NPD and privacy

24 Nov 2014

Section 7 of the Data Protection Act 1998 outlines the rights of an individual in regard to access to his or her personal data held by organisations. Unfortunately, few people are aware of this aspect of law.

One can make a subject access request to an organisation for personal information that the organisation holds. Exemptions can be made in the interest of the prevention and detection of crime, the apprehension and prosecution of offenders, and of matters of national security.

The National Pupil Database is a government dataset that contains information on all pupils in maintained schools and some more limited data on pupils in non-maintained schools. The private sector can apply for extracts of this dataset and the government would like to expand both the collection of data for this dataset and the access to it by third-party organisations. If this does not strike you as worrying you should evaluate what privacy means to you.

Organisations receive this data unanonymised [article] and are required to anonymise it if they produce any public works from it. The storage of this data is subject to the DPA 1998 but one only needs to look at the numerous huge data breaches of various large companies to see that their personal information is not safe in the hands of others.

I made a subject access request to the branch of the government that handles the NPD and gave them the relevant information so that they could comply with the subject access request. Interestingly this was only the school that I attended and my home address. Both pieces of information that a great number of people could know.

The man handling my case advised that given my age the volume of the material that they would be posting to me could be quite substantial and asked if there was anything specifically that I wanted to know. I dread to think the amount of information that is held on kids now given that the collection of this information was only just beginning when I was in school.