Higher Education and Research Bill
Written evidence submitted by defenddigitalme (HERB 39)
Higher Education and Research Bill
Defenddigitalme is a volunteer non-profit campaign group for children’s privacy rights formed in 2015 in response to concerns from parents and privacy advocates about increasingly invasive uses of children’s personal data. More information: ’
• stop giving out identifiable personal data to commercial third parties and press without consent
• start telling school staff, pupils, and parents what DfE does with individuals’ personal data
• be transparent about policy and practice
We broadly support use of the data for public benefit derived from academic research and the principles of the UCAS release. But vague definitions and open wording should be careful to avoid future unintended and avoidable outcomes, avoid any watering down of the current consent model, and safeguard children’s rights in data security and transparency.
2. The Bill which some fear ‘risks the commoditisation of higher education’  must not commoditise children’s personal data and compromise their future. It is insufficient to have safeguards only in guidance 72(5) and upcoming legislation (GDPR) requires attention to processing, consent, the right to revoke it, to access one’s own and seek redress for inaccurate data.
3. Clause 71 as regards data collection: safeguards and oversight are needed for consent and the rights of children to object to uses, aligned with UCAS current policy and practice. Applicants today have a layered consent model to agree who can use their data and for what purposes and can opt out from some purposes:  Their autonomy to control their own personal data will be lost if copies of the dataset are released to the Secretary of State, whose definition of ‘approved’ users and ‘research’ is open to change at will over time, and without safeguards may outstrip the applicants given range of consent. Collection of data for any open ended purposes by the Secretary of State without safeguards of transparency or oversight in Clause 71 (4)(c) research into any other topic approved by the Secretary of State’ should be amended to address this.
4. In Clause 72 on uses, to safeguard the intended benefits of academic research using the knowledge in these data, one must not only promote, but be seen to promote public trust  , good handling, and guard against risks of giving away sensitive data. Current plans foresee copies of the 700,000 applicants’ full dataset will be passed on regularly by UCAS.
5. Firstly, this will give access to data for the purposes of public benefit research purposes by trained and accredited academic approved users in so-called ‘safe settings’ (purpose built rooms without Internet access, secure access systems, accreditation of trained users, no phones policy, and similar processes) using deidentified data. The current partner is the ADRN where research must be for non-commercial purposes, and demonstrate clear scientific merit and potential public benefit. 
6. Opening Applicant Data for extraction by the Secretary of State and use across Government [by dint of the Digital Economy Bill] may be intended to provide data on social mobility  , but it will also enable access to a more joined-up dataset, a lifetime of personal confidential identifiable data from 2 years of age into work after Higher Education, including datasets in HMRC, DWP, and The UK Department for Business, Energy & Industrial Strategy (BEIS)  , from millions of individuals going back to 2007 and going forward in perpetuity. Data will never be deleted, and may be used indefinitely or see its scope changed, without any sunset clause.
In addition however, purposes could be quite different. In parallel policy and process the
Secretary of State will have a full copy of identifiable data without indication in the Bill how it could be used at their discretion, under what safeguards and in perpetuity. Clause 72 (6) says "Qualifying research" has the same meaning as in section 71, which means the Clause 71 (4)(c) research into any other topic approved by the Secretary of State’. Clause 72 should be amended to address this.
8. We suggest considering the history of legislation since 2000, scope creep, and current issues in the National Pupil Database (NPD) in making change to how Applicants data will be used in future. Legislative purposes of "conducting research or analysis, producing statistics or providing information, advice or guidance" have meant children’s personal data collected in schools in England has been commoditised , and privacy compromised by the State being ‘opened up’ in 2012.
To avoid repeating similar legislative changes which have resulted in poor data practices using school pupil data in England age 2-19, we would like to ask the Committee to consider whether the intent of the Bill is to give out identifiable confidential data of young people, potentially under 18, for commercial use? Or press and charities access? For unfettered access by government departments and agencies without transparent oversight such as police and Home Office? These are today’s uses by third-parties
of school children’s identifiable and sensitive data from the NPD.
10. It is against this backdrop of past legislation, their current unforeseen impact, and future legislative and technological change and scope, that the importance of these two small clauses 71 and 72 must not be lost in the whole bigger Bill.
Powers of Secretary of State to obtain information or advice, clauses 71 Power to require application-to-acceptance data and 72 Use of application-to-acceptance data for research purposes. 
11. We respond with a submission in follow up to the evidence session on September 6, 2016. We broadly support the principles in the UCAS amendments around students data and academic research for public benefit. We note the request from Which ? to ensure more organisations like them are given access to a ‘rich dataset’. And we heard an important question whether young people have sufficient information to help them as prospective students make life choices.
12. It is rarely asked, what information do Applicants and young people actually want and need, versus what Data Processors and Data Consultancy firms would like to be able to offer them as a service? It is simplistic to assume more data equals better knowledge. Today’s Applicants have a lifetime ahead increasingly entwined with technology in the Internet of Things, and sensors on every corner of smart cities using their digital identity. Decisions made about their data and using their data, affect who has what degree of control and influence over young people. We urge balance considering the views of commercial operations and charities who profit from using data.
13. We have interviewed students about similar legislation which opened up their identifiable school data, and has resulted in what many students today see as misuse of their confidential personal data, by commercial companies and journalists for ranking, comparison websites and reports young people find unnecessary. Measures of public acceptance for data use in bona fide academic research in the public interest, and differences in the levels of trust that people attribute to different settings and organisations , were made in The Royal Statistical Society’s Data Trust Deficit, with Lessons for Policy Makers  
14. Taking the National Pupil Database as a case study, While data have been used by academic researchers in the public interest through the ADRN for example, sensitive i   School children’s confidential records have been copied into an ever growing state database of 20 million  named individuals. Identifiable personal data has been handed out over 650 times since 2012 and in July 2015, no data recipient had ever been audited. If conditions had been met for the legal processing of sensitive data was unknown  .  Guide, 2015)  . 
15. The Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009 (Amended 2013) grants access to pupil data to persons who, for the purpose of promoting the education or well-being of children in England are- (i) conducting research or analysis, (ii) producing statistics, or (iii) providing information, advice or guidance, and who require individual pupil information for that purpose. Similar open ended wording in this Bill risks the same outcome.
16. how freely and with what oversight the Secretary of State can define existing, or designate new ‘approved’ users or bodies and purposes of ‘qualifying research’.
17. The forthcoming Digital Economy Bill 2016 will still further expand who may have access to all those confidential datasets across government and public bodies, and for what purposes individuals’ personal data may be used, and the draft bill includes provision for Student Loans providers access to student data, and on Debt recovery, to single out just two.
18. mendments are needed to ensure that the public benefit intent of the Bill is deliverable without putting young people's privacy and public trust at risk today, or in the future. Children’s data becomes adults’ data, and builds a population-wide database over time. In framing safeguards it may be helpful to think not as Applicant data, but for what purposes or organisation and with what oversight committee members would like their own personal data used.
19. Changes in data legislation, must thoroughly understand and account for advancement in data science and today’s machine-made decisions using big datasets and interventions with individuals which can result. It should give thought to what opportunity data subjects have to see their own data and correct inaccuracies, as data are increasingly used ‘behind the scenes’ negatively affecting the knowledge-balance and relationship of trust between provider, State and individual.
20. Public trust in academic public interest research use of their personal data and trust in government use of data are quite different.  In UCAS own research only 3% of students had low trust levels in UCAS , but over a quarter of surveyed students demonstrated a low level of trust in government at 26%.  The Royal Statistical Society work on the Data Trust Deficit with lessons for policymakers found similar. 
21. Providing the public ways to access copies of their own data (Subject Access Request) and the publication of Transparency Registers or personal reports to list all releases of data (showing how data have been used) can also demonstrate the public benefit intended from that use and foster trust. Academic public interest application for data uses in safe settings are published by the Administrative Data Research Network (ADRN)  the current UCAS research third party. Uses of the Government copy of the database would by contrast be used without oversight and carried out in secret.
22. The current transparency tool at the Department for Education, the  A ata, to the Cabinet Office, 
A. children under 18, including foreign nationals living abroad.
B. consent children’s data processing, right to opt out of secondary uses, revoke consent, Subject Access Request
C. Collection requirements for defined purposes and fair processing and the research exemption
23. he Bill covers all applicants including those not admitted to higher education at the end of the application process. This means the personal confidential data from people will be aged 17 and, less commonly, even younger at the time of application, and include foreign nationals living abroad.
24. T he age of the data subjects matters when considering children’s data protection and privacy rights under UK law and the future European General Data Protection Regulation (EUGDPR), Human Rights law, and with regard to children’s consent, and how this may affect the legal application and use of data and for what purposes.
25. A question should be asked, whether our State database copy should include the identifiable personal data of foreign nationals living abroad, regardless of whether they take up the place or not, to be stored and shared in perpetuity?
26. Applicants can ’t opt out on collection of UCAS sharing their data during admissions purposes, for regulatory or statutory purposes, or for public interest academic research (currently explicitly and only with the ADRN):
"We also share personal information from your application with University of Essex for use through the Administrative Data Research Network (ADRN), including linking to other data sets, for as long as is necessary to enable research about higher education, where there is a potential public benefit. Data is only made available for approved non-commercial research projects. Your data is only made available through the secure access provided by the ADRN and researchers can only access your data once your identifying details, such as name and date of birth are removed." 
However there is a nuanced consent process for other third party purposes which must be respected by all uses of the data after collection. A
have the option to consent or opt out separately from data use for other purposes:
• With universities and colleges if students are unplaced
• With the Student Loans Company
• With third parties such as banks and insurance companies
• Additionally, applicants can opt to receive targeted mailings or products from UCAS Media Ltd on behalf of selected companies and organisations offering services to students. UCAS do not share applicants’ personal data with these organisations .
• Applicants opting to receive these mailings can choose separately whether to receive information about careers, education and health issues as distinct from commercial marketing information.
• Applicants can also opt out of receiving information at any time.
28. If the government held copy of the database is going to be used for anything of the above choices, such as with the Student Loans Company (see point on the Digital Economy Bill), then applicants consent choices must be respected. The Secretary of the State and its designated approved parties must respect these uses. "Qualifying research" is so open as to be meaningless. Is applicant data from children to be used by any public body or commercial third to find interesting things, interesting group characteristics, or interesting individual characters  ? Clause 71 (4)(c) research into any other topic approved by the Secretary of State’ should be amended to address this.
29. There is no current consent model that enables this linkage or opt out across multiple datasets of lifetime data . Research purposes cannot be used as an exemption for just "anything else" as loosely defined as ‘in the public interest’. These data are given in trust to the receiving institutions for the purposes that are communicated to the data subject and those they expect at the time of collection. Learning from what has happened to pupil data should show why wording matters.
30. UCAS respects the Data Protection Act 1998 and caters to the upcoming EUGDPR legislation (Article 7(3) of the GDPR which gives data subjects the right to withdraw consent at any time and requires "it shall be as easy to withdraw consent as to give it ." How will the State enable the right to prevent sharing with the very bodies which students have already said no in the original provision to UCAS and how will scope creep prevent the unfettered expansion of these uses in future?
31. contraven Google Spain  
32. What happens to consent when the policy or the law changes retrospectively? We ask you to consider school pupil data as a case study of how data given for one purpose in the past, has become used for very different purposes and by very different recipients over time. Consent has been ignored. small number of technical staff engaged in collating the pupil level data and creating the profiles have access to pupils' UPNs and names. Analysts in the Department and partner agencies ( Ofsted , QCA and LSC) have access to anonymised profiles for use for statistical purposes only.  If legislation permits this, it is almost inevitable.
33.   
35. Given the age of many of the students using UCAS services, protecting their data and maintaining their trust is critical and they are minors in law. How their data will be held, managed, and used for research when it accessed via the ADRN (the current named UCAS trusted third-party in the applicant consent form) is communicated to students, and sets their expectations. An equal level of assurance must be offered to students in relation to the supply of data to the government and whomever the Secretary of State requires UCAS to provide data to. This is essential to maintaining confidence and trust in UCAS’ admissions services.
38. Clause 72 (2)(b) must be amended on the face of the Bill because while it is intended to ensure that no individual to whom the information obtained under section 71 relates may be identified from the publication, it does not prevent their identification from release or data use by third parties. Data passed about will be identifiable individual level personal data. The phrase ‘Publishing’ data, is generally considered synonymous with making public. Privacy is engaged at the point of release from the Data Controller, in this case if the Secretary of State database copy releases any data to a third party (use The Telegraph as a past example from the National Pupil Database) an individual might feel their privacy had been compromised, but the government Department use would describe the data as ‘unpublished’ and be permitted by the legislation. This wording of Clause 72 (3) (a) and (b) allow unlimited copying and passing of data between any "approved person" or body approved by the Secretary of State.
39. Clause 72 (4) appears intended to prescribe limits on the onward sharing by approved researchers and approved bodies to others. However, it makes no reference to restrict an approved body from providing information obtained under section 71 to third parties who are (a) not another approved researcher or (b) another approved body. Without amendment this clause would leave wording that might allow approved researchers and bodies to pass to anyone else, who is not ‘approved’.
40. Identifiable data are being used to link multiple databases together for research, and for other government purposes. Current government policy and practice is to join up and use longitudinal data, from across children’s lifetime (age 2-19) from the National Pupil Database (NPD) to the Higher Education data, and with further lifetime datasets, HMRC and DWP data, under the auspices of ‘destinations’ data. This Applicant Data will fill the gap in the middle for some. This will affect every adult in the country who has studied in England’s higher education using the UCAS system backdated since 2007.
41. At the moment in clause 72 (3b) the Secretary of State may designate other approved persons at will, "an individual approved by the Secretary of State" which enlarges the scope of who can use data, or the Secretary of State can change for what purposes data may be used; "Qualifying research".
42. While 72 (2b) the Secretary of State or an approved person may not identify individuals through publishing the product of research conducted using information, this does not limit the identification by the Secretary of State, or anyone they approve, using the identifiable data. For individuals, the fact that someone like the Secretary of State or another government agency could view their identifiable data, would for many be considered a breach of privacy and not the purposes for which the person gave their data to the Admissions process, even if ‘public benefit’ was in their consented purposes.
43. The intention of UCAS is to share data with researchers via the ADRN, which through its own processes and safeguards ensures that research is intended to have a public benefit. If the Secretary of State designates other approved persons how do we ensure that applicants’ data is only used for public benefit purposes and what those purposes will be and its limits?
44. Since 2012 the Department for Education has approved releases to Police (31) and Home Office (20) (Back Office uses). They have failed to publish these uses in the third party register. If now Applicant data in the Secretary of State’s copy is used for these purposes how will Parliament or public know, and trust that it is being used for the right reasons, when necessary and proportionate?
45. If yes, there should be consideration given to this because it will in effect create a copy of a large part of the population in a national database for all purposes across government, and outwith UCAS oversight. ( i.e . Schools are very surprised today that pupils’ data is being given from the school census via the National Pupil Database to the Home Office). as been discussion on what rules there may be for government on retention? Once UCAS has released the full dataset annually, will the Secretary of State be able to keep and use it forever?
46. Data policy and practice about children’s confidential data will impinge on principles set out in the United Nations Convention on the Rights of the Child, Article 12, the right to express views and be heard in decisions about them and Article 16 a right to privacy and respect for a child’s family and home life if these data will be used without consent. Similar rights that are included in the common law of confidentiality, Article 8 of the Human Rights Act 1998 incorporating the European Convention on Human Rights Article 8.1 and 8.2 that there shall be no interference by a public authority on the respect of private and family life that is neither necessary or proportionate data must be processed fairly and for limited purposes, relevant and not excessive, and kept securely for no longer than necessary
47.  ‑201/14) October 2015
Public voice and expectations about their personal data entrusted to Government
51. UCAS’s survey of their 2015 UK applican ts , with 37,000 responses, showed the majority of respondents were happy for their data to be shared for research purposes where there is a clear public benefit. The majority of applicants (90 per cent) agreed with the statement that they should be asked before their personal data was provided, over twenty times more than disagreed with that statement (4 per cent).  Interestingly 8% suggested that they would rather share no data at all with UCAS and not apply, than have it shared. In our own discussions with under 35s on the use of their data, it is often those who already feel most marginalised who are in the group most likely to want to maintain control over their data.
54. The report concluded:
D. Ben 26, from Reading:
E. Catherine, 21, from Gloucestershire:
Johann 18, from Paris (completed A-levels in England):
G. Ruby 28, from Newcastle:
60. for public benefit allenges
61. consistent jeopardis ,
63. espondents to the Cabinet Office 2016 consultation, Better Use of Data in Government, "felt strongly that publicly-held data should not be accessed by researchers for commercial or profit-making purposes." 
64.  (Oct 2015) reiterates this across public bodies sharing data. Judgment of the Court of Justice of the European Union (C‑201/14)
65. failure to root human rights in the mainstream of departmental decision-making  , "
66. Consistent safe not necessarily been exploited, but definitely used."
68.  eport
seeking to balance the potential benefits of processing data (some collected many years before and no longer with a clear consent trail) and people ’ s justified privacy concerns will not be straightforward. It is unsatisfactory, however, for the matter to be left unaddressed by Government and without a clear public-policy position set out. The Government should clarify its interpretation of the EU Regulation on the re-use and de anonymisation of personal data, and [… ] strike a transparent and appropriate balance between those benefits and privacy concerns." 
70. ensure that the current consent model is not undermined, and the future public benefit intent of the Bill is deliverable without putting young people's privacy and trust at risk today and forever.
The submission is sent from the coordinator of the children's civil liberties and privacy campaign group defenddigitalme. The coordinator Jen Persson has also been a lay person on the ADRN approvals panel since April 2015. The submission represents strictly the work and opinion on behalf of the campaign group.
 Nick Boles MP, Jan 25th 2016, at the Education Select Committee