Letter to the Data Protection Commissioner
Ms. E. France
Dear Ms. France,
We write on behalf of Action on Rights for Children in Education (ARCH), an organisation whose membership principally consists of parents and children, both at school and home educated. During the last few months we have been contacted by many people expressing concern about the new Connexions service being developed by the DfES. This service, as you may already know, aims to bring together different kinds of provision for teenagers into a "joined-up, one-stop shop" which will offer careers advice and help with any difficulties young people might have in education and the work-place.
Careers services and other agencies which have formerly offered discrete services, such as benefits agencies, youth services, local education authorities, social services departments, health authorities, youth offending teams and the police, are being required to share the information they hold about young people. We are concerned that the principles set out in the Data Protection Act 1998 are not being followed.
We have attempted without success to obtain basic assurances from the DfES about the information held and we now write to you to voice our concerns, in the hope that you will be able to provide the answers we seek. Indeed, we hope that you have already been consulted in the development of Connexions, as it seems to us that it involves difficult areas of competing interests with regard to confidentiality of, and access to, data.
Formerly, young people leaving school were left to decide for themselves the direction their lives took. In making this decision, they could approach careers advisers on a voluntary basis and be sure that those agencies worked within a well developed code of confidentiality. The Connexions scheme is one which advertises a far more pro-active approach and seems to proceed from the need independently to identify young people at risk of becoming "lost" to the system, so that an intervention can take place to prevent this. It seems to us that the only way in which this intervention, unsought as it may be by the data subjects, can be effected is by the assembling of data about them without their knowledge or consent. We do not believe that there is a perceived need for the construction of the rigorous procedures to protect the integrity of personal data that ought to be applied to such a scheme.
Behind the delivery of Connexions services the DfES maintains a national database, and each local provider of services (termed a 'Connexions partnership') is also required to maintain their own database containing personal details about each 13 to 19-year-old in their area. According to guidance issued by the DfES, there will also be regional databases.
As a separate entity there is a "Connexions Card" database, administered by Capita plc under contract to the DfES, which collates information about 16 to 19-year-olds who are using the Connexions Card.
Connexions was introduced in April 2001 without any reference to data protection issues at all. This is all the more surprising as the scheme relies upon the establishment of a multiplicity of databases and the sharing of information between the agencies we have already mentioned. It was only after vigorous protest at a local level, in which we participated, that some guidance was drafted. A copy of this can be found at http://www.dfee.gov.uk/careerpubs/uploads/cp/information_sharing_guidance.doc It is in our view inadequate.
It is our belief that the Connexions scheme was developed by the DfES without thought being given to data protection issues, and it is now being made to fit them. We are aware that some local Connexions providers are struggling to incorporate procedures to ensure that they adhere to data protection principles. We believe that they are right to perceive that this area is problematic, and right in their assessment that the government is providing little or no guidance that assists in identifying the difficulties and ensuring that they are overcome.
Our concern is that, in the absence of a central policy, there may be many other Connexions providers who do not perceive the problems and who are therefore taking no steps, or no adequate steps, to deal with them.
The Connexions scheme is underpinned by powers set out in ss 114 to 121 of the Learning and Skills Act 2000 (LSA 2000), the provisions of which seem to us to conflict with data protection principles. Section 117 purports to empower "a person involved in the provision of services in pursuance of s114(1)" to require to be supplied with data which includes not only the names and addresses of pupils, students and their parents but also any information held by an educational institution about the pupil or student. This would appear to be a blanket provision entitling anyone "involved in the provision of services" to obtain the information without the knowledge of a pupil or her parents. s114(2)(a) provides that arrangements for services may be made "with local authorities and other persons". The question as to whether "a person" in s117 can be from a virtually unlimited class may depend on whether s114(2)(a) can be widely construed or whether the eiusdem generis rule of statutory construction applies to limit it to a person in an analogous position to those employed by local authorities.