakeholders is still desperately needed. Tim Kelsey, the National Director for Patients and Information in the National Health Service, who is planning to open up NHS patients records without consent and with minimal consultation, is ignoring our requests for a meeting.
Privacy International believes that when the use of a service is effectively mandatory, there should be a presumption that record level data will not be released as open data without an independent and comprehensive review and understanding of institutional processes. UK Government consultations on potential open data releases should be aimed at a broad range of participants over the full twelve-week standard consultation time period. What we are seeing instead, at least in the case of the National Pupil Database, is a consultation slipped out in the notoriously quiet six-week run up to Christmas (we need your help on that)