Joan Burton signs the third law trying to make the POD scheme legal

Joan Burton, Ministerial Seal

The misbegotten Primary Online Database project is on its third piece of legislation designed to try to make it legal.

On the 21st July, The Minister for Social Protection Joan Burton signed a Ministerial Order seeking to try to provide a legislative basis for the transfer of children’s data from schools to the Department of Education.

You can take a look at SI 317 of 2015 here.

I’ll be writing more about this in a while. However, as Digital Rights Ireland’s Director TJ McIntyre pointed out on twitter, a Statutory Instrument can only be signed by a Minister in pursuit of the purpose allowed for in its originating legislation. (Otherwise, Ministers would be able to just pass laws without reference to the Oireachtas).

In this case, SI 317/2015 is a creature of Section 266 of the Social Welfare Consolidation Act 2005.

Statutory Instuments under Section 266 can only permit the transfer of data “where that Minister requires the information for the purpose of enabling him or her to provide education”.

This Statutory Instument doesn’t even claim to meet this “requirement” test. Instead, it weakly says that the Minister for Education should have the right to demand data such as a child’s mother’s maiden name, whether they’re boarding at a school, details of their special needs etc.

At the end of the Statutory Instrument, the justification for this huge data grab doesn’t even try to relate the SI to a requirement in order to provide education (the only legal basis for an SI signed under Section 266).

Instead it says
“The purpose of these Regulations is to extend the types of information that can be shared in order to further assist the Minister for Education and Skills to adequately monitor the progress of students through the education system.”

We’re rather a long way from “necessity”.

Department of Education refuses FOI regarding database of children because it would reveal their position

 

1439746511_full.jpeg

Rather missing the point of an FOI Act, the Department of Education has refused to release documents relating to the Primary Online Database- which the Data Protection Commissioner’s Office has confirmed is operating without proper legal basis.

Tellingly, they argue that to release the documents would reveal the Department’s true position on POD- which, if you think about it, tells us more about their acceptance of citizens’ rights to know about their government’s decisions than any amount of FOI Manuals.

text below

****

Dear Mr McGarr

I refer to the appeal which you made under the Freedom of Information Acts 2014 and the Department’s acknowledgement letter dated 27th July 2015.

I, XXXX Statistician, am a more senior member of the staff of this body than the person making the first decision and I have decided on 14th August 2015 to affirm the original decision on your request. This decision on review is an entirely new and separate decision on your request, and is explained as such below.

Your original request, sought access to the records listed below, in arriving at this decision I have had regard to the original request the records which were located as part of that request and the appeal letter which you submitted in this regard.

I enclose for your attention a schedule of these records, this schedule summarizes to you my findings.

I have kept the numbering scheme as provided to you in the original schedule of records.

Record No. 1: Emails and attachments withheld.

Having reviewed these documents I deem records have been refused under Section 30 of the FOI Act 2014, Functions and Negotiations of FOI Bodies

30. (1) A head may refuse to grant an FOI request if access to the record concerned could, in the opinion of the head, reasonably be expected to—

(c) disclose positions taken, or to be taken, or plans, procedures, criteria or instructions used or followed, or to be used or followed, for the purpose of any negotiations carried on or being, or to be, carried on by or on behalf of the Government or an FOI body.

As release of the documents in question would disclose positions taken by the Department during negotiations in relation to POD, I consider that the public interest is best served by refusing to grant this part of the request. Also note that in relation to your point

“In addition, it was never the case that the records from 2013, involving a Circular promulgated in January 2014 were part of any deliberative process for a circular which was not even contemplated until parental complaints were made about the POD project in 2015.”

that the documents in question relate to the period February to April 2015.

Record No. 2: Notes of Meeting.

 

Having reviewed this document I deem the record has been refused under Section 30 of the FOI Act 2014, Functions and Negotiations of FOI Bodies

30. (1) A head may refuse to grant an FOI request if access to the record concerned could, in the opinion of the head, reasonably be expected to—

(c) disclose positions taken, or to be taken, or plans, procedures, criteria or instructions used or followed, or to be used or followed, for the purpose of any negotiations carried on or being, or to be, carried on by or on behalf of the Government or an FOI body.

As release of the document in question would disclose positions taken by the Department during negotiations in relation to POD, I consider that the public interest is best served by refusing to grant this part of the request. Also note that in relation to your point

“In addition, it was never the case that the records from 2013, involving a Circular promulgated in January 2014 were part of any deliberative process for a circular which was not even contemplated until parental complaints were made about the POD project in 2015.”

that this document relates to February 2015.

Record Number 3: Room document

Having reviewed this document I deem the record has been refused under Section 30 of the FOI Act 2014, Functions and Negotiations of FOI Bodies

30. (1) A head may refuse to grant an FOI request if access to the record concerned could, in the opinion of the head, reasonably be expected to—
(c) disclose positions taken, or to be taken, or plans, procedures, criteria or instructions used or followed, or to be used or followed, for the purpose of any negotiations carried on or being, or to be, carried on by or on behalf of the Government or an FOI body.

As release of the document in question would disclose positions taken by the Department during negotiations in relation to POD, I consider that the public interest is best served by refusing to grant this part of the request.

Record Number 4: Letter from DPC to DES

Having reviewed this document I deem the record has been refused under Section 31 of the FOI Act 2014, Functions and Negotiations of FOI Bodies

31. (1) A head shall refuse to grant an FOI request if the record concerned—

(a) would be exempt from production in proceedings in a court on the ground of legal professional privilege

As the release of this record would disclose the substance of communications from external legal advisers to the office of the Data Protection Commissioner, of which the Department of Education and Skills was informed of in-confidence, access to this record must be denied.

I enclose for your attention a schedule of these records, this schedule summarizes to you my findings.

Having regard to the aforementioned I have decided to affirm the decision made by the original decision maker in relation to your request and I have enclosed again for your attention a copy of the relevant sections of the Act which this decision relies on.

You may appeal this decision by writing to the Information Commissioner at 18 Lower Leeson Street, Dublin 2. There is a fee of €50 for such appeals, other than appeals against a decision to impose a fee. If you wish to appeal, you must usually do so not later than 6 months from the date of this notification. Should you write to the Information Commissioner making an appeal, please refer to this letter.

If an appeal is made by you and accepted, the Information Commissioner will fully investigate and consider the matter and issue a fresh decision.

Yours sincerely,
etc

Data Protection Commissioner finds POD was, and still is, unlawful

The Data Protection Commissioner’s Office today confirmed that, having investigated the Primary Online Database, they found that parental concerns raised were valid and that, even following changes to the scheme in April, the POD would require further legislation to be lawful. 

Unless that legislation is introduced, schools transferring the requested pupils data to the Departmemt of Education will not have the nessecary lawful basis to do so.

The Primary Online Database is the Department of Education and Skills’ project to create a centralised database on all the country’s children.

It was originally grounded on a Departmental Circular of Jan 2014.

Following parental questioning of the legality of the scheme, the Minister for Education strongly defended it, saying 

“I have gone back and asked for the reasons why it’s up to the 30th birthday and I am told it is in order to ensure that we have full maximum data that we need.”

“I did say I would examine it but it looks to me that up to the 30th birthday is probably appropriate and it satisfies the Data Commissioner as well which is obviously very important,” she added.

Despite these assertions, the retention period for children’s data was reduced until they turned 19 and other changes made piecemeal before the whole Circular was scrapped and replaced with a second scheme based on a new Circular- which is still not lawful. 

You can see rather nice visual history to this retreat here.

A senior official in the Data Protection Commissioner’s office today confirmed that the legislation the Department of Education had relied upon to justify the legality of transferring data from schools to the Department did not cover most of the data requested.

a number of POD fields are not listed in Regulation 189 and, as such, they do not constitute “prescribed” information for the purposes of Section 266 of the 2005 Act.
 The data fields concerned are as follows: Mother’s Maiden Name; Enrolment Date; Enrolment Source; Leaving Date; Leaving Destination; Integrated Indicator; Indicator for Receipt of Learning Support; Pupil Type and Special Class Type. We consider that an amending statutory instrument should have been signed before these data fields were included in POD. 

The full text of the email from the senior official in the Data Protection Commissioner’s office is below.
***

 Dear Mr McGarr

I refer to your previous correspondence to this Office concerning the Primary Online Database (POD).

As you know, we opened an investigation in relation to the POD in accordance with Section 10(1)(a) of the Data Protection Acts, 1988 & 2003.
The investigation involved extensive contact with the relevant officials in the Department of Education and Skills including written communications, conference calls and meetings. The Department cooperated fully with our investigation. I am now writing to advise you of the outcome of that investigation.

The aim of our investigation has been to establish whether the POD and its implementation is in compliance with the Data Protection Acts, 1988 & 2003. In that regard, we identified a number of deficiencies which have been the focus of directions on our part to the Department of Education and Skills over the last number of months. Some of the areas where we identified issues corresponded with issues referred to in complaints received from you and from other parents.

Retention Period and Fair Processing Notice

The retention age for pupil data in the POD was set at 30 years of age. Following the intervention of this Office in which we drew the Department’s attention to the valid concerns raised by you and other parents, the retention period has now been revised downwards to the pupil’s 19th birthday. In a further corrective action, the Department of Education revised its original “Fair Processing Notice” and it published its revised notice in April 2015 – which gives more detailed information to explain how the personal data of pupils on the POD will be processed. The revised “Fair Processing Notice” also indicates that some changes have been made by the Department to the original list of data fields referred to in the previous notice.
PPSN

The collection and sharing of PPSN data was raised as a matter of concern by you and some other parents. This Office is satisfied that, in principle, the collection and sharing of PPSN data between schools and the Department of Education and Skills for the purposes of the POD, and the subsequent use of PPSN numbers by the Minister for Education in the discharge of his/her statutory functions can lawfully be undertaken. Under Section 262(4) of the Social Welfare Consolidation Act, 2005 (“the 2005 Act”) a specified body may require access to an individual’s PPSN in any case where (a) the individual in question is entering into a “transaction” with the specified body; and (b) the specified body requires the individual’s PPSN number for the purposes of that transaction. The Minister for Education is a “specified body” for the purposes of Section 262(4). Transaction in this context is defined to included “a supply of a service relating to a public function of a specified body which relates to a natural person.” The provision of primary education to children resident in the State, delivered through a network of recognised schools necessarily involves the supply of a service by the Minister to natural persons relating to a public function of the Minister.

 It is also the case that all children have a right to free primary education under Article 42.4 of the Constitution. That right is also the subject of primary legislation. In particular, the Education Act, 1998 expressly provides that it shall be a function of the Minister for Education that he/she shall ensure that there is made available to each person resident in the State a level and quality of education appropriate to meeting the needs and abilities of that person.

Moreover, we are satisfied that Section 262(6)(b) of the 2005 Act authorises the Minister for Education and Skills to use pupils’ PPSN numbers in performing his/her public functions as those functions relate to pupils.
The Minister’s functions also include the following:

  • to plan and coordinate the provision of education in recognised schools and centres for education.
  • to provide funding to each recognised school and centre for education
  • and to provide support services to recognised schools and centres for education
  •  to monitor and assess the quality, economy, efficiency and effectiveness of the education system provided in the State by recognised schools and centres for education.

Legal Basis for Sharing of Data

With regard to the sharing of broader categories of personal data, it is worth noting that the 2005 Act authorises a “specified body” to share “prescribed” information with the Minister for Education and Skills. This is achieved by Section 266 of the 2005 Act and a list of “specified bodies” is contained in Schedule 5 of the Act. This list includes any recognised school or centre for education within the meaning of Section 2 of the Education Act, 1998. It follows that any primary school that is a “recognised school” for the purposes of Section 2 of the Education Act, 1998 is constituted as a “specified body” for the purpose of Section 266 of the Social Welfare Consolidation Act, 2005 and may share “prescribed” information with the Minister for Education. The nature and extent of the “prescribed” information that may be passed by a specified body to the Minister under Section 266 of the 2005 Act is defined in the Social Welfare (Consolidated Claims, Payments and Control) Regulations, 2007 (SI 142/2007). Specifically therein Regulation 189 prescribes a whole range of data fields such as name, address, date of birth, PPSN, roll number, class group and year, special needs, etc. All of the prescribed information listed in Regulation 189 is relevant to the operation of the POD – i.e. POD requires each primary school to enter data into the database by reference to all of the data fields identified in Regulation 189. We are satisfied, in principle, that those data fields that are required for the purposes of POD and are listed in Regulation 189 can lawfully be shared by schools with the Department of Education and Skills.

However, a number of POD fields are not listed in Regulation 189 and, as such, they do not constitute “prescribed” information for the purposes of
Section 266 of the 2005 Act. The data fields concerned are as follows: Mother’s Maiden Name; Enrolment Date; Enrolment Source; Leaving Date; Leaving Destination; Integrated Indicator; Indicator for Receipt of Learning Support; Pupil Type and Special Class Type. We consider that an amending statutory instrument should have been signed before these data fields were included in POD. Having identified this deficiency in the legitimising of the processing, we directed the Department of Education and Skills to have an amending statutory instrument introduced.

The statutory instrument concerned is one which falls under the remit of the Minister for Social Protection. Having conveyed our direction on this particular issue to the Department of Education and Skills, it has informed us that it has raised the matter with the Department of Social Protection and that they have jointly agreed to work towards introducing an amending statutory instrument as soon as possible. We will, of course, continue to monitor progress on this matter and we will take whatever actions we deem necessary if this matter is not progressed to finality within a reasonable timeframe.

Register of Users of PPSN

You also raised concerns that the Register of Users of PPSN numbers published on the website of the Department of Social Protection does not include the use of PPSN data for the purposes of POD. Corrective action has also been taken on that matter. The entry for the Department of Education and Skills on that Register now shows at No. 5 that the Department uses the PPSN number as a unique identifier for all pupils entered on the POD.
Conclusion

In conclusion, then, a number of deficiencies in the implementation of this project were identified. I am satisfied that on foot of directions from this Office, the Department of Education and Skills has taken or is in the process of taking corrective action in relation to these deficiencies.
Yours sincerely 

XXXX XXXX

Senior Investigations Officer
17/06/2015
[This email is not a legal notice or a decision of the Data Protection

Commissioner to which Section 26 of the Data Protection Acts, 1988 & 2003

applies].

ENCLOSURES:

————————————————————————————————————————————————————

An Coimisinéir Cosanta Sonraí

Teach na Canálach

Bóthar an Stáisiúin

Cúil an tSúdaire

Co. Laoise

Office of the Data Protection Commissioner

Dept of Education refuses FOI on POD as ‘not in the public interest’

Screw parents wishes we wanna

2nd March 2015 Mr Simon McGarr Re: FOI request 2015/45 I refer to the request which you made under the Freedom of Information Act 2014 for records held by this body: ‘I wish to make a request under the Freedom of Information Acts (as amended) for copies of any and all documents including but not limited to observations, letters, emails and/or submissions whether held in paper, electronic or ..

Read More »

Tell the Minister for Education: NO to POD

mcgarr-POD2

Please join [countentries formid=1] other parents and families in writing to the Minister for Education to protect every school-aged child's right to privacy and future identity security. Tell Minister O’Sullivan that the Department of Education's plans for the new Primary Online Database (POD) should be scrapped.

Read More »

Minister for Education: We will forget nothing, learn nothing

Department of Education logo

About two weeks ago, as letters started to arrive home in children's lunchboxes, parents started raising issues with the Department of Education's project to take children's data (racial, psychological assessment, special needs, religion, PPS number and so on) and store it until they were 30. Here's the post setting out the inital issues I had with the plan.

Read More »

1 2 3 72