Let’s talk about POD.
If you haven’t heard about it, it is a compulsory database of the personal information of children, including PPS numbers, ethnicity, race and language skills, to be held for decades and shared across State agencies.
Most of which requires zero permission from parents, who are finding out about it this month as schools send letters home.
You can read the finer details in my news report from the start of the week.
Now, this is a big deal.
The Department is convinced they’re not doing anything wrong here, and the Data Protection Commissioner agrees. The two groups sat down last year and hammered things out.
What they decided was:
… information held on POD was deemed by the Data Protection Commissioner as non-sensitive personal data and therefore does not require written permission from parents for transfer of the information to the Department.
Now, that’s with the exception of religion and ethnicity, which the DPC decided was ‘sensitive’ and requires parents’ permission.
But look how easy it is to check up on the religious and cultural background of almost any family you know the name of, from the department’s own training material:
It’s web-based accessible anywhere. In the esinet system, the access for each individual user is set by the local administrator — someone in the school. Does someone with a login to esinet want to check the background to a niece’s new friend? No problem.
(By the way, the Department of Education is paying €1.50 per student for the input process — so will the task be assigned to a volunteer for an extra payment? The union says it’s not a teacher’s job.)
I contacted the Data Protection Commissioner to ask for a copy of their decision — but it doesn’t exist. There was no formal decision, in the sense of the Commissioner issuing a judgement on a complaint — merely a consultation. A spokesperson told me:
There is no formal decision of the Commissioner in relation to this matter…
I can advise that this Office was consulted by the Department of Education and Skills in December 2013 … as a result of that engagement we were satisfied that the Department presented a legitimate and proportionate purpose for requesting to be provided with the data it is seeking, (including the PPSN for which the Department is a prescribed body under Social Welfare legislation).
We are also aware that the Department consulted with other relevant bodies in the education sector in relation to the matter and that it is providing clear information to schools and for parents which is available on its website.
And that’s correct- article 262 of the Social Welfare Consolidation Act 2005 provides for PPS numbers to be accessible by “specified bodies” in schedule five. Schools are one of them.
A sample from the department’s FAQ on parent’s choices.
The department has legitimate reasons for wanting a centralised database — it will eliminate duplicates, make the allocation of grants easier, catch students that never make it to secondary, and generally offer great convenience.
But we’re talking about a lot more than a roll book here. The Department will effectively be creating a database of personal information on every citizen of the state from an extremely early age.
And that’s dangerous.
Solicitor Simon McGarr is a real people’s champion on digital rights, and covered this topic on a couple of radio stations, most recently on Northern Sound.
One of things to note about the database of children is that it isn’t a plan for the future. They’ve been building it since Sept 2014.
— Simon McGarr (@Tupp_Ed) January 10, 2015
He’s an expert, and outlines a scenario in which notes on students taken over the school careers — and even mental health assessment history — sits on a database for decades, until a future minister decides it could be useful elsewhere.
It will hold a full, personalised picture of the children in all the primary schools of Ireland, and it intends to hold that data until they’re 30.
Under the Data Protection Act … a party can hold data for no longer than is necessary. This data is being held until primary school students are 30 years old. I just don’t see how that can be anything except considered excessive.
McGarr also deals with the Minister’s recent announcement that she may reconsider the 30-year retention — saying that’s not the entire issue.
A database, once created — it takes almost a revolution in order to erase it. You saw what had to happen in order for Irish Water finally agree not to use PPS numbers it had created …
Institutions hate to let go of data that they’ve collected.
McGarr also points out that some of the information being collected on ethnicity, culture, and language skills don’t enjoy the same strict legal protections that surround similar data in the census (which previous governments obviously felt it was important to protect).
One of the pieces of data on children deemed ‘non-sensitive’ - Existence of psychological/medical assessment reports pic.twitter.com/yUMZ5LEylZ
— Simon McGarr (@Tupp_Ed) January 10, 2015
(The remainder of McGarr’s interview contains some interesting information about the pilot scheme, which was not completed in nearly half of schools, and concerns raised by teachers. Listen here).
The other danger is that the Department fully intends to share the data it’s collected with other agencies — and there’s little information about what will or could be done with it.
Ordinarily, your PPS number is assigned at birth, but it’s rarely used until it’s needed for employment, social welfare benefits or other largely grown-up activities. Under this new scheme, schools will collect a whole range of very personal information from children, who cannot give consent themselves (and whose parents are not given a choice to consent or not).
This database, of every citizen under 30, will be shared with other state bodies — including the Central Statistics Office, the National Council for Special Education, the Child and Family Agency, Department of Public Expenditure and Reform, and Department of Social Protection; and it could potentially include other schedule five bodies like Revenue, the Health Service Executive, local authorities, and many others (but is not currently planned to).
What happens to information shared with those bodies when today’s children turn 30?
We don’t know — or at least it’s not clear to me.
Minister Jan O’Sullivan, by William Murphy -CC / Wikimedia Commons.
This is essentially an issue of trust — not only in the ethics of those deciding what to do with this information, but in their ability to safeguard it. Consider that in 2012 there was a significant security breach that allowed regular internet users to access students’ personal records.
Most parents have found out about this in the last few weeks, as letters started arriving in the door. They’re being told there is no opt-out — and much of the data collection is already done, since existing data the schools have is included in this database — even though it was provided by parents for a totally different purpose.
This entire issue has had almost no debate or public consideration. The Department decided it was a good idea, checked if it was legally permissible, and ran with it.
But when we’re effectively talking about monitoring children who lack the capacity or legal grounding to object, we have a responsibility to be much more careful.
The creation of a database of every citizen, year by year, is a scary thing — particularly when it’s tacked on to an existing web-based, accessible-everywhere site.
For a country who was up in arms about PPS numbers used by Irish Water, there’s been virtually no debate about this.
Perhaps we should change that.
This article was cross-posted to Medium earlier today.