2f5de000
Jan 2, 2026

The National Pupil Database

Part 3 - English Schools Have Become Surveillance Institutions

Three times per year, in January, May and October, every school in England must submit detailed data on every pupil to the Department for Education through the School Census. This data feeds into the National Pupil Database (NPD), creating what the DfE itself describes as "one of the richest education datasets in the world".

The scope of data collection is extraordinary. For each child, schools provide:

  • Full name, date of birth, gender
  • Unique Pupil Number (UPN) - a permanent identifier that follows them through their entire educational career
  • Home address and post code
  • Ethnicity
  • First language
  • Country of birth (collected from 2016 - 2018, then discontinued following controversy)
  • Nationality (collected from 2016 - 2018, then discontinued)
  • Attendance records
  • Exclusion and behavioural incidents
  • Special Educational Needs (SEN) status and type of needs
  • Test scores at all Key Stages (SATs, GCSE, A-Level)
  • Subjects studied
  • Teacher assessments
  • Alternative provision attendance
  • Free School Meals (FSM) eligibility - a proxy for poverty
  • Pupil Premium eligibility
  • Service children indicator
  • Looked After Children status

This creates a cradle-to-career dossier on every child in state education in England. The data is collected from age 2 (Early years settings) through to age 18 and beyond, as the NPD is now linked to Higher Education Statistics Agency data covering university attendance.

Scale and Permanence

As of 2018, the NPD contained over 21 million individual named pupil records. The database holds historical data going back to 2002 for the school census, with some key stage test results available from 1995/96.

It is permanent. Once stored, the data in the National Pupil Database are never deleted. Everyone who has been in state education since 2002 (anyone aged 42 or under today), has a permanent NPD record.

It is Identifying. Despite DfE claims of "anonymisation," the data shared from the NPD includes, names, dates of birth, postcodes, and other identifying information. The department classifies its data releases as "Tier 1"(most sensitive and identifying) or "Tier 2" (identifying but less sensitive)

Parents cannot opt out. Unlike marketing consent, NPD data collection is mandatory under the Education Act. Refusing to provide data means your child cannot attend state school. The DfE uses GDPR's "substantial public interest" legal basis to justify collection without consent.

The Data Sharing Scandal

In November 2012, then-Education Secretary Micheal Gove announced plans to open up the National Pupil Database for commercial reuse. He changed the law through the Education (Individual Pupil Information) (Prescribed Persons) Regulations to allow the DfE to distribute identifying-pupil level extracts "for a wider range of purposes than currently possible" to "maximise the value of this rich data set."

Critically,, this change applied not only to future pupils but retrospectively to everyone already in the database, millions of children and young people whose data had been collected under different assumptions about how it would be used.

Between March 2012 and June 2020, over 1,000 data sharing requests were approved, distributing identifying and sensitive pupil-level data to:

  • Commercial companies (over one-third of approved requests for identifying data)
  • Think tanks and charities
  • Journalists and media organisations
  • Academic researchers
  • "One-man shows" and individuals

The Telegraph newspaper was granted identifying and sensitive data in 2013 for all pupils in KS2, KS3, and KS5 cohorts for the years 2008-2012, millions of children's records given to Fleet Street "to pick interesting cases/groups of students."

The data released was not anonymous or aggregated, It included:

  • Names, dates of Births, and post codes. Sufficient to identify specific children, particularly in small schools or rural areas.
  • Special Educational Needs data. Detailing disabilities, learning difficulties, autism, and sensitive conditions
  • Free School Meal Indicators.
  • Behavioural and exclusion data. permanent records of disciplinary issues.
  • Social care involvement. indicating children at risk, in care, or subject to child protection plans.

In one documented case, the Prince's Trust was provided with names, dates of birth, and postcodes of young people, along with FSM status, SEN details, absences, exclusions, behaviours, and attainment data, matched with a "control group" of similar individuals.

The Home Office Scandal (2015-2018)

Perhaps the most alarming data sharing involved immigration enforcement. In July 2015, the DfE and Home Office Border Removals Team signed a Memorandum of Understanding to share pupil data, including names, dates of birth, home addresses, and school addresses - for up to 1,500 children per month from the last five-years of records.

This data sharing began in secret. When the DfE introduced legislation in September 2016 requiring schools to collect nationality and country of birth, Ministers denied it would be shared with the Home Office for immigration purposes. School Minister Nick Gibb MP explicitly stated in a Parliamentary answer that the data would not be shared with other government departments.

This was false. In December 2016, after a Freedom of Information battle by campaign groups, the DfE was forced to admit to Schools Week that it had been sharing data with the Home Office since July 2015 and had always intended to share the new nationality data.

Between July 2015 and September 2016, the Home Office made requests relating to 2,462 individuals, and the DfE returned 520 records. Parents were not informed. Schools were not told their pupil data was being used for immigration enforcement. Children from migrant families feared going to school.

The Against Borders for Children coalition launched a successful boycott campaign. Thousands of parents refused to provide nationality and country of birth data. In June 2018, the collection was finally stopped. In September 2020, the DfE deleted the nationality and country of birth data it had collected - but only after years of campaigning and legal pressure.

The Gambling Companies Breach (2018 - 2020)

In another serious failure, the DfE enabled gambling companies to access learner records through the Learner Records Service (LRS). The Department had outsourced management of the LRS to a company called Trustopia, which failed to conduct proper due diligence on who was accessing the database.

When the breach was exposed by national newspapers in 2020, the ICO launched a formal investigation that escalated into a compulsory audit. In November 2022, the ICO issued a reprimand to the DfE for "the prolonged misuse of personal information of up to 28 million children"

UK information Commissioner John Edwards stated:

"No-one needs persuading that a database of pupils' learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them."

The ICO noted this breach would have warranted a £10 million fine in this specific case under normal circumstances.

In October 2020, the ICO published findings from its compulsory audit of the DfE. The audit identified 139 recommendations for improvement, with over 60% classified as urgent or high priority.

The ICO found:
The DfE was failing to comply with GDPR because many parents and pupils were "either entirely unaware of the school census and the inclusion of that information in NPD, or are not aware of the nuances within the data collection, such as which data is compulsory and which is optional."

There was a "lack of transparency by the DfE" - parents and children were not informed their data could be shared with the Home Office, police, or hundreds of third-party organisations.

Data protection was not being prioritised, severely impacting the Department's ability to comply with UK data protection laws.

The DfE could not provide transparency about the volume of data shared because "the Department does not maintain records of the number of children included in historic data extracts."

In response to the audit findings and ongoing legal pressure from Digital Defend Me and other advocacy groups, the DfE temporarily halted data sharing in May 2018 and implemented a new "Five Safes" approval framework. However, data sharing resumed in 2019, and the fundamental structure remains unchanged.

Current Concerns

Data is still shared with "approved researchers" (the definition of "research" remains broad.) Between March 2012 and June 2020, approximately 40% of identifying data requests came from academic researchers, but 60% came from commercial companies, think tanks, and charities. About 35% of all approved requests for identifying data were from commercial entities.

Third parties may not have adequate security. Once data leaves the DfE, the Department has limited control over how recipients store, use, or secure it. The Trustophia and gambling companies breach demonstrated this clearly.

As data science improves, supposedly "anonymous" or "pseudonymous" data becomes easier to re-identify by matching with other datasets. Postcode-level data combined with demographic information can identify individuals, particularly in small schools or rural areas.

Only 21 data sharing requests were rejected between March 2012 and June 2020 out of over 1,000 applications. One rejection was the Ministry of Defence's request "by mistake" to use pupil data for recruitment marketing. The threshold for approval appears remarkably low.

Despite ICO findings, the transparency is woefully inadequate, most parents remain unaware their children have permanent NPD records or that this data has been shared hundreds of times with external organisations.

Over 15 million people whose data was collected before the 2012 law change (when the database was used only for statistical purposes) have had their records distributed to commercial companies and other third parties under the new regime. They were never asked for consent or even informed this would happen.

The Nation Pupil Database exemplifies surveillance creep: a system created for legitimate administrative purposes - funding allocation, performance monitoring, policy development - that expanded far beyond its original scope to become a commercial resource exploited by private companies, journalists seeking stories, and government agencies pursuing non-educational objectives.

Children have no say in the creation of their NPD records. Parents can not opt out. The data is permanent. And once it's shared with third parties, there's no way to un-share it.

Sources:

CybersecurityData breachUK schools