Dept of Education refuses FOI on POD as ‘not in the public interest’

2nd March 2015

Mr Simon McGarr

Re: FOI request 2015/45

I refer to the request which you made under the Freedom of Information Act 2014 for records held by this body:

‘I wish to make a request under the Freedom of Information Acts (as amended) for copies of any and all documents including but not limited to observations, letters, emails and/or submissions whether held in paper, electronic or any format relating to the Primary Online Database between the Department and Minister for Education and Skills and the Data Protection Commissioner and/or her Office.’

I, XXXX, Higher Executive Officer have now made a final decision to refuse your request on 27/02/2015.

The purpose of this letter is to explain that decision. This explanation has the following parts:

1. a condensed schedule of all of the records covered by your request;
2. an explanation of the relevant findings concerning the records to which access is denied, and
3. a statement of how you can appeal this decision should you wish to do so.

This letter addresses each of these three parts in turn.

1. Schedule of records

Outlined below are the documents that this body considers relevant to your request.
1. Emails between Department of Education and Skills and the Data Protection Commissioner’s Office regarding the Primary Online Database – 9 emails between 9/12/13 and 30/1/15
2. Notes and agendas of meetings between the Department of Education and Skills and the Data Protection Commissioner’s Office regarding the Primary Online Database – 3 (11/12/13 and 10/2/15)

2. Findings, particulars and reasons for decisions to deny access

The decision to deny access to records has been made under Section 29 of the FOI Act 2014, Deliberations of FOI bodies
29. (1) A head may refuse to grant an FOI request—
(a) if the record concerned contains matter relating to the deliberative processes of
an FOI body (including opinions, advice, recommendations, and the results of
consultations, considered by the body, the head of the body, or a member of the
body or of the staff of the body for the purpose of those processes), and
(b) the granting of the request would, in the opinion of the head, be contrary to the
public interest,

Under the provisions of Section 29(1) of the Freedom of Information Act 2014, I consider that the public interest would not be best served at this time on the basis that it would reveal details regarding the deliberative process on the current development of a revised circular on the Primary Online Database. The Department has yet to finalise its deliberations and such release could prejudice the Department’s ability to properly conclude those deliberations.

3. Rights of appeal

You may appeal this decision. In the event that you need to make such an appeal, you can do so by writing to the Freedom of Information Unit, Department of Education and Skills, Marlborough Street, Dublin 1. Your correspondence should include a fee of €30 for processing the appeal. (Payment should be made by way of personal cheque or postal money order to the accountant the Department of Education and Skills/Please note that from 19 September, 2014, the Department of Education and Skills will no longer accept cheque payments from business users in accordance with the Department of Finance Circular 01/2013. For further information regarding payment methods for business users, please email foi@education.gov.ie).

You should make your appeal within 4 weeks from the date of this notification, however, the making of a late appeal may be permitted in appropriate circumstances. A week is defined in the Act to mean 5 consecutive weekdays, excluding Saturdays and public holidays (Sunday are also excluded, as they are not weekdays). The appeal will involve a complete reconsideration of the matter by a more senior member of the staff of this Department.

Should you have any questions or concerns regarding the above, please contact me by telephone on xxxx.

Yours sincerely,

________________________

Xxxx
Statistics Section.

Posted in Education | Tagged

Tell the Minister for Education: NO to POD

Please join 404 other parents and families in writing to the Minister for Education to protect every school-aged child’s right to privacy and future identity security. Tell Minister O’Sullivan that the Department of Education’s plans for the new Primary Online Database (POD) should be scrapped.

Add your name, email address and any comments below and the following email will go off on your behalf to the Minister to make your voice heard.

  • Dear Minister O’Sullivan:

    I write to you regarding the Department of Education’s planned rollout of the new Primary Online Database (POD). I call on you to withdraw this system until the legitimate issues raised by parents and the wider public can be addressed:

    • It is unacceptable for your Department to gather sensitive, private data on every individual primary school child, including their racial profile, psychological assessments, special needs, religion, and PPS number, and store it until they are at least 30 years of age;
    • It is deeply worrying that school staff will be able to enter comments on any child into a system so poorly secured that the Department cannot guarantee who will be able to access them;
    • It is unrealistic to expect school staff to transfer this highly sensitive data to the Department of Education using a 17-step process so complex its been called ‘damn near unusable’;
    • When parents decline to have their children’s information unlawfully transferred to the POD database, it is outrageous to tell teachers to just go ahead and enter it anyway;
    • It is education extortion to threaten to remove funding and teacher allocations for children whose parents have made the decision not to enter their children’s details.

    The Department may not simply ignore citizen’s data protection rights and legal protections, even when those citizens are children. Please scrap this POD scheme in the best interests of every school child in Ireland.

  • Please add any other comments you would like to be included in your letter:
  • Yours Sincerely,

  • This field is for validation purposes and should be left unchanged.
Posted in Education | Tagged , ,

Minister for Education: We will forget nothing, learn nothing

About two weeks ago, as letters started to arrive home in children’s lunchboxes, parents started raising issues with the Department of Education’s project to take children’s data (racial, psychological assessment, special needs, religion, PPS number and so on) and store it until they were 30.

Here’s the post setting out the inital issues I had with the plan.

This is a long post, but it is about the future security of children’s identity. Please read it and then take a moment to do something to change this plan.

Please, contact your school and warn them about the Data Protection breaches that they could be held liable for if they comply with the Department’s demands. Then, please contact Minister Jan O’Sullivan by email Minister@education.gov.ie and tell her you want her to stop this project and why. Use any and all of the above points, or some of your own.

And finally, please contact the Office of the Data Protection Commissioner and let her know that you aren’t happy about the proposed creation of a slap-dash, ill considered, record of your child and you think she needs to act to stop it from happening.

Data Protection Commissioner: Not as happy as claimed

Unfortunately, the Minister has responded by denying there are any problems, saying she’d look at the retention period, then saying she’d looked at it and was sure again it was needed because the Department wanted to have ‘full maximum data’.

Minister O’Sullivan also managed to call into question independence of the new Data Protection Commissioner, by announcing “that office is satisfied with what we are doing” and “the 30th birthday is probably appropriate and it satisfies the Data Commissioner as well”.

On the face of it, the Commissioner’s regulatory role was being undermined by a Government Minister preempting the outcome of any complaint by asserting the opinion of the Commissioner before any complaint had even been ruled on.

It was reassuring to read today’s interview, therefore, with Helen Dixon, the new Data Protection Commissioner. Contrary to the Minister’s assertions earlier in the week, the Commissioner did not seem to be ‘fully satisfied’ with the Department’s plans. She said;

“it seems to be the case that there’s an inadequate explanation of why they need it and why they need to hold it for as long as they are holding it.”

(This might seem like a minor point, but in fact, in EU law, the independence of Data Protection Commissioners is considered a very Big Deal. So much so that the EU Commission has repeatedly sued member states whose Governments act to undermine that independence. After the most recent such case Commission -v- Hungary, the EU Justice Commissioner and Vice President of the Commission, Viviane Reding issued a strong warning;

The independence of national data protection authorities is the very cornerstone of guaranteeing effective data protection rights for our citizens. Lack of independence means lack of effective supervision and oversight, and a lowering of the level of data protection. The Commission has intervened three times with infringement cases against Member States to stop such incursions on the independence of data protection watchdogs. I will not hesitate to intervene again if necessary.” )

Defund your child’s education if you object

In correspondence with individual parents, the Minister’s Office and the Department have taken another tack.

The Minister is threatening to defund the education of any child whose parents object to their data being hoovered up into this database. 

Personally, I think it’s a pretty low road for the person responsible for children’s education to try to hold them to ransom for the sake of an administrative hobby horse of her Department. Here’s the Minister’s Personal Private secretary, finishing off a letter to a parent who had raised serious and detailed concerns that the entire POD database plan was illegal under Data Protection law with the most basic of coercive threats.

1421821095.jpg

“If you do not consent to your child’s data being entered on POD then you should inform your school in writing that you do not wish to have your child’s information entered on POD, however from 2016/2017 this may have funding and teacher allocation implications for your school”

Similarly, when I wrote to complain, I got an even less varnished version of this threat to defund any child’s education whose parents objected to POD.

Offical's threat

 

Just take the data with or without consent

As if those threats weren’t objectionable enough, it turned out that the Department had come up with a fallback plan. In their FAQ to teachers, they told them that if any parent did dare to refuse to allow their children’s data to go into POD, the teachers were to ignore their data preferences and just upload it anyway.

Screw parents wishes we wanna

Retention period: Until the child is 30, and then some

Let’s go back to that retention period. It’s set out in Circular 0017/2014, which is closest thing we have to an administrative law underpinning this entire scheme. It says;

The Department will retain personal data in categories 1 and 2 for each pupil on POD for the longer of either the period up to the pupil’s 30th Birthday and subject to review thereafter or for a period of ten years since the student was last enrolled in a primary school.

As very few 20 year olds are to be found still enrolled in primary school, we can take it that the plan is to keep the data at least until the pupil is 30 and then it will be ‘subject to review thereafter’. In other words, there is no commitment to remove this data, ever.

This open-ended retention period, by the way, doesn’t meet the requirement by the Data Protection Acts for notifying the data subject how long the data will be held for or for what purpose (data subject here being parents and then, when they become adults, the pupils themselves). Certainly, any Government department whose Minister is willing to define the criteria for retention as ‘in order to ensure that we have full maximum data’ doesn’t seem like the kind of institution to wipe any data from its system voluntarily.

The Circular is also clear that all this data ‘will’, not ‘may’, be kept. This is an important point, because, under pressure from questions, the department has suggested that maybe they will think about keeping some of the data in an anonymised form after children leave school (and, more urgently, until journalists stop asking questions). But in fact, the Circular short-circuits all of that discussion.

Together, Category 1 and Category 2 data is all of the data the Department is collecting- names, PPS numbers, address, mother’s maiden name, religion, ethnicity, psychological assessments, special needs, the whole shebang- being kept until the citizen is, at the earliest, 30 years of age.

This is explicitly not anonymised or aggregated data.

Security of the data

This is going to get a little bit technical, so stick with me here. Firstly, let’s look at how schools are meant to get this spectacularly rich and sensitive dataset on the nation’s children to the Department of Education. They can fill the data in directly into the webform, which does connect with a secure HTTPS line. Unfortunately, the form won’t let them do many of the things you might expect to come up, like save an entry with only some of the required data filled in.

So, anticipating that the HTTPS option wouldn’t be too popular, the Department has come up with a plan for schools to fill in the data offline, into a Microsoft Office document, and then to encrypt that file using the same encryption system Edward Snowden used to communicate with journalists (GPG) and to then email them that encrypted file.

If you started to make a worried face in the second half of that sentence, that means you’ve probably already encountered trying to use GPG encryption. Here’s Arne Padmos, lecturer with the University of Rotterdam, giving his recent talk “Why is GPG ‘damn near unusable’?” to a group of computer security experts.

But not to worry, the Department told schools that they would produce ‘detailed instructions’ on how to use it. No training, mind, but a handy Word document they could refer to. You can read it all here. Some sample screenshots, to give you a feel for it;

Screenshots of the encryption instructions

 

As you can see, there is no way that this could go wrong.

Unfortunately, the Department’s focus on keeping this data encrypted in transit pays no attention to the fact that the original data file will remain unencrypted and sitting on the school computer.

Furthermore, the Department decided they would allow the POD data to be automatically copied out and synchronised with the school’s own database. So, no matter how secure the data is getting to the POD, it will then automatically, and by design, be copied out into another database that sits outside the Department’s control or audit.

This is so strange an idea, I’ll show you the bit in their documents where they chat away about it with no mention of security implications, just so you believe me.

Screenshot_2015-01-25_11_53_38So, just to keep count, the list of people with access to this data on children is now;

The Department of Education (for purposes which include statistics, but also funding of children’s education and other, non-specified uses), all the public bodies they intend to share this data with at the moment (the current non-exhaustive list is the Department of Enterprise and Employment, the Department of Social Protection, The CSO, The Child and Family Agency and, apparently, the Revenue Commissioners), everyone in any school with access to either the POD database or their own internal database and any contractors who provide the technical support for those databases.

I could go on and on, but this post is already too long to expect anyone to have reached the bottom here.

I could point out that holding a permanent record that doesn’t allow families and children to declare their ethnicity to be Black and Irish is insulting and backward. I could point out that having a free text Notes field where school staff can write anything they want about a pupil and have it stored, for reference, until that pupil is an adult active in society is a invitation for abuse. The threat of something going on a child’s Permanent Record has never been so real.

You can stop this

I think the main point is clear. This project is a mess. It must not go on as it is. But the Minister and her Department have made clear that they will not budge unless forced to do so.

So, please, contact your school and warn them about the Data Protection breaches that they could be held liable for if they comply with the Department’s demands. Then, please contact Minister Jan O’Sullivan by email Minister@education.gov.ie and tell her you want her to stop this project and why. Use any and all of the above points, or some of your own.

And finally, please contact the Office of the Data Protection Commissioner and let her know that you aren’t happy about the proposed creation of a slap-dash, ill considered, record of your child and you think she needs to act to stop it from happening.

Posted in General | Tagged , ,

Unanswered legal problems with the Government’s new database of children

The Department of Education is building a database of Ireland’s children. It’s called the Primary Online Database and, currently, its intention is to collect a full profile of data on all the children in education and to store that data until they turn 30. Yes, 30. They started last September 2014, taking data from schools directly, rather than asking parents in almost all cases. Now the department is sending home letters to parents about the database, baldly telling parents that …

Continue Reading »

Posted in General | Tagged , ,

Private phone messaging apps compared

Recently, for reasons, I had occasion to examine the current state of the market for encrypted messaging apps on phones. Tested: Wickr, BBM, Threema, Confide, Cyber Dust, Cyphr, Telegram. Thoughts to follow: (Notes: -All of these apps start off wanting access to your contacts. You should always say no and invite the people you do want to communicate with manually. -I have no way to check the cryptographic reliability of any of the below apps. So, one could be a …

Continue Reading »

Posted in General | Tagged

Thoughts on Ireland’s new Surveillance Order

Some tiny Saturday thoughts on today’s Page 1 scoop by Karlin Lillington re the state’s creation of a new statutory framework for secret Ministerial surveillance orders and, quite seriously, for FISA-style secret court hearings. 1) The Minister has activated a law that has been overtaken by events. 2) The Department of Justice has claimed the SI was signed to comply with EU treaty obligations. 3) But since 2008, when the law was drafted, EU law has been transformed in its …

Continue Reading »

Posted in General | Tagged

Have Uber delete their records of you using Data Protection law

Send Uber a message that requires them, under Data Protection law to delete your data, when you delete their app.

Continue Reading »

Posted in General | Tagged ,

Water and Power

Self-organised, decentralised political movements were once the stuff of science fiction and political theory. Now, the phones in people’s pockets give everyone the chance to voice, bear witness, organise and persuade.

Continue Reading »

Posted in General |

Apple Watch, HealthKit & the meaning of normal

The coming smartwatch data flood is going to pose a challenge for doctors to assess.

Continue Reading »

Posted in General | Tagged , ,

The BAI, Mooney and the struggle to control the Internet

A few weeks ago the Broadcasting Authority of Ireland issued a decision in response to a complaint by Mr. Dónal O’Sullivan-Latchford on behalf of the Family and Media Association. He had complained about an episode of the Mooney Show on RTE Radio One which had featured a discussion with a gay man about his life and relationships, together with a member of GLEN who explained the current legal choices for gay people in relationships. The complainant claims that same-sex marriage …

Continue Reading »

Posted in General | Tagged , , , , ,