Data Protection Commissioner finds POD was, and still is, unlawful

The Data Protection Commissioner’s Office today confirmed that, having investigated the Primary Online Database, they found that parental concerns raised were valid and that, even following changes to the scheme in April, the POD would require further legislation to be lawful. 

Unless that legislation is introduced, schools transferring the requested pupil data to the Department of Education will not have the necessary lawful basis to do so.

The Primary Online Database is the Department of Education and Skills’ project to create a centralised database on all the country’s children.

It was originally grounded on a Departmental Circular of Jan 2014.

Following parental questioning of the legality of the scheme, the Minister for Education strongly defended it, saying 

“I have gone back and asked for the reasons why it’s up to the 30th birthday and I am told it is in order to ensure that we have full maximum data that we need.”

“I did say I would examine it but it looks to me that up to the 30th birthday is probably appropriate and it satisfies the Data Commissioner as well which is obviously very important,” she added.

Despite these assertions, the retention period for children’s data was reduced to run until they turned 19, and other changes were made piecemeal, before the whole Circular was scrapped and replaced with a second scheme based on a new Circular, which is still not lawful.

You can see a rather nice visual history of this retreat here.

A senior official in the Data Protection Commissioner’s office today confirmed that the legislation the Department of Education had relied upon to justify the legality of transferring data from schools to the Department did not cover most of the data requested.

a number of POD fields are not listed in Regulation 189 and, as such, they do not constitute “prescribed” information for the purposes of Section 266 of the 2005 Act. The data fields concerned are as follows: Mother’s Maiden Name; Enrolment Date; Enrolment Source; Leaving Date; Leaving Destination; Integrated Indicator; Indicator for Receipt of Learning Support; Pupil Type and Special Class Type. We consider that an amending statutory instrument should have been signed before these data fields were included in POD.

The full text of the email from the senior official in the Data Protection Commissioner’s office is below.
***

 Dear Mr McGarr

I refer to your previous correspondence to this Office concerning the Primary Online Database (POD).

As you know, we opened an investigation in relation to the POD in accordance with Section 10(1)(a) of the Data Protection Acts, 1988 & 2003.
The investigation involved extensive contact with the relevant officials in the Department of Education and Skills including written communications, conference calls and meetings. The Department cooperated fully with our investigation. I am now writing to advise you of the outcome of that investigation.

The aim of our investigation has been to establish whether the POD and its implementation is in compliance with the Data Protection Acts, 1988 & 2003. In that regard, we identified a number of deficiencies which have been the focus of directions on our part to the Department of Education and Skills over the last number of months. Some of the areas where we identified issues corresponded with issues referred to in complaints received from you and from other parents.

Retention Period and Fair Processing Notice

The retention age for pupil data in the POD was set at 30 years of age. Following the intervention of this Office in which we drew the Department’s attention to the valid concerns raised by you and other parents, the retention period has now been revised downwards to the pupil’s 19th birthday. In a further corrective action, the Department of Education revised its original “Fair Processing Notice” and it published its revised notice in April 2015 – which gives more detailed information to explain how the personal data of pupils on the POD will be processed. The revised “Fair Processing Notice” also indicates that some changes have been made by the Department to the original list of data fields referred to in the previous notice.

PPSN

The collection and sharing of PPSN data was raised as a matter of concern by you and some other parents. This Office is satisfied that, in principle, the collection and sharing of PPSN data between schools and the Department of Education and Skills for the purposes of the POD, and the subsequent use of PPSN numbers by the Minister for Education in the discharge of his/her statutory functions can lawfully be undertaken. Under Section 262(4) of the Social Welfare Consolidation Act, 2005 (“the 2005 Act”) a specified body may require access to an individual’s PPSN in any case where (a) the individual in question is entering into a “transaction” with the specified body; and (b) the specified body requires the individual’s PPSN number for the purposes of that transaction. The Minister for Education is a “specified body” for the purposes of Section 262(4). Transaction in this context is defined to include “a supply of a service relating to a public function of a specified body which relates to a natural person.” The provision of primary education to children resident in the State, delivered through a network of recognised schools necessarily involves the supply of a service by the Minister to natural persons relating to a public function of the Minister.

 It is also the case that all children have a right to free primary education under Article 42.4 of the Constitution. That right is also the subject of primary legislation. In particular, the Education Act, 1998 expressly provides that it shall be a function of the Minister for Education that he/she shall ensure that there is made available to each person resident in the State a level and quality of education appropriate to meeting the needs and abilities of that person.

Moreover, we are satisfied that Section 262(6)(b) of the 2005 Act authorises the Minister for Education and Skills to use pupils’ PPSN numbers in performing his/her public functions as those functions relate to pupils.
The Minister’s functions also include the following:

  • to plan and coordinate the provision of education in recognised schools and centres for education.
  • to provide funding to each recognised school and centre for education
  • and to provide support services to recognised schools and centres for education
  •  to monitor and assess the quality, economy, efficiency and effectiveness of the education system provided in the State by recognised schools and centres for education.

Legal Basis for Sharing of Data

With regard to the sharing of broader categories of personal data, it is worth noting that the 2005 Act authorises a “specified body” to share “prescribed” information with the Minister for Education and Skills. This is achieved by Section 266 of the 2005 Act and a list of “specified bodies” is contained in Schedule 5 of the Act. This list includes any recognised school or centre for education within the meaning of Section 2 of the Education Act, 1998. It follows that any primary school that is a “recognised school” for the purposes of Section 2 of the Education Act, 1998 is constituted as a “specified body” for the purpose of Section 266 of the Social Welfare Consolidation Act, 2005 and may share “prescribed” information with the Minister for Education. The nature and extent of the “prescribed” information that may be passed by a specified body to the Minister under Section 266 of the 2005 Act is defined in the Social Welfare (Consolidated Claims, Payments and Control) Regulations, 2007 (SI 142/2007). Specifically therein Regulation 189 prescribes a whole range of data fields such as name, address, date of birth, PPSN, roll number, class group and year, special needs, etc. All of the prescribed information listed in Regulation 189 is relevant to the operation of the POD – i.e. POD requires each primary school to enter data into the database by reference to all of the data fields identified in Regulation 189. We are satisfied, in principle, that those data fields that are required for the purposes of POD and are listed in Regulation 189 can lawfully be shared by schools with the Department of Education and Skills.

However, a number of POD fields are not listed in Regulation 189 and, as such, they do not constitute “prescribed” information for the purposes of Section 266 of the 2005 Act. The data fields concerned are as follows: Mother’s Maiden Name; Enrolment Date; Enrolment Source; Leaving Date; Leaving Destination; Integrated Indicator; Indicator for Receipt of Learning Support; Pupil Type and Special Class Type. We consider that an amending statutory instrument should have been signed before these data fields were included in POD. Having identified this deficiency in the legitimising of the processing, we directed the Department of Education and Skills to have an amending statutory instrument introduced.

The statutory instrument concerned is one which falls under the remit of the Minister for Social Protection. Having conveyed our direction on this particular issue to the Department of Education and Skills, it has informed us that it has raised the matter with the Department of Social Protection and that they have jointly agreed to work towards introducing an amending statutory instrument as soon as possible. We will, of course, continue to monitor progress on this matter and we will take whatever actions we deem necessary if this matter is not progressed to finality within a reasonable timeframe.

Register of Users of PPSN

You also raised concerns that the Register of Users of PPSN numbers published on the website of the Department of Social Protection does not include the use of PPSN data for the purposes of POD. Corrective action has also been taken on that matter. The entry for the Department of Education and Skills on that Register now shows at No. 5 that the Department uses the PPSN number as a unique identifier for all pupils entered on the POD.

Conclusion

In conclusion, then, a number of deficiencies in the implementation of this project were identified. I am satisfied that on foot of directions from this Office, the Department of Education and Skills has taken or is in the process of taking corrective action in relation to these deficiencies.

Yours sincerely

XXXX XXXX

Senior Investigations Officer
17/06/2015
[This email is not a legal notice or a decision of the Data Protection Commissioner to which Section 26 of the Data Protection Acts, 1988 & 2003 applies].

An Coimisinéir Cosanta Sonraí
Teach na Canálach
Bóthar an Stáisiúin
Cúil an tSúdaire
Co. Laoise
Office of the Data Protection Commissioner

Posted in Education | Tagged | 2 Comments

POD Data fields a mix of the irrelevant, the unsettling and the possibly illegal

Tweeter @johnhamill151 FOI’d his children’s data from POD and yesterday published what he got back.

To his surprise, he discovered the Department was storing data in POD on his kids which was completely unrelated to their primary school education and data of a sort he had never been aware would be collected or stored.

Medical Data on special needs must be sensitive personal data

These fields included data on children’s special needs assessments such as “GAM_MILD_OR_BRDRLINE_MILD_GLD” or “GAM_SPECIFIC_LEARN_DISABILITY”.

The Department continues to insist that this does not constitute Sensitive Personal Data. They desperately want to claim that because such data will require parents’ consent to be collected. The new Circular governing POD has not changed this miscategorisation.

In an email to me dated 20th Jan 2015, a department official in the POD section said that

I don’t think one could draw a conclusion that those in receipt of EAL have a physical or mental health condition…The questions measure receipt of special educational supports and nothing else.

In the face of this evidence of actual medical diagnostic data (mild, borderline mild, specific learning disability) being collected and stored, I don’t think that this is a sustainable defence of this illegal processing of sensitive personal data.

Department processing irrelevant data

The purpose of the Primary Online Database, according to the Department, is to assist with the statistical analysis of the population of primary schools.

Unfortunately it appears that the department has decided to collect a series of fields in relation to children that have nothing to do with their primary school education. These fields include data on leaving certificate subjects, data on Junior Cert subjects, data on FETAC courses and even data on whether primary school children are sitting the leaving cert applied exams (Hint: no, they’re not).


The Department of Education’s ongoing problem with race

After the unfortunate business of the first POD Circular’s efforts to erase all non-White options for Irishness, by carefully removing them from the CSO’s list of cultural backgrounds, you might think that the Department of Education would be a bit more sensitive as to the ethnic and cultural indicator data it collects and stores on children.

This is, after all, one of only two forms of data it will admit to being Sensitive Personal Data.

Sadly, it appears that there are still fields in the POD database for “MOTHER_TOUNGE_IRI_ENG_IND” and most mysteriously “YEAR_OF_ARRIVAL_IN_IRELAND” which will presumably be the same as date of birth for most children.

It is rather difficult not to think that any data entered against either or both fields, neither of which was part of the usual consent form supplied to parents, could be used as a marker of ‘foreignness’, in case the parents withheld consent for data under the “ETHNICITY” field to be collected.

And finally…

It’s very unclear what it is for, but it does seem like a strange decision to have a data field labelled “IGNORED_EXEMPTION_QUESTION_IND”. If you have asked to be exempted from the database, what, exactly, is being ignored?

The full set of data fields disclosed is below.

POD FOI Data Fields


POD: A strange tale of a weird idea



Dept of Education abandon March deadline for POD, confirm both new Circular and revised data use statement needed first

The text of the latest statement from the Department of Education to Primary Schools:

Dear Principal,

Thank you for your continued participation and engagement in the POD project.

As you know both schools and the Department have received a number of comments and queries on certain aspects of the operation of POD. The Department has considered all the submissions received and is committed to taking this feedback on board, in consultation with relevant stakeholders. As a result, an updated Fair Processing Notice and a POD circular, along with supplementary information and guidance for schools and parents will issue in early April. The deadline for schools to populate POD with their pupil and class data is hereby extended until Friday the 30th April 2015.

The POD helpdesk is available Monday to Friday 8:30am-5pm on 01 8892311. If you have any queries or comments please do not hesitate to contact us at pod@education.gov.ie. Please note that schools can refer parents/guardians to the helpdesk if they wish to do so.

Kind regards,

XXXX

Statistics Section, Department of Education and Skills.

used under cc licence photo by garlandcannon


Department of Education issue new, water-muddying message re POD to schools

Text of today’s message:

Dear Principal,

Thank you all for your continued participation and engagement in the POD project.

Please note that the Department is committed to taking on board feedback from schools and parents about POD. In light of this please be aware of the following changes that will be released on POD on 4th March 2015 at 10.00am. In order to facilitate these changes POD will be unavailable between 8.00am and 10.00am on Wednesday the 4th March.

Secure Upload Facility

The updated version of POD will contain a secure upload facility for schools that wish to upload their pupil data using the Department’s excel template. This will replace the encryption process that is currently in place to transmit excel templates. The template is available from the Department’s POD helpdesk pod@eduaction.gov.ie

Ethnic or Cultural Background

The DES has reviewed the question in POD on Ethnic or Cultural Background, the following categories will now be used which better reflect the categories in the CSO 2011 Census of population question. The change in wording will be applied automatically to the system from 4th March, and no additional update will be required at school level. Amended categories in red. [here, marked with an *]

White Irish

Irish Traveller

Roma

Any other White Background

*Black or Black Irish – African

*Black or Black Irish – Any other Black Background

*Asian or Asian Irish – Chinese

*Asian or Asian Irish – Any other Asian background

Other (inc. mixed background)

No consent

An updated suggested consent form incorporating these changes will be available for downloading by parents from the Department’s website on 4th March at www.education.ie. These changes will also be reflected on the POD database.

Action required by schools –

Schools that have not yet sought parental/guardian consent for the collection of this data should ensure that they use the wording as per the revised version of the suggested consent form.

Schools that have already secured parental/guardian consent – Where a parent has raised a concern around the ethnic and cultural background question please inform them that the new version of the form will be available for downloading from the Department’s website. A parent wishing to amend what they originally submitted, may return the updated form to the school.

If a new form is submitted, schools will only need to amend the original input if there is a change in category.

For schools that use an administrative software package the Department has been in touch with the software providers and they have made the appropriate changes to their data collection systems.

Learning Support

As a considerable number of schools have indicated that they are having difficulty completing the questions on GAM/NCSE and low incidence, this portion of POD is no longer compulsory for the 2014/2015 school year.

Note that while this means that we may not receive full information on this topic from all schools, the information returned by schools in these questions is still of statistical value and will be used to show aggregate information on how schools are currently allocating resources under GAM.

Schools will receive further instructions for the GAM/NCSE and low incidence questions for the 2015/2016 school year. It is important to note that this data does not roll over with the pupil each year.

The Department has received a number of comments and queries on certain aspects of POD including the retention period for POD data and other data protection concerns. The Department is taking this feedback very seriously and is currently considering the submissions received from parents and other stakeholders. The Department is consulting with the Data Protection Commissioner’s Office and once this evaluation is complete the Department will issue an updated circular on POD later in this academic year.

From the 2016/2017 academic year, it is intended that teacher allocations and capitation grants will be made on the basis of POD data, and the previous basis for allocations, the National Annual School Census will cease operation from that point. The Department will endeavour to work with schools and parents to help avoid the loss of funding or resources.

We would like to take this opportunity to thank all schools that have completed the Primary Online Database. For schools that have yet to enter their pupils on POD, please complete this process by the 31st March 2015 – thank you.

A POD helpdesk has been set up which is available to assist schools with any POD queries. The helpdesk is available Monday to Friday 8:30am-5pm on 01 8892311. If you have any queries or comments please do not hesitate to contact us at pod@education.gov.ie. Please note that schools can refer parents/guardians to the helpdesk if they wish to do so.

Yours faithfully
XXXX


Dept of Education refuses FOI on POD as ‘not in the public interest’

2nd March 2015

Mr Simon McGarr

Re: FOI request 2015/45

I refer to the request which you made under the Freedom of Information Act 2014 for records held by this body:

‘I wish to make a request under the Freedom of Information Acts (as amended) for copies of any and all documents including but not limited to observations, letters, emails and/or submissions whether held in paper, electronic or any format relating to the Primary Online Database between the Department and Minister for Education and Skills and the Data Protection Commissioner and/or her Office.’

I, XXXX, Higher Executive Officer have now made a final decision to refuse your request on 27/02/2015.

The purpose of this letter is to explain that decision. This explanation has the following parts:

1. a condensed schedule of all of the records covered by your request;
2. an explanation of the relevant findings concerning the records to which access is denied, and
3. a statement of how you can appeal this decision should you wish to do so.

This letter addresses each of these three parts in turn.

1. Schedule of records

Outlined below are the documents that this body considers relevant to your request.
1. Emails between Department of Education and Skills and the Data Protection Commissioner’s Office regarding the Primary Online Database – 9 emails between 9/12/13 and 30/1/15
2. Notes and agendas of meetings between the Department of Education and Skills and the Data Protection Commissioner’s Office regarding the Primary Online Database – 3 (11/12/13 and 10/2/15)

2. Findings, particulars and reasons for decisions to deny access

The decision to deny access to records has been made under Section 29 of the FOI Act 2014, Deliberations of FOI bodies

29. (1) A head may refuse to grant an FOI request—
(a) if the record concerned contains matter relating to the deliberative processes of an FOI body (including opinions, advice, recommendations, and the results of consultations, considered by the body, the head of the body, or a member of the body or of the staff of the body for the purpose of those processes), and
(b) the granting of the request would, in the opinion of the head, be contrary to the public interest,

Under the provisions of Section 29(1) of the Freedom of Information Act 2014, I consider that the public interest would not be best served at this time on the basis that it would reveal details regarding the deliberative process on the current development of a revised circular on the Primary Online Database. The Department has yet to finalise its deliberations and such release could prejudice the Department’s ability to properly conclude those deliberations.

3. Rights of appeal

You may appeal this decision. In the event that you need to make such an appeal, you can do so by writing to the Freedom of Information Unit, Department of Education and Skills, Marlborough Street, Dublin 1. Your correspondence should include a fee of €30 for processing the appeal. (Payment should be made by way of personal cheque or postal money order to the accountant the Department of Education and Skills/Please note that from 19 September, 2014, the Department of Education and Skills will no longer accept cheque payments from business users in accordance with the Department of Finance Circular 01/2013. For further information regarding payment methods for business users, please email foi@education.gov.ie).

You should make your appeal within 4 weeks from the date of this notification, however, the making of a late appeal may be permitted in appropriate circumstances. A week is defined in the Act to mean 5 consecutive weekdays, excluding Saturdays and public holidays (Sundays are also excluded, as they are not weekdays). The appeal will involve a complete reconsideration of the matter by a more senior member of the staff of this Department.

Should you have any questions or concerns regarding the above, please contact me by telephone on xxxx.

Yours sincerely,

________________________

Xxxx
Statistics Section.


Tell the Minister for Education: NO to POD

Please join other parents and families in writing to the Minister for Education to protect every school-aged child’s right to privacy and future identity security. Tell Minister O’Sullivan that the Department of Education’s plans for the new Primary Online Database (POD) should be scrapped.

Add your name, email address and any comments below and the following email will go off on your behalf to the Minister to make your voice heard.

  • Dear Minister O’Sullivan:

    I write to you regarding the Department of Education’s planned rollout of the new Primary Online Database (POD). I call on you to withdraw this system until the legitimate issues raised by parents and the wider public can be addressed:

    • It is unacceptable for your Department to gather sensitive, private data on every individual primary school child, including their racial profile, psychological assessments, special needs, religion, and PPS number, and store it until they are at least 30 years of age;
    • It is deeply worrying that school staff will be able to enter comments on any child into a system so poorly secured that the Department cannot guarantee who will be able to access them;
    • It is unrealistic to expect school staff to transfer this highly sensitive data to the Department of Education using a 17-step process so complex it’s been called ‘damn near unusable’;
    • When parents decline to have their children’s information unlawfully transferred to the POD database, it is outrageous to tell teachers to just go ahead and enter it anyway;
    • It is education extortion to threaten to remove funding and teacher allocations for children whose parents have made the decision not to enter their children’s details.

    The Department may not simply ignore citizens’ data protection rights and legal protections, even when those citizens are children. Please scrap this POD scheme in the best interests of every school child in Ireland.

  • Yours Sincerely,


Minister for Education: We will forget nothing, learn nothing

About two weeks ago, as letters started to arrive home in children’s lunchboxes, parents started raising issues with the Department of Education’s project to take children’s data (racial, psychological assessment, special needs, religion, PPS number and so on) and store it until they were 30.

Here’s the post setting out the initial issues I had with the plan.

This is a long post, but it is about the future security of children’s identity. Please read it and then take a moment to do something to change this plan.

Please, contact your school and warn them about the Data Protection breaches that they could be held liable for if they comply with the Department’s demands. Then, please contact Minister Jan O’Sullivan by email Minister@education.gov.ie and tell her you want her to stop this project and why. Use any and all of the above points, or some of your own.

And finally, please contact the Office of the Data Protection Commissioner and let her know that you aren’t happy about the proposed creation of a slapdash, ill-considered record of your child and you think she needs to act to stop it from happening.

Data Protection Commissioner: Not as happy as claimed

Unfortunately, the Minister has responded by denying there are any problems, saying she’d look at the retention period, then saying she’d looked at it and was sure again it was needed because the Department wanted to have ‘full maximum data’.

Minister O’Sullivan also managed to call into question the independence of the new Data Protection Commissioner, by announcing “that office is satisfied with what we are doing” and “the 30th birthday is probably appropriate and it satisfies the Data Commissioner as well”.

On the face of it, the Commissioner’s regulatory role was being undermined by a Government Minister preempting the outcome of any complaint by asserting the opinion of the Commissioner before any complaint had even been ruled on.

It was reassuring to read today’s interview, therefore, with Helen Dixon, the new Data Protection Commissioner. Contrary to the Minister’s assertions earlier in the week, the Commissioner did not seem to be ‘fully satisfied’ with the Department’s plans. She said:

“it seems to be the case that there’s an inadequate explanation of why they need it and why they need to hold it for as long as they are holding it.”

(This might seem like a minor point, but in fact, in EU law, the independence of Data Protection Commissioners is considered a very Big Deal. So much so that the EU Commission has repeatedly sued member states whose Governments act to undermine that independence. After the most recent such case, Commission -v- Hungary, the EU Justice Commissioner and Vice President of the Commission, Viviane Reding, issued a strong warning:

“The independence of national data protection authorities is the very cornerstone of guaranteeing effective data protection rights for our citizens. Lack of independence means lack of effective supervision and oversight, and a lowering of the level of data protection. The Commission has intervened three times with infringement cases against Member States to stop such incursions on the independence of data protection watchdogs. I will not hesitate to intervene again if necessary.”)

Defund your child’s education if you object

In correspondence with individual parents, the Minister’s Office and the Department have taken another tack.

The Minister is threatening to defund the education of any child whose parents object to their data being hoovered up into this database. 

Personally, I think it’s a pretty low road for the person responsible for children’s education to try to hold them to ransom for the sake of an administrative hobby horse of her Department. Here’s the Minister’s Personal Private Secretary finishing off, with the most basic of coercive threats, a letter to a parent who had raised serious and detailed concerns that the entire POD database plan was illegal under Data Protection law.


“If you do not consent to your child’s data being entered on POD then you should inform your school in writing that you do not wish to have your child’s information entered on POD, however from 2016/2017 this may have funding and teacher allocation implications for your school”

Similarly, when I wrote to complain, I got an even less varnished version of this threat to defund any child’s education whose parents objected to POD.


Just take the data with or without consent

As if those threats weren’t objectionable enough, it turned out that the Department had come up with a fallback plan. In their FAQ to teachers, they told them that if any parent did dare to refuse to allow their children’s data to go into POD, the teachers were to ignore their data preferences and just upload it anyway.

Screw parents wishes we wanna

Retention period: Until the child is 30, and then some

Let’s go back to that retention period. It’s set out in Circular 0017/2014, which is the closest thing we have to an administrative law underpinning this entire scheme. It says:

The Department will retain personal data in categories 1 and 2 for each pupil on POD for the longer of either the period up to the pupil’s 30th Birthday and subject to review thereafter or for a period of ten years since the student was last enrolled in a primary school.

As very few 20 year olds are to be found still enrolled in primary school, we can take it that the plan is to keep the data at least until the pupil is 30 and then it will be ‘subject to review thereafter’. In other words, there is no commitment to remove this data, ever.

This open-ended retention period, by the way, doesn’t meet the requirement under the Data Protection Acts to notify the data subject how long the data will be held or for what purpose (the data subject here being the parents and then, when they become adults, the pupils themselves). Certainly, any Government department whose Minister is willing to define the criteria for retention as ‘in order to ensure that we have full maximum data’ doesn’t seem like the kind of institution to wipe any data from its system voluntarily.

The Circular is also clear that all this data ‘will’, not ‘may’, be kept. This is an important point, because, under pressure from questions, the department has suggested that maybe they will think about keeping some of the data in an anonymised form after children leave school (and, more urgently, until journalists stop asking questions). But in fact, the Circular short-circuits all of that discussion.

Together, Category 1 and Category 2 data is all of the data the Department is collecting- names, PPS numbers, address, mother’s maiden name, religion, ethnicity, psychological assessments, special needs, the whole shebang- being kept until the citizen is, at the earliest, 30 years of age.

This is explicitly not anonymised or aggregated data.

Security of the data

This is going to get a little bit technical, so stick with me here. Firstly, let’s look at how schools are meant to get this spectacularly rich and sensitive dataset on the nation’s children to the Department of Education. They can fill the data directly into the webform, which does connect over a secure HTTPS connection. Unfortunately, the form won’t let them do many of the things you might expect to come up, like saving an entry with only some of the required data filled in.

So, anticipating that the HTTPS option wouldn’t be too popular, the Department has come up with a plan for schools to fill in the data offline, into a Microsoft Office document, and then to encrypt that file using the same encryption system Edward Snowden used to communicate with journalists (GPG) and to then email them that encrypted file.

If you started to make a worried face in the second half of that sentence, that means you’ve probably already tried to use GPG encryption. Here’s Arne Padmos, lecturer with the University of Rotterdam, giving his recent talk “Why is GPG ‘damn near unusable’?” to a group of computer security experts.

But not to worry, the Department told schools that they would produce ‘detailed instructions’ on how to use it. No training, mind, but a handy Word document they could refer to. You can read it all here. Some sample screenshots, to give you a feel for it;

Screenshots of the encryption instructions

 

As you can see, there is no way that this could go wrong.

Unfortunately, the Department’s focus on keeping this data encrypted in transit pays no attention to the fact that the original data file will remain unencrypted and sitting on the school computer.
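An added example, not part of the original post or the Department’s instructions: a pre-send audit of the folder holding the offline return, which checks that anything named like GPG output really begins with an OpenPGP encrypted-message packet and lists the Office files still readable on disk. The file names, the suffix convention and the sample bytes are constructed assumptions, and the check reads only the first packet header (RFC 4880), not the whole message.

```python
import base64
import tempfile
from pathlib import Path

# Magic bytes of unencrypted Office files: OOXML (zip container) and legacy OLE2.
OFFICE_MAGIC = (b"PK\x03\x04", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
# RFC 4880 tags that open an encrypted message: PKESK (1) and SKESK (3).
ENCRYPTED_TAGS = {1, 3}
# Assumed naming convention for gpg output: original file name plus a suffix.
PGP_SUFFIXES = (".gpg", ".pgp", ".asc")


def first_packet_tag(data):
    """Return the tag of the first OpenPGP packet, or None if not OpenPGP."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        # ASCII armor: header lines, one blank line, then the base64 body.
        lines = data.replace(b"\r\n", b"\n").split(b"\n")
        try:
            data = base64.b64decode(lines[lines.index(b"") + 1][:4])
        except (ValueError, IndexError):
            return None
    if not data or not data[0] & 0x80:  # bit 7 is set in every packet header
        return None
    if data[0] & 0x40:                  # new-format header: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] & 0x3C) >> 2        # old-format header: tag in bits 5-2


def audit_folder(folder):
    """Return (left_in_clear, not_encrypted) for the files in folder."""
    left_in_clear, not_encrypted = [], []
    for path in sorted(p for p in Path(folder).iterdir() if p.is_file()):
        with path.open("rb") as fh:
            head = fh.read(4096)
        if path.suffix.lower() in PGP_SUFFIXES:
            # Named like ciphertext: must start with an encrypted-message packet.
            if first_packet_tag(head) not in ENCRYPTED_TAGS:
                not_encrypted.append(path.name)
        elif head.startswith(OFFICE_MAGIC):
            # Readable Office file; record whether an encrypted copy sits beside it.
            has_copy = any(Path(str(path) + s).exists() for s in PGP_SUFFIXES)
            left_in_clear.append((path.name, has_copy))
    return left_in_clear, not_encrypted


def demo():
    """Audit a constructed folder; files hold header stubs only, no real data."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "pupils.xlsx").write_bytes(b"PK\x03\x04" + bytes(16))
        (d / "pupils.xlsx.gpg").write_bytes(b"\x85\x01\x0c" + bytes(16))
        (d / "old_return.xls").write_bytes(OFFICE_MAGIC[1] + bytes(16))
        (d / "renamed.gpg").write_bytes(b"PK\x03\x04" + bytes(16))
        (d / "armored.asc").write_bytes(b"-----BEGIN PGP MESSAGE-----\n\nhQEM\n")
        return audit_folder(d)


if __name__ == "__main__":
    print(demo())
```

An entry in the first list with an encrypted copy beside it is exactly the case described above: the return went out encrypted, and the readable original is still on the school computer.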

Furthermore, the Department decided they would allow the POD data to be automatically copied out and synchronised with the school’s own database. So, no matter how secure the data is getting to the POD, it will then automatically, and by design, be copied out into another database that sits outside the Department’s control or audit.

This is so strange an idea, I’ll show you the bit in their documents where they chat away about it with no mention of security implications, just so you believe me.

So, just to keep count, the list of people with access to this data on children is now;

The Department of Education (for purposes which include statistics, but also funding of children’s education and other, non-specified uses), all the public bodies they intend to share this data with at the moment (the current non-exhaustive list is the Department of Enterprise and Employment, the Department of Social Protection, The CSO, The Child and Family Agency and, apparently, the Revenue Commissioners), everyone in any school with access to either the POD database or their own internal database and any contractors who provide the technical support for those databases.

I could go on and on, but this post is already too long to expect anyone to have reached the bottom here.

I could point out that holding a permanent record that doesn’t allow families and children to declare their ethnicity to be Black and Irish is insulting and backward. I could point out that having a free text Notes field where school staff can write anything they want about a pupil and have it stored, for reference, until that pupil is an adult active in society is an invitation for abuse. The threat of something going on a child’s Permanent Record has never been so real.

You can stop this

I think the main point is clear. This project is a mess. It must not go on as it is. But the Minister and her Department have made clear that they will not budge unless forced to do so.

So, please, contact your school and warn them about the Data Protection breaches that they could be held liable for if they comply with the Department’s demands. Then, please contact Minister Jan O’Sullivan by email Minister@education.gov.ie and tell her you want her to stop this project and why. Use any and all of the above points, or some of your own.

And finally, please contact the Office of the Data Protection Commissioner and let her know that you aren’t happy about the proposed creation of a slap-dash, ill considered, record of your child and you think she needs to act to stop it from happening.

Unanswered legal problems with the Government’s new database of children

Database Teddies

The Department of Education is building a database of Ireland’s children. It’s called the Primary Online Database and, currently, its intention is to collect a full profile of data on all the children in education and to store that data until they turn 30. Yes, 30.

They started last September 2014, taking data from schools directly, rather than asking parents in almost all cases. Now the department is sending home letters to parents about the database, baldly telling parents that they’re taking their child’s data.

___

UPDATE: See my follow-up post with lots of the extra problems identified with the Minister’s POD plan
UPDATE 2: NEW! A simple web form to tell the Minister that this is a bad idea. Sign it and share it!
___

The Department is collecting data on children, including sensitive data such as medical information, whether the children have psychological assessments, and religious and racial characteristics. This is something that requires careful planning to be done correctly. As the Irish Water debacle showed, an organisation can destroy public trust by careless information governance and ill-considered data demands. And any database that contains such critically sensitive data about all the citizens and residents of the state who are under 30 needs very significant and broadly based support.

This database, if leaked or misused, would compromise the identity security of every young person in the entire country. It would provide a treasure trove for blackmailers or identity thieves. It’s precisely because this sort of data is so red-hot radioactive that the Census data- the only collection comparable to this proposed datagrab- is given special legislative protections in the Statistics Act 1993.

Regrettably, it seems the Department of Education has not learned anything from the recent past. I contacted the department on the 6th January to set out some Data Protection concerns with the database. I followed this up with more than one telephone conversation. I received no written reply by the 20th January so I then made a formal complaint to the Data Protection Commissioner.

In that complaint I made the following points;

1/ Section 2(1)(c) of the Data Protection Acts (referred to hereunder as DPA) sets out the principle that data should be obtained for “one or more specified, explicit and legitimate purposes”. Children’s data was obtained from parents by their schools for specific, legitimate, internal school purposes. The Department is seeking to take that data from the school, under threat to its continued funding, and use it for radically different purposes, none of which were specified at the time the school obtained the child’s data, or necessary for those internal uses. This is not legitimate.

2/ In addition, the Department’s Letter to Parents states that it is the Department’s intention to store children’s data in the Primary Online Database until they reach the age of 30.

To me, this appears to be self-evidently an excessive retention period. Data may only be stored for as long as is required for the purpose for which it is collected. (per Section 2 (1)(c)(iv) DPA)

As all the purposes of this database are related to children’s primary school experiences, retention for decades after that experience ends will be a breach of the data protection acts, and contrary to Data Protection principles.

3/ I have very significant concerns about the data relating to children proposed by the Department to be obtained, processed, shared and retained until the age of 30. The material describing the contents of the POD database sets out data which is clearly sensitive personal data per the definition at Section 1 DPA.

In particular, the data fields;

“Learning Support

Is the pupil in receipt of low incidence support through NCSE? (drop-down list)
Yes
No

Is pupil receiving support under the General Allocation Model? (drop-down list)
Yes
No

EAL (tick-box)
Specific Learning Disability (tick-box)
Learning Support (tick-box)
Mild/Borderline Mild GLD Resource Teaching (tick-box)

Does the child have a psychological or medical assessment report which recommends provision of an additional teaching resource? (drop-down list)
Yes
No”

represent sensitive personal data as it relates to “the physical or mental health or condition or sexual life of the data subject,”.

However, the Department is proceeding on the assertion that all this data is ‘non-sensitive’ data and does not require parental consent for processing.

Furthermore, the database includes a free text “Notes” tab.

“Notes about a pupil may be entered into the ‘Notes’ tab. At present, notes entered here can be seen by Department of Education staff”

(per P 10 of the Instruction Manual on the POD. The existence of this data field is not notified to parents in any notice addressed to them.)

There is no way for this data to be obtained or retained in compliance with the DPA, as there is no description or limits on what notes may be added to each child’s entry into the database- whether sensitive, relevant, necessary or appropriate. Whether the data is routinely accessed by the Department is irrelevant as it is being retained by the Dept and is accessible to any departmental user with Administrator status.

Furthermore it is not unknown for children to change schools precisely to obtain a fresh start, and it is unsatisfactory that the unlimited and unmonitored notes by staff of one institution would be transferred to the new school, colouring that school’s opinion of the child before they had even started.

4/ The Department of Education’s use case statement, which may be accessed on the Department of Social Protection’s own website, does not include the proposed use of children’s PPSNs as described in the Department’s letter to parents regarding this database.

From the records available to me, the proposed use case the Department’s letter describes has not been notified to the Department of Social Welfare and, therefore, has not been agreed with the Minister, as required under S 262(4) and Sec 262(6) of the Social Welfare Consolidation Act 2005.

In the absence of such consent a child’s school would be in breach of the data protection acts were they to transfer his or her PPSN data to the Department as a new Data Controller.


5/ I note that by letter dated 15th January the Minister for Education’s private secretary wrote to parents who have complained about this database and told them that;

“If you do not consent to your child’s data being entered on POD then you should inform your school in writing that you do not wish to have your child’s information entered on POD, however from 2016/2017 this may have funding and teacher allocation implications for your school going forward”

This threat effectively negates any consent that might be given, as it clearly represents a coercive effort to force consent in the face of the defunding of their child’s education. In addition, the threat to partially defund a school on the basis of purely automatic processing of data in a database represents a breach of Section 6B of the DPA,

“a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him”

To read more about how this database is being implemented in a way to undermine trust and effectiveness, take a look at data protection expert Daragh O’Brien’s two posts on the subject, here and here. Those posts give context to this ill-conceived project, by showing how and why the State consistently fails to respect citizens’ data rights.

If you agree with my points, please do contact your child’s school and let them know that you don’t give consent to your child’s data being entered onto POD, and let the Minister for Education, Jan O’Sullivan TD know your concerns about her plan by email minister@education.gov.ie and/or make a complaint to the Data Protection Commissioner’s office (details here) if you have no satisfactory outcome from your contacts.

Photo: Database Teddies by Linda Hartley

Private phone messaging apps compared

Recently, for reasons, I had occasion to examine the current state of the market for encrypted messaging apps on phones.

Tested: Wickr, BBM, Threema, Confide, Cyber Dust, Cyphr, Telegram. Thoughts to follow:

(Notes:
-All of these apps start off wanting access to your contacts. You should always say no and invite the people you do want to communicate with manually.
-I have no way to check the cryptographic reliability of any of the below apps. So, one could be a pleasure to use and be using a joke of encryption. In addition, if your life depends on security, please don’t use a phone at all to pass messages. Buyer beware. )

Wickr: Hysterical intro copy. Stunningly ugly. Nuttily tricky to set up. Seems to work.

BBM: Amazingly, even more ugly design than Wickr. Appears to hate users, and does everything it can to stop them. On android: don’t install. Over-reach on permissions, including your call & text history, demands for your location etc. Blackberry, you are a zombie.

Threema: A bit fiddly to set up, quite like whatsapp once you’ve succeeded. Has a nice face to face verification thing too.

Confide: Text only, unlike the others. Only reveals one word at a time, so can’t be screen shot. If you want to send a private private text made of just text, seems like a good bet. Update: Neither I nor my Android co-tester actually received each other’s messages. Though very secure, this is not very useful.

Cyber dust: a much better interface than most of the others. You don’t get an archive or record of your conversations- they vanish from your screen after a few minutes. You can keep your own messages, if you like, by tapping on them, but you can’t keep the other people’s.

Cyphr: Easy set up, easy use. Uses a central server. Makes saving pictures you’ve received very easy, which could be a pro or a con depending on how you want to use it.

Telegram: similar to Threema in set up, slightly cleaner design. Seems to have the larger installed user base.

This is important, because the major barrier to adoption of encrypted apps or messaging is that both sides need to agree to use a particular, non-mainstream, programme to communicate.

This is why the suggestion that Whatsapp, with its tens of millions of users, may encrypt all its messages from end to end is so significant.

My criterion was that the app had to offer to encrypt text (and, ideally, any videos or pictures uploaded) and not store a hackable copy on servers (as Snapchat allowed to happen to its users).

Let me know if I’ve missed an option
