PogoWasRight.org


UK: The National Pupil Database is not open data

Posted on July 12, 2012 / July 2, 2025 by Dissent

From Privacy International:

This weekend, the Department for Education sponsored an “appathon”, allowing attendees access to the National Pupil Database (which holds information like exam results, special education needs, truancy records and eligibility for free school meals on every child at every state school in the country) and inviting people to build “apps”.

The database contains over 400 variables and the records of around 600,000 children. With so many variables, it is a relatively simple task to identify individual children who in any way stand out from the crowd, e.g. those who’ve performed unusually well in rare subjects. The kind of information the database holds is extremely sensitive and children may have gone out of their way to conceal it from their classmates. Make no mistake – this is intensely personal stuff, not “open data”, and any suggestion otherwise betrays a fundamental misunderstanding of both categories. Accordingly, additional safeguards of process and content must be applied.

Read more on Privacy International.

A write-up of the event by Emma Mulqueeny suggests that there had been some level of anonymization of data (ah, but was it sufficient?):

This weekend’s hack was on the National Pupil Database, a dataset that does divide opinion but is important whichever side of the fence you choose to set your hat. It is important to every child, parent, teacher and futurologist. So we tried to bring a good representation of those groups to the room but by far the group most represented were the under 18s, the very pupils whose data this was. Agreed this is probably skewed by the fact that I asked YRSers to come along, but welcome to the future, in my opinion people expect to be able to access their data and to do what they want with it – no matter their capabilities.

It is sensitive, but we only worked on anonymised data – and the restrictions on its use were such that the trusted people in the room working on it were also there as protectors of the data. No one, believe me, no one wanted to be able to identify students through the data. And they tried, they tried just to see if they could – I can understand that.

Most notably the under 18s went straight for the: “Can I find me” hacks.

Privacy International was not able to get answers to their pre-event questions about security and privacy. Hopefully they’ll obtain answers under FOI.


Category: Non-U.S., Youth & Schools
