The Department for Education is holding named records detailing the sexual orientations and religious beliefs of more than 3 million students and graduates, thousands of whom were not told that their sensitive data had been shared.
Data obtained through a freedom of information request by BuzzFeed News reveals that the DfE holds sexual orientation data on almost 3.2 million people, and religious belief data on 3.7 million people. The records go back to 2012/13 and include both current students and those who have finished university.
Seven universities have elected to change their policies after our reporting exposed how they were failing to make clear to students that this information, along with other personal data, would be passed on to other public authorities. An eighth, the University of Wales Trinity Saint David, had not responded at the time of publication.
Online privacy campaigners have described the retention and sharing of such personal data as "the stuff of nightmares" and have expressed their disappointment that the Information Commissioner's Office — the independent regulator set up to uphold information rights — will not investigate.
The information sits within the National Pupil Database, which — with data sets on 21 million individuals — is one of the richest data resources about education in the world.
It lists the personal characteristics of every state-educated child in England since 2002, including one's name, date of birth, ethnicity, home address, attainment from nursery to higher education (ages 2–19), special educational needs, and interactions with the state such as indicators for free school meals, families in the forces, and children in care.
The data were submitted by students to their universities on a voluntary basis on enrollment and passed on by their institution to the Higher Education Statistics Agency.
In a separate freedom of information response to privacy campaign group defenddigitalme, the HESA confirmed it collects named data on sexual orientation and religion or belief from students in England, Scotland, Wales, and Northern Ireland. The group said the collection of Northern Ireland students' religions and sexual orientations was particularly contentious.
HESA passes on the data to public bodies including the DfE, the Office for Students, and the funding bodies in Scotland and Wales. While the DfE does not share the sensitive named data onwards, other bodies have their own lists of third parties with which they can share the data.
The OfS, for example, can share the data with HMRC, the Student Loans Company, and Pearson Education — a private company.
It is understood that while the law would allow it to do so, it has not yet shared any students' named religious belief or sexual orientation data with these organisations. A source close to the OfS said it would only do so when there was a clear student interest and after it had conducted a privacy impact assessment.
The government claims the information is held to "better target (and evaluate) policy interventions to help meet the Department [for Education]’s strategic objectives and ensure all children are kept safe from harm and receive the best possible education".
“We take data protection extremely seriously and we keep all personal information safe — in line with legal requirements," a DfE spokesperson told BuzzFeed News.
“The information collected by HESA and shared with the department is done so we can meet our public sector obligations to carry out equalities impact assessment. These particular data items, which students don’t have to provide, are not shared by us outside of the department.”
The HESA makes clear that it collects "special categories of data" (such as sexual orientation) on a named basis from universities. But the fact that the data is included in the National Pupil Database was only made public in May, when a government risk assessment was released.
The new freedom of information data reveals for the first time the massive amount of highly sensitive personal information that these government bodies hold.
The HESA requires universities to inform students that their personal data will be submitted and recommends that they include a link in their privacy notices to the HESA Student Collection Notices, which explain which organisations receive data, at what level of detail, what they use it for, and the legal basis for processing it.
BuzzFeed News contacted eight universities that failed to adhere to these requirements and guidelines.
The Essex, Northampton, and Wolverhampton universities, for example, told students in their privacy notices that they share "anonymised data" with the HESA.
A spokesperson for the University of Northampton said that the information was available elsewhere on its website, and that students were directed to it, but the university nonetheless corrected its privacy notice.
The University of Wolverhampton updated its privacy notices on the same day that it was contacted by BuzzFeed News. However, the HESA's requirements for universities to inform students about data sharing have been in place since 1998, rendering the notice available to students before the update incorrect.
Similarly, the University of Leeds' and the University of Worcester's privacy notices said that "some information, usually in a pseudonymised form" is passed to HESA.
The University of Leeds updated its privacy notice after it was contacted by BuzzFeed News, removing the phrase and clarifying that personal data is submitted to HESA, while a spokesperson for the University of Worcester said that it will update its notice before the start of the new academic year.
The Royal Northern College of Music failed to mention that students' named data was shared with the HESA, while the University of Law and the University of Wales Trinity Saint David did not include a link to the HESA's collection notices, despite the HESA's guidance.
RNCM also updated its policy after being contacted by BuzzFeed News, while the University of Law said that the link had been removed in error, and reinstated it after we approached it for a response. The University of Wales Trinity Saint David had not responded at the time of publication.
“These universities must now investigate how this happened, inform all those affected, and take immediate remedial steps.”
The Information Commissioner's Office told BuzzFeed News it would not carry out an investigation in response to calls to do so from privacy campaigners, but said that any organisations processing personal data must be transparent with people about how it will be used.
“This can involve setting out clearly and openly what you plan to do with their personal details, for example in a privacy notice," a spokesperson said.
“In certain circumstances, such as if you are processing sensitive personal data about religious beliefs or sexual orientation, a data protection impact assessment should be carried out to demonstrate that the processing complies with the law."
Privacy campaigners expressed their disappointment with their decision.
"We understand the ICO is already quite stretched with investigations of data practices by commercial organisations, but we remain concerned about the potential abuse of personal data within government," Javier Ruiz Diaz, policy director at the Open Rights Group, told BuzzFeed News.
The group's executive director, Jim Killock, said it is "simply unclear and unfair to be collecting and sharing information like this".
“People should opt in when data is shared. It shouldn’t be passed from one organisation to another in this way, unless that is made clear and agreed upfront," he said.
The government's stance is that the data sharing is not problematic so long as each organisation that holds the data states which third-party bodies it is shared with, and why. That is why universities are advised to state that data will be shared with the HESA in their student privacy notices (which the majority do), and why the HESA lists in its Student Collection Notices the bodies with which it, in turn, can share the data, such as the DfE.
However, a student who opts to share their sexual orientation or religion with their university has to click through several links from their university's privacy notice (assuming that they read it) to establish that it is ultimately shared on a named basis with the DfE.
Defenddigitalme said that many students are unlikely to realise how their data is shared, and that sensitive records of sexual orientation and religious belief should be kept only as statistics, not in named lists. They are calling for an end to the distribution of identifying data, and for independent oversight of education data management.
Jen Persson, the group's director, described revelations the government holds named records of sexual orientation and religion as "the stuff of nightmares", claiming that the UK had become "a Database State with risks to human rights through misuse of our personal data, as great as any in the world, or at any time in history".
"Students should ask these data be removed at national level, and be collected only as statistics at their Universities. Sharing data about named individuals shouldn’t be happening at all," she continued.
Commenting on universities' privacy policies, she said that students were being "misled".
British civil liberties and privacy campaign group Big Brother Watch called it an "absolutely shocking violation of students' privacy".
"Thousands of students have given this data in good faith, thinking it will be used anonymously for equality monitoring, not shipped off to the state," a spokesperson said.
"The question is, why does the state want such sensitive, identifiable records of students' sexual orientation and religion? This smacks of a Big Brother database state."
Edin Omanovic of Privacy International, a London-based charity that works on technology and rights, said that universities failing to tell students about the sharing of their personal data is "highly concerning".
"These universities must now investigate how this happened, inform all those affected, and take immediate remedial steps," he said.
“Sharing data about named individuals shouldn’t be happening at all.”
A 2015 survey from the Universities and Colleges Admissions Service found that 90% of students want to be asked for their consent before their personal data is provided outside of the university's admissions service.
The government's own risk assessment of the National Pupil Database, released in May, found that there was a risk that "the scope of use of personal information is not restricted due to insufficient governance controls".
"Personal information may be used for a purpose the individual is unaware of," it read. "Local authorities, schools and others are unaware of this additional use and are vulnerable as a result."
The assessment also identified a risk that personal information could be held for longer than is necessary.
"Personal information will not be deleted in line with retention schedules and policies, in potential breach of data protection legislation," it read. "The data subject will be unaware that we are still processing their personal information."
“This is an absolutely shocking violation of students’ privacy.”
The potential problems of the state holding named sensitive data was raised by Baroness Garden of Frognal in the House of Lords last month, during a session on changes to the draft Higher Education and Research Act.
"This information has been provided by students as part of equality monitoring, but surely such a named database of religion or sexual orientation should not sit anywhere at state level?" she asked
In response, the government said that the information on students' sexual orientation and religion is "required so that the [Department for Education] and its ministers can meet public sector equality obligations when exercising their functions, including when introducing new policies".
The HESA confirmed to BuzzFeed News that universities are obliged to share the HESA collection notices with their students.
"The information we collect includes equality and diversity information about students so that the funding and regulatory bodies, and HE providers themselves, can meet their public sector duty to ensure equality of opportunity and prevent discrimination," a spokesperson said.
"This equality data is collected at the level of individual students so that researchers can produce statistics on diversity within different subjects, courses, and levels of achievement, and ensure that those statistics are meaningful in the context of students’ other characteristics."