From Privacy International:
This weekend, the Department for Education sponsored an “appathon”, allowing attendees access to the National Pupil Database (which holds information like exam results, special education needs, truancy records and eligibility for free school meals on every child at every state school in the country) and inviting people to build “apps”.
The database contains over 400 variables and the records of around 600,000 children. With so many variables, it is a relatively simple task to identify individual children who in any way stand out from the crowd, e.g. those who’ve performed unusually well in rare subjects. The kind of information the database holds is extremely sensitive and children may have gone out of their way to conceal it from their classmates. Make no mistake – this is intensely personal stuff, not “open data”, and any suggestion otherwise betrays a fundamental misunderstanding of both categories. Accordingly, additional safeguards of process and content must be applied.
Read more on Privacy International.
A write-up of the event by Emma Mulqueeny suggests that there had been some level of anonymization of data (ah, but was it sufficient?):
This weekend’s hack was on the National Pupil Database, a dataset that does divide opinion but is important whichever side of the fence you choose to set your hat. It is important to every child, parent, teacher and futurologist. So we tried to bring a good representation of those groups to the room but by far the group most represented were the under 18s, the very pupils whose data this was. Agreed this is probably skewed by the fact that I asked YRSers to come along, but welcome to the future, in my opinion people expect to be able to access their data and to do what they want with it – no matter their capabilities.
It is sensitive, but we only worked on anonymised data – and the restrictions on its use were such that the trusted people in the room working on it were also there as protectors of the data. No one, believe me, no one wanted to be able to identify students through the data. And they tried, they tried just to see if they could – I can understand that.
Most notably the under 18s went straight for the: “Can I find me” hacks.
Privacy International was not able to get answers to their pre-event questions about security and privacy. Hopefully they’ll obtain answers under FOI.