Tell the Minister for Education: NO to POD

Please join 397 other parents and families in writing to the Minister for Education to protect every school-aged child’s right to privacy and future identity security. Tell Minister O’Sullivan that the Department of Education’s plans for the new Primary Online Database (POD) should be scrapped.

Add your name, email address and any comments below and the following email will go off on your behalf to the Minister to make your voice heard.

  • Dear Minister O’Sullivan:

    I write to you regarding the Department of Education’s planned rollout of the new Primary Online Database (POD). I call on you to withdraw this system until the legitimate issues raised by parents and the wider public can be addressed:

    • It is unacceptable for your Department to gather sensitive, private data on every individual primary school child, including their racial profile, psychological assessments, special needs, religion, and PPS number, and store it until they are at least 30 years of age;
    • It is deeply worrying that school staff will be able to enter comments on any child into a system so poorly secured that the Department cannot guarantee who will be able to access them;
    • It is unrealistic to expect school staff to transfer this highly sensitive data to the Department of Education using a 17-step process so complex its been called ‘damn near unusable’;
    • When parents decline to have their children’s information unlawfully transferred to the POD database, it is outrageous to tell teachers to just go ahead and enter it anyway;
    • It is education extortion to threaten to remove funding and teacher allocations for children whose parents have made the decision not to enter their children’s details.

    The Department may not simply ignore citizen’s data protection rights and legal protections, even when those citizens are children. Please scrap this POD scheme in the best interests of every school child in Ireland.

  • Please add any other comments you would like to be included in your letter:
  • Yours Sincerely,

  • This field is for validation purposes and should be left unchanged.
Posted in Education | Tagged , ,

Minister for Education: We will forget nothing, learn nothing

About two weeks ago, as letters started to arrive home in children’s lunchboxes, parents started raising issues with the Department of Education’s project to take children’s data (racial, psychological assessment, special needs, religion, PPS number and so on) and store it until they were 30.

Here’s the post setting out the inital issues I had with the plan.

This is a long post, but it is about the future security of children’s identity. Please read it and then take a moment to do something to change this plan.

Please, contact your school and warn them about the Data Protection breaches that they could be held liable for if they comply with the Department’s demands. Then, please contact Minister Jan O’Sullivan by email Minister@education.gov.ie and tell her you want her to stop this project and why. Use any and all of the above points, or some of your own.

And finally, please contact the Office of the Data Protection Commissioner and let her know that you aren’t happy about the proposed creation of a slap-dash, ill considered, record of your child and you think she needs to act to stop it from happening.

Data Protection Commissioner: Not as happy as claimed

Unfortunately, the Minister has responded by denying there are any problems, saying she’d look at the retention period, then saying she’d looked at it and was sure again it was needed because the Department wanted to have ‘full maximum data’.

Minister O’Sullivan also managed to call into question independence of the new Data Protection Commissioner, by announcing “that office is satisfied with what we are doing” and “the 30th birthday is probably appropriate and it satisfies the Data Commissioner as well”.

On the face of it, the Commissioner’s regulatory role was being undermined by a Government Minister preempting the outcome of any complaint by asserting the opinion of the Commissioner before any complaint had even been ruled on.

It was reassuring to read today’s interview, therefore, with Helen Dixon, the new Data Protection Commissioner. Contrary to the Minister’s assertions earlier in the week, the Commissioner did not seem to be ‘fully satisfied’ with the Department’s plans. She said;

“it seems to be the case that there’s an inadequate explanation of why they need it and why they need to hold it for as long as they are holding it.”

(This might seem like a minor point, but in fact, in EU law, the independence of Data Protection Commissioners is considered a very Big Deal. So much so that the EU Commission has repeatedly sued member states whose Governments act to undermine that independence. After the most recent such case Commission -v- Hungary, the EU Justice Commissioner and Vice President of the Commission, Viviane Reding issued a strong warning;

The independence of national data protection authorities is the very cornerstone of guaranteeing effective data protection rights for our citizens. Lack of independence means lack of effective supervision and oversight, and a lowering of the level of data protection. The Commission has intervened three times with infringement cases against Member States to stop such incursions on the independence of data protection watchdogs. I will not hesitate to intervene again if necessary.” )

Defund your child’s education if you object

In correspondence with individual parents, the Minister’s Office and the Department have taken another tack.

The Minister is threatening to defund the education of any child whose parents object to their data being hoovered up into this database. 

Personally, I think it’s a pretty low road for the person responsible for children’s education to try to hold them to ransom for the sake of an administrative hobby horse of her Department. Here’s the Minister’s Personal Private secretary, finishing off a letter to a parent who had raised serious and detailed concerns that the entire POD database plan was illegal under Data Protection law with the most basic of coercive threats.

1421821095.jpg

“If you do not consent to your child’s data being entered on POD then you should inform your school in writing that you do not wish to have your child’s information entered on POD, however from 2016/2017 this may have funding and teacher allocation implications for your school”

Similarly, when I wrote to complain, I got an even less varnished version of this threat to defund any child’s education whose parents objected to POD.

Offical's threat

 

Just take the data with or without consent

As if those threats weren’t objectionable enough, it turned out that the Department had come up with a fallback plan. In their FAQ to teachers, they told them that if any parent did dare to refuse to allow their children’s data to go into POD, the teachers were to ignore their data preferences and just upload it anyway.

Screw parents wishes we wanna

Retention period: Until the child is 30, and then some

Let’s go back to that retention period. It’s set out in Circular 0017/2014, which is closest thing we have to an administrative law underpinning this entire scheme. It says;

The Department will retain personal data in categories 1 and 2 for each pupil on POD for the longer of either the period up to the pupil’s 30th Birthday and subject to review thereafter or for a period of ten years since the student was last enrolled in a primary school.

As very few 20 year olds are to be found still enrolled in primary school, we can take it that the plan is to keep the data at least until the pupil is 30 and then it will be ‘subject to review thereafter’. In other words, there is no commitment to remove this data, ever.

This open-ended retention period, by the way, doesn’t meet the requirement by the Data Protection Acts for notifying the data subject how long the data will be held for or for what purpose (data subject here being parents and then, when they become adults, the pupils themselves). Certainly, any Government department whose Minister is willing to define the criteria for retention as ‘in order to ensure that we have full maximum data’ doesn’t seem like the kind of institution to wipe any data from its system voluntarily.

The Circular is also clear that all this data ‘will’, not ‘may’, be kept. This is an important point, because, under pressure from questions, the department has suggested that maybe they will think about keeping some of the data in an anonymised form after children leave school (and, more urgently, until journalists stop asking questions). But in fact, the Circular short-circuits all of that discussion.

Together, Category 1 and Category 2 data is all of the data the Department is collecting- names, PPS numbers, address, mother’s maiden name, religion, ethnicity, psychological assessments, special needs, the whole shebang- being kept until the citizen is, at the earliest, 30 years of age.

This is explicitly not anonymised or aggregated data.

Security of the data

This is going to get a little bit technical, so stick with me here. Firstly, let’s look at how schools are meant to get this spectacularly rich and sensitive dataset on the nation’s children to the Department of Education. They can fill the data in directly into the webform, which does connect with a secure HTTPS line. Unfortunately, the form won’t let them do many of the things you might expect to come up, like save an entry with only some of the required data filled in.

So, anticipating that the HTTPS option wouldn’t be too popular, the Department has come up with a plan for schools to fill in the data offline, into a Microsoft Office document, and then to encrypt that file using the same encryption system Edward Snowden used to communicate with journalists (GPG) and to then email them that encrypted file.

If you started to make a worried face in the second half of that sentence, that means you’ve probably already encountered trying to use GPG encryption. Here’s Arne Padmos, lecturer with the University of Rotterdam, giving his recent talk “Why is GPG ‘damn near unusable’?” to a group of computer security experts.

But not to worry, the Department told schools that they would produce ‘detailed instructions’ on how to use it. No training, mind, but a handy Word document they could refer to. You can read it all here. Some sample screenshots, to give you a feel for it;

Screenshots of the encryption instructions

 

As you can see, there is no way that this could go wrong.

Unfortunately, the Department’s focus on keeping this data encrypted in transit pays no attention to the fact that the original data file will remain unencrypted and sitting on the school computer.

Furthermore, the Department decided they would allow the POD data to be automatically copied out and synchronised with the school’s own database. So, no matter how secure the data is getting to the POD, it will then automatically, and by design, be copied out into another database that sits outside the Department’s control or audit.

This is so strange an idea, I’ll show you the bit in their documents where they chat away about it with no mention of security implications, just so you believe me.

Screenshot_2015-01-25_11_53_38So, just to keep count, the list of people with access to this data on children is now;

The Department of Education (for purposes which include statistics, but also funding of children’s education and other, non-specified uses), all the public bodies they intend to share this data with at the moment (the current non-exhaustive list is the Department of Enterprise and Employment, the Department of Social Protection, The CSO, The Child and Family Agency and, apparently, the Revenue Commissioners), everyone in any school with access to either the POD database or their own internal database and any contractors who provide the technical support for those databases.

I could go on and on, but this post is already too long to expect anyone to have reached the bottom here.

I could point out that holding a permanent record that doesn’t allow families and children to declare their ethnicity to be Black and Irish is insulting and backward. I could point out that having a free text Notes field where school staff can write anything they want about a pupil and have it stored, for reference, until that pupil is an adult active in society is a invitation for abuse. The threat of something going on a child’s Permanent Record has never been so real.

You can stop this

I think the main point is clear. This project is a mess. It must not go on as it is. But the Minister and her Department have made clear that they will not budge unless forced to do so.

So, please, contact your school and warn them about the Data Protection breaches that they could be held liable for if they comply with the Department’s demands. Then, please contact Minister Jan O’Sullivan by email Minister@education.gov.ie and tell her you want her to stop this project and why. Use any and all of the above points, or some of your own.

And finally, please contact the Office of the Data Protection Commissioner and let her know that you aren’t happy about the proposed creation of a slap-dash, ill considered, record of your child and you think she needs to act to stop it from happening.

Posted in General | Tagged , ,

Unanswered legal problems with the Government’s new database of children

Database Teddies

The Department of Education is building a database of Ireland’s children. It’s called the Primary Online Database and, currently, its intention is to collect a full profile of data on all the children in education and to store that data until they turn 30. Yes, 30.

They started last September 2014, taking data from schools directly, rather than asking parents in almost all cases. Now the department is sending home letters to parents about the database, baldly telling parents that they’re taking their child’s data.

___

UPDATE: See my follow-up post with lots of  the extra problems identified with the Minister’s POD plan
UPDATE 2: NEW! A simple web form to tell the Minister that this is a bad idea. Sign it and share it!
___

The Department is collecting data, including sensitive data such as medical information, whether the children have psychological assessments, religious and racial characteristics on children. This is something that requires careful planning to be done correctly. As the Irish Water debacle showed, an organisation can destroy public trust by careless information governance and ill-considered data demands. And any database that contains such critically sensitive data about all the citizens and residents of the state who are under 30 needs very significant and broadly based support.

This database, if leaked or misused, would compromise the identity security of every young person in the entire country. It would provide a treasure trove for blackmailers or identity thieves. It’s precisely because this sort of data is so red-hot radioactive that the Census data- the only collection comparable to this proposed datagrab- is given special legislative protections in the Statistics Act 1993.

Regrettably, it seems the Department of Education has not learned anything from the recent past. I contacted the department on the 6th January to set out some Data Protection concerns with the database. I followed this up with more than one telephone conversation. I received no written reply by the 20th January so I then made a formal complaint to the Data Protection Commissioner.

In that complaint I made the following points;

1/ Section 2(1)(c) of the Data Protection Acts (referred to hereunder as DPA) sets out the principle that data should be obtained for “one or more specified, explicit and legitimate purposes”. Children’s data was obtained from parents by their schools for specific, legitimate, internal school purposes. The Department is seeking to take that data from the school, under threat to its continued funding, and use it for different radically different purposes, none of which were specified at the time the school obtained the child’s data, or or necessary for those internal uses. This is not legitimate.

2/ In addition, the Department’s Letter to Parents states that it is the Department’s intention to store children’s data in the Primary Online Database until they reach the age of 30.

To me, this appears to be self-evidently an excessive retention period. Data may only be stored for as long as is required for the purpose for which it is collected. (per Section 2 (1)(c)(iv) DPA)

As all the purposes of this database are related to children’s primary school experiences, retention for decades after that experience ends will be a breach of the data protection acts, and contrary to Data Protection principles.

3/ I have very significant concerns about the data relating to children proposed by the Department to be obtained, processed, shared and retained until the age of 30. The material describing the contents of the POD database sets out data which is clearly sensitive personal data per the definition at Section 1 DPA.

In particular, the data fields;

Learning Support

Is the pupil in receipt of low incidence support through NCSE? (drop-down list)
Yes
No

Is pupil receiving support under the General Allocation Model? (drop-down list)
Yes
No

EAL (tick-box)
Specific Learning Disability (tick-box)
Learning Support (tick-box)
Mild/Borderline Mild GLD Resource Teaching
(tick-box)

Does the child have a psychological or medical assessment report which recommends provision of an additional teaching resource ? (drop-down
list)
Yes
No”

represent sensitive personal data as it relates to “the physical or mental health or condition or sexual life of the data subject,”.

However, the Department is proceeding on the assertion that all this data is ‘non-sensitive’ data and does not require parental consent for processing.

Furthermore, the database includes a free text “Notes” tab.

“Notes about a pupil may be entered into the ‘Notes’ tab. At present, notes entered here can be seen by Department of Education staff”

(per P 10 of the Instruction Manual on the POD. The existence of this data field is not notified to parents in any notice addressed to them. )

There is no way for this data to be obtained or retained in compliance with the DPA, as there is no description or limits on what notes may be added to each child’s entry into the database- whether sensitive, relevant, necessary or appropriate. Whether the data is routinely accessed by the Department is irrelevant as it is being retained by the Dept and is accessible to any departmental user with Administrator status.

Furthermore it is not unknown for children to change schools precisely to obtain a fresh start, and it is unsatisfactory that the unlimited and unmonitored notes by staff of one institution would be transferred to the new school, colouring that school’s opinion of the child before they had even started.

4/ The Department of Education’s use case statement which may be accessed on the Department of Social Protections own website does not include the proposed use of children’s PPSNs as described in the Department’s letter to parents regarding this database.

From the records available to me, the proposed use case the Department’s letter describes has not been notified to the Department of Social Welfare and, therefore, has not been agreed with the Minister, as required under S 262(4) and Sec 262(6) of the Social Welfare Consolidation Act 2005.

In the absence of such consent a child’s school would be in breach of the data protection acts were they to transfer his or her PPSN data to the Department as a new Data Controller.


5/ I note that by letter dated 15th January the Minister for Education’s private secretary wrote to parents who have complained about this database and told them that;

“If you do not consent to your child’s data being entered on POD then you should inform your school in writing that you do not wish to have your child’s information entered on POD, however from 2016/2017 this may have funding and teacher allocation implications for your school going forward”

This threat effectively negates any consent that might be given, as it is clearly represents a coercive effort to force consent in the face of the defunding of their child’s education. In addition, the threat to partially defund a school on the basis of purely automatic processing of data in a database it represents a breach of
Section 6B of the DPA,

“a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him”

To read more about how this database is being implemented in a way to undermine trust and effectiveness, take a look at data protection expert Daragh O’Brien’s two posts on the subject, here and here. Those posts give context to this ill-conceived project, by showing how and why the State consistently fails to respect citizens’ data rights.

If you agree with my points, please do contact your child’s school and let them know that you don’t give consent to your child’s data being entered onto POD, and let the Minister for Education, Jan O’Sullivan TD know your concerns about her plan by email minister@education.gov.ie and/or make a complaint to the Data Protection Commissioner’s office (details here) if you have no satisfactory outcome from your contacts.

Photo: Database Teddies by Linda Hartley

Posted in General | Tagged , ,

Private phone messaging apps compared

Recently, for reasons, I had occasion to examine the current state of the market for encrypted messaging apps on phones. Tested: Wickr, BBM, Threema, Confide, Cyber Dust, Cyphr, Telegram. Thoughts to follow: (Notes: -All of these apps start off wanting access to your contacts. You should always say no and invite the people you do want to communicate with manually. -I have no way to check the cryptographic reliability of any of the below apps. So, one could be a …

Continue Reading »

Posted in General | Tagged

Thoughts on Ireland’s new Surveillance Order

Some tiny Saturday thoughts on today’s Page 1 scoop by Karlin Lillington re the state’s creation of a new statutory framework for secret Ministerial surveillance orders and, quite seriously, for FISA-style secret court hearings. 1) The Minister has activated a law that has been overtaken by events. 2) The Department of Justice has claimed the SI was signed to comply with EU treaty obligations. 3) But since 2008, when the law was drafted, EU law has been transformed in its …

Continue Reading »

Posted in General | Tagged

Have Uber delete their records of you using Data Protection law

Send Uber a message that requires them, under Data Protection law to delete your data, when you delete their app.

Continue Reading »

Posted in General | Tagged ,

Water and Power

Self-organised, decentralised political movements were once the stuff of science fiction and political theory. Now, the phones in people’s pockets give everyone the chance to voice, bear witness, organise and persuade.

Continue Reading »

Posted in General |

Apple Watch, HealthKit & the meaning of normal

The coming smartwatch data flood is going to pose a challenge for doctors to assess.

Continue Reading »

Posted in General | Tagged , ,

The BAI, Mooney and the struggle to control the Internet

A few weeks ago the Broadcasting Authority of Ireland issued a decision in response to a complaint by Mr. Dónal O’Sullivan-Latchford on behalf of the Family and Media Association. He had complained about an episode of the Mooney Show on RTE Radio One which had featured a discussion with a gay man about his life and relationships, together with a member of GLEN who explained the current legal choices for gay people in relationships. The complainant claims that same-sex marriage …

Continue Reading »

Posted in General | Tagged , , , , ,

Why I’m not a Progressive

I struggled with the title for this post. What I really wanted to call it was “You are not a Progressive”. I’ve compromised on this impulse to tell people that their beliefs are just wrong. But you can’t be a Progressive, in the current political sense of the word, because there is no such thing as historical Progress. Progress is a journey, travelling towards a predetermined destination. But things do not gradually get better over time, moving towards a pre-destined …

Continue Reading »

Posted in Irish Politics | Tagged