Moved by Baroness Garden of Frognal
67: After Clause 25, insert the following new Clause—“Code of practice by Information Commissioner’s Office on data sharing in relation to post-16 education(1) The Information Commissioner must prepare a code of practice for organisations which collect personal data for purposes connected to post-16 education, including the processing of applications for higher and further education courses.(2) The code must—(a) contain practical guidance in relation to the sharing of personal data in accordance with the requirements of data protection legislation;(b) contain such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data of students and potential students; and(c) have regard to children’s rights in the digital environment as set out in the United Nations Convention on the Rights of the Child General Comment No. 25.(3) Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code to reflect emerging technologies and changing needs of pupils, students and potential students.(4) In this section—“good practice in the sharing of personal data” means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation; and“the sharing of personal data” means the disclosure of personal data by transmission, dissemination or otherwise making it available.”Member’s explanatory statementThis amendment places a duty on the Information Commissioner to prepare a code of practice in relation to the sharing of personal data between students and others.
My Lords, my noble friend Lord Storey has dashed off for his train and handed me a sheaf of papers on his amendment on data protection. I am quite good at speed reading but I do not think I am quite as good as all that, given all this material. However, this is an important amendment because data protection is important for students and pupils. It should be protected but the DfE does not have a good record. There is an ICO inspection report from February 2020 that comes out with such things as:
“There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management” and so on. The report says:
“The organisational structure of the DfE means the role of the Data Protection Officer (DPO) is not meeting all the requirements … There is no clear picture of what data is held by the DfE … The DfE are not providing sufficient privacy information” and so it goes on. It is a very damning report.
The good news is that the Minister wrote a letter to my noble friend and the noble Baroness, Lady Kidron, setting out all the steps that the Government intend to take, and my noble friend is very satisfied with their approach on this. Despite this very damning report about data protection at the DfE, which seems to be absolutely non-existent, there is some hope here. Whether the Minister will accept the amendment I do not know, but I beg to move.
My Lords, I thank the noble Baroness, Lady Garden, for stepping in marvellously and introducing the amendment so confidently. It certainly seems, especially given the situation with the investigation that she describes, a pretty straightforward and simple way to address the issue, placing a duty on the Information Commissioner to prepare a code of practice in relation to the sharing of personal data. If the Minister is not going to accept this, perhaps she could tell us how instead the department intends to address these problems.
I would like to ask a little question. There have been concerns for some time that both practice and indeed legislation in education are loose in relation to data. Clause 11 makes provision to allow data sharing by and with Ofqual, the OfS and Ofsted as well as prescribed persons, and the provisions relate to technical education functions. Could that include students’ personal data? If so, for what purposes? How widely could “prescribed persons” be interpreted?
Can the Minister clarify whether the scope of Clause 11 extends beyond England? Although the institutions to which the new powers apply are all currently based in England, the people and institutions from which they will obtain personal data under those powers could presumably be at any educational setting across the UK within the scope of the Bill. What consideration has been given to the prescribed persons to whom the institution may pass on the data being based outside England in accordance with their own data-sharing powers?
These days students need and expect consistent controls across their data for collection, for use, for distribution and for destruction when it is no longer required for the lawful purposes for which it was collected. I am aware that institutions have also called for better guidance. Concerns have also been raised that the Bill does not preclude commercial use. Could the Minister comment on that?
Data is a valuable asset and it needs appropriate safeguards and a public interest test, so I look forward to the Minister’s reply.
My Lords, Amendment 67 tabled by the noble Lord, Lord Storey, but skilfully presented by the noble Baroness, Lady Garden, seeks to place a duty on the Information Commissioner to prepare a code of practice in relation to the sharing of personal data by organisations that collect such data for post-16 educational purposes.
I thank both the noble Lord, Lord Storey, and the noble Baroness, Lady Kidron, for bringing this issue to my attention. The Government agree that this is an issue that needs addressing, and we share both noble Lords’ aims for increasing assurances around the processing and sharing of personal data for learners and students in post-16 settings.
The department’s response to this issue is to set up an education sector certification scheme, with the support of the ICO, that would allow the department to set standards in a wide range of areas. This would cover the data protection needs of the whole education sector, not just the 16 to 19 age group covered by the Bill. We feel that a certification scheme, rather than a code, gives us flexibility to deliver elements when they are ready. We will not have to wait until all elements are complete, which allows us to be flexible when responding to priority needs. In addition, as technology and the law change, we are able to update specific standards without having to update a full code, allowing us to remain flexible to future changes.
As the noble Baroness, Lady Garden, mentioned, I have written to both the noble Lord, Lord Storey, and the noble Baroness, Lady Kidron, detailing the department’s ambition and next steps in tackling this issue, which will include writing both to the ICO and to the ed-tech companies by the end of the year.
I am amused at the definition of “a little question” from the noble Baroness, Lady Sherlock; it was at least three little questions. If I may, I will write to her on the detailed points. Broadly, the thrust of her questions is that student data should be protected. The department continually keeps its processes and practices under review to ensure that we are taking all necessary steps to protect data, including updates to access controls, audit trails of data usage and reviewing risk as part of our data protection impact assessment. In relation specifically to this amendment, the proposed data certification scheme would formalise these controls across the sector. If I may, I will respond in writing to her other points.
I therefore hope that the noble Baroness, Lady Garden, on behalf of the noble Lord, Lord Storey, will consider withdrawing his amendment. I again place on record my thanks to him and the noble Baroness, Lady Kidron, for bringing this to my attention.