|
(Continued from previous page) The circumstances in which the data is sought seem to us to compound the lack of information about how data will be used. Section 117(1)(e) of the LSA 2000 requires educational institutions to permit access by partnerships to young persons at the premises of the educational establishment. We are concerned that young people may actually be asked for information whilst at school in surroundings not conducive to the exercise of individual choice and when they may not be able to consult their parents should they wish to do so. In these cases we do not believe that genuine informed consent is freely given as required by the Data Protection Act 1998. Further, blanket consents purporting to authorise access and use by third parties do not, in our view, satisfy data protection principles. The Connexions Card is a "swipe" card, the advertised purpose of which is that when it is swiped, for example at an attendance at a required activity, a credit is shown against the data subject which leads to a reward. What is not disclosed is that the purpose is also to "track" data subjects. A principal purpose of the databases is to ensure the that all young people between 13 and 19 are "tracked" as is made quite clear in the information supplied to those whose job it is to collect the data; at no time is this even mentioned to the data subjects when they supply data. The national database is a cause for quite separate concern. Dr Stephen Witt, the Head of the Connexions service at the DfES has informed us that it is intended that the national Connexions database will be cross-matched with records from other government operated databases. It is intended that child benefit records will be incorporated to assist in the provision of the 'tracking' system. It seems to us that there is no intention to inform those whose data is so used that this is being done, notwithstanding that the purpose for which the data subjects (in this case the parents) originally supplied the information was for the provision of child benefit and no other. Indeed, it appears that the whole of the national database is being assembled without any involvement or consent from data subjects who are unaware that their data, supplied for a particular purpose, is also being used to build a surveillance system. We know that the DfES is requiring local education authorities (LEAs) to supply it with the details of teenagers with criminal convictions for incorporation into a Connexions database. One LEA confirmed to us that they had been asked for this information but seemed confused as to which database it would be entered into, and unaware of the purpose to which it would be put. If they are not aware, how can the data subject know? Data subjects were not being asked for consent. It therefore seems to us that such sensitive personal data is not being dealt with according to data protection principles set out in the 1998 Act. An issue which is not adequately tackled is the possibility of a conflict of rights of access to information between a data subject and their parents, especially bearing in mind the statutory responsibility of parents for their children's education as set out in s7 Education Act 1996. In line with that, the LSA 2000 draws a line at age 16, as we have already mentioned, with reference to withdrawing consent to access to information set out in s117(2). However, we are aware that some partnerships are applying the Gillick competency test in deciding whether a parent can have access to their child's data even when the child is under 16. It may be that Gillick competency is not a suitable test when dealing with commercial consequences rather than personal ones. In the Gillick situation the child has the benefit of the advice of an impartial professional to assess the ramifications of her action; no equivalent exists in the area we deal with here and the data subject may not receive any advice upon the consequences of allowing access to their data. If advice is given, it is likely to come from the very organisation which has an interest in allowing the widest disclosure. It seems to us that detailed consideration needs to be given to this and that national uniform guidance is issued. It is not clear to us what opportunities are available to young people and their parents to check and correct information. We have seen documents which ask teachers to identify Year 9 pupils whom they believe to be 'at risk' of social exclusion, but there is no mechanism to challenge such potentially stigmatising subjective judgments. In the case of the national database, as there seems to be no provision for reference to data subjects at all, there can be no opportunity for them to know that the information is held let alone to check it. Much is made of the sharing of data but we can find no emphasis being placed upon the responsibility of all those who use data supplied through the Connexions service to check its accuracy for themselves. We have asked for assurances about how long the data is to be held, but none has been forthcoming. This has serious implications for the civil liberty of the data subject as, for the first time, information is being collated into one accessible database which has all the hallmarks of a national identity or surveillance system. Each pupil is already given a unique pupil number under which personal information is held. It seems to us that the purpose for which the information is held is spent once the pupil passes out of education and the data should then be deleted. We are concerned that this has not been confirmed in respect of all databases involved including, and we might say, especially, the central national database. We would very much appreciate your comments and observations on this matter, and look forward to hearing from you. Yours faithfully, Ian Dowty Back to PLASC 2002 - The Whole Story |