 Okay, welcome to our next next talk for this afternoon today We have Jen person who is the director of defend digital me and she'll be talking about fundamental rights and framing of our future in a talk called come and play collect them all Thanks very much Jen. Thank you. Hello So today if you saw The film the other night right Aaron Spartz about Aaron Spartz the Internet's own boy you might have seen this trailer and if you haven't I hope you enjoy it, right? So I subtitled this talk Fiction or future who controls our present frames the future and What I want to talk to you mainly about is as a coordinator of defend digital me. We're a campaign group that is Looking at the protection of children's digital rights, especially around data privacy with regards to the national pupil database So children's data in schools and I looked at a scenario that was a fictional future 2022 children are restricted as to who to get into University The country of birth and ethnicity data stops some from going to school at all and Perspective employers screen applicants lifetime web browsing history. Do you think this is a present a future that we want to see factor fiction 20 years ago Larry Ellison Was asked this question about how he saw the digital future of a global database at Oracle He said he thought it would exist and that we're going to track everything Now our campaign group looks specifically at children's data And we have become concerned about some of the data that is collected on a national base basis in schools and the changes that are proposed today that will start in the 2016 17 census That's the school census So from next September country of birth for example will be collected from every child in England Currently some ethnicity some nationality data is already collected that is going to be expanded to the rising twos and everybody up to age 19 So when parents and children give their data into schools, what do they think happens to it? Well, some have told us in our research that they expect Some statistics are gathered and sent to the Department for Education When they read the privacy notices in schools It says we share some of this data for the purposes of education with third parties No pupil or parent or school has yet told us that they understand what that means and How many third parties our pupil data is currently shared with? So fact or fiction. This is framing our future Who gave a comment about some corn flakes getting to the top? You might remember this one Good guess Boris Johnson 2013 addressing the Center for Policy Studies in London He was talking about IQ and children in education and how he felt children would be restricted From what they were able to learn not what was possible same year There was a discussion at the select committee for education and a renowned professor of genetics and genomics Suggested that within five years that was in 2013. You can do the maths Everyone would have their personal DNA sequence that a chip and from that that data would be used specifically in schools His idea in 2013 So these are current concepts in how personal data is used in health and Education and some ideas that some policy makers and academics have for the future So how do we want that future to look? How will we will you as technologists as developers as policy makers as people in civil society in government? you as parents as pupils as People in society. What do you want the future to look because if we do not help frame it? We will not see the future that we want to achieve And I want to suggest three things to you today That we need to frame our language differently That we need to frame our legislation differently and that we need to frame our technology differently Because how we frame our conversation about data and how we frame our legal boundaries today Will change how that information is used about in our future and it will shape our future If you saw the fantastic talk yesterday By dr. Jess Barker she talked about cyber security myths and monsters And she talked about the three principles of cyber security people policy and technology that make data safe and Those can get carried across not only in around the concepts of cyber security, but thinking in general about data and data protection a Lot of what we hear about today's future and data is about smart Smart cities smart technologies all based on sensors on picking up more information about you and me you may have read in the papers very recently about how our Oyster cards data would be used picked up from travel in London and stored and researched on unused You may have Heard about how health data was planned to be used in 2013 in the care data discussion How everyone's GP records were to be extracted linked together with all the hospital records and a central database and Reused for a wide variety of secondary purposes beyond our care There is lots of ideas about how data should be used and could be used in the future But I want to ask not only do we need to think about smart future. We need to think about a wise future intelligence has to be being about clever not just about cyber security and Applications of sensor data, so we need to be intelligent in all senses about how we want to frame our future Surveillance is a broad concept We need to think about how our data is used on a day-to-day basis In order to make sure that the data that is collected about us is used wisely and how do you want that to be? We need to protect public interest data research Most people would agree and the Epsos Moray poll in 2013 showed and Engagement work with academic bodies has shown most people Support the use of data that's gathered about us by the government in our public services whether it's in health or education or Tax or benefits or any other area of public service If it's used securely if we know how it's being used and if it is not used on a commercial basis But in the public interest it is trusted and it's trusted that it'll be used well. I Want to show you a case study of a way? I believe and our campaign group believes it is not being used well today and that undermines the future of our future public interest data use Let's start with a language. You've probably seen or heard most of these terms used about personal data in the last few years We hear a lot about data sharing In actual fact most of the time when we talk about data sharing It means you have given your data to a public service to be used in a direct way with you perhaps in a transaction with your tax return or in a medical treatment Or as we'll come back to giving your pupils data into schools. I don't know about you But when I do that, I think my data is going to be used for the purposes I give it to the body for so that Organization needs to manage my child's data in school because they need to know who they are where they're going what they've done When I go to the doctors I expect them to use the data I give them in confidence and securely to treat me that same data is being Increasingly used with the concept of data sharing that we should be Expecting that our data that we've given for one purpose is used for another and secondary purposes by other government bodies and in public interest research as I said that gets widespread support But who else is it being shared with I think we need to reclaim some of the language around privacy and The nothing to fear nothing to hide motto around surveillance Constantly we are told the more data. We have the more secure you'll be all the evidence shows differently And if you will go down to a little bit later How followed at all the investigatory powers bill the current legislation that's going through Parliament about how? Data will be used from our internet use. You'll know that the way you use the internet today Will be very different if nothing changes in current legislation by the next emf So in two years time if you come to emf camp and nothing has changed in the proposals for the legislation for the investigatory powers bill You will not be using the internet in the same way You might not see any change But the change will have happened because legislation is going to require everybody's internet use to be monitored and stored by the ISP the providers for a year at least and made available to government bodies So how do we look after data today? Well, we have legislation the data protection act You'll be familiar with to protect the identity of people from exploitation effectively But I think we need to again to reframe the language around data protection It's not the data itself that we just need to protect. That's perhaps the concept of cyber security How do you make sure the data is maintained its integrity its quality and its security in one place? But a lot of the laws around data protection are actually to protect people. They're not about protecting the information They're protecting you and me from how it would be potentially misused potential harm So we need to always consider when we're talking about personal data and data protection Think of the people behind the data and I'd like to reframe that discussion when we always talk about data protection Remember, we're also talking about people So some of our current legislation is shifting We don't know what will happen now with EU data Changing laws that are coming in the general data protection regulation would have given some significant changes I believe they still will it comes into effect in 2018 or rather it's already been enacted But we need to see the changes actually made Effective in the UK. So who knows what will happen with some of those changes But we do know what has happened with some of the data uses that we have already Seen in the past in the recent studies and I'll show you a case study where the boundaries of what? legislation we had to protect our data to protect us and our identities has moved and This is the core of our campaign We're campaigning to protect 20 million children's identifiable data in the National People Database and when I say children if you're under 35 that means you This data has been collected since 2000 It's wide-ranging fully identifiable Everything on personal data that's given into schools the full attainment record everything that is generated in schools and that is transferred Through perhaps the local authority or directly from the school depending on whether you're in a local authority or academies or other school setup That's varied and broad We're asking the Department for Education to stop handing out individual children's Identifiable personal data to third parties because at the moment it goes outside of the database. It's copied given to third parties and So we have chunks of data of children's identify by a data sitting in various places Around the UK at the moment we want them to change that practice to bring the data into a secure setting So whoever uses that data cannot walk away with the information itself But uses it in a secure way for research for the purposes. It's been intended and then can walk away with their Their research results, but not the data itself. Why? Because there's been 650 releases of this data to third parties since 2012 You yourself can look up the releases on the website that the Department for Education does publish and in May They started to print to this website this web link on the new revised Privacy notice that they give to schools which is supposed to go to every child to tell us Or parents what's happened and who uses their data Our research so far with on a small basis, but with 75 schools is has come back with even results like We don't give any data to the information to the national people database. We've never heard of it No, we only we only pass information to the schools that we're connected to in our area so there is a complete breakdown between a privacy notice that's being Distributed at national level to what is being actually understood on the ground and used and implemented That is an example of legal boundaries changing because in 2012 the Education Act was changed to modify Who could use data and for what purposes? The prescribed persons Act 2009 was updated to say these groups of people may now receive individual pupils data from the national people database and The the Education Act changed what they could use it for the purposes They could be given data for for the purposes of education and the well-being of children Now you could drive a bus through those purposes because most people that could apply could in some way meet that concept Now the department does have a process of application you have to apply and fill in a form and State the purposes for which that data will be released We started to ask them in detail about it last summer in July 2015 and at that time of the then 462 releases they had been they had never done a single audit of any recipient So the data had been copied sent to the recipient and sat with them and At that time the Department of Education didn't know did they ever delete it they were meant to have it on license for a year or two Perhaps how long have they kept it for what have they done with it since is it still secure now? Those questions had been asked because it hadn't been audited So we started asking some of the recipients include Fleet Street Press the Telegraph for example received five years worth That's approximately 10 million children's data for the period of 12 months We obtained this document through freedom of information It's a publicly available and what do they know they gave the assurance in the replication letter Because at first they'd asked not for tier 2 data, which is identifying and sensitive data They'd asked for tier 1 data, which is identifying and highly sensitive All tiers there are for our identifiable data. There is not Unidentified so anonymous data doesn't doesn't come into this. We're talking only about identifiable children's data and They gave cast iron assurances that none would be identified through the use of it. Well none would be identified outside the Telegraph our contention with this is that The data controlling the responsibility with the Department of Education Sits at the point of release from the Department of Education We would argue that the Department of Education may have outsourced the responsibility for what it considers research into some of the children's attainment data and perhaps the Telegraph is using this for Comparison tables and they publish articles about it and so therefore they're considered researchers I think you and I might disagree that they weren't the same quality or bona fide people that we expect to be Academic bona fide researchers in the public interest from say universities This data was handed out to the Telegraph and when we questioned it in 20 July 2015 It was confirmed they had never deleted it They had not yet the department had not yet received confirmation that it had ever been deleted So it was intended to have been there with 12 months and at the time it was about two years out of overdue and nobody knew Effectively what had happened to it? Now the department to argue that is you know securely monitored that they they have a robust Approvals process we think it needs to be much tighter and they need to be auditing They need to be really questioning. Are these recipients who the public expect their children's data are given to? Something else to look for the future is the education technology market is expanding at a rapid rate of knots There's a huge amount of classroom data collected today in apps and websites and parents and children are Invariably signed up for them in schools without permission being asked at home and I can even say from my own experience I know children get set up with with email accounts get signed on to apps and We can start to question there who is or owning their personal data What consent are children giving really and they're not in a position to be able to give that and understand the implications for Companies such as this one that parents in America have had a discussion about and I quote from They're very concerned that the types of data that are being used is Gaming children effectively getting them to change their behavior in the classroom and that's the intention of the app That is quantifiable that they can report on it But that actually changing children's behavior is not What technology should be used for in the classroom? and this is a group of parents who have have serious concerns about the direction of education data in the US and I know from from what we we see in you will to probably better than I do If you're in the education field at all that more is on the way here So how can we reframe the future? Well, I think one of the things we can do is really to understand if you're a policymaker a developer Any or anyone who has an interest in technology and children's data? Look at its application really try and understand how is your own or your children's data being used and If you are in a position to do so ask policymakers. What are they doing? Looking at the future landscape of legislation particularly around the EU We also need to consider the bigger picture of legislative changes in the UK that are potentially on the horizon The importance of the Human Rights Act is continually undermined I personally believe in the media and we have heard repeatedly that there is a proposal to replace the Human Rights Act with a bill of rights The Human Rights Act offers as protections in privacy along with all the other principles the fundamental rights that apply to everyone equally and We believe they should be protected We need to look also at what's called the digital economy bill if you're interested in policy I would recommend you look it up if you haven't already been familiar with it The wording around data sharing and data linkage and de-identified data and anonymous data is all used rather interchangeably public interest research and Statistics and improving how our national statistics are used has been conflated into this bill There are very separate distinct sections of this Legislation one big chunk of it is around using public services data in a very different way from today and releasing Everybody's administrative data data that you give in for uses by by services for your direct care by a wide range of public bodies if that concerns you look it up the digital economy bill coming in Will start to be debated in the autumn We need to protect Public interest research and the trust that the public has in good quality public interest research To allow it to be undermined by misuse or seemingly too broad use by others is a risk I don't think that there hasn't been properly adequately considered and we should be speaking up about The investigative powers bill if you're ready aware of again as I said if we see no changes in this legislation proposed By the next emf camp this data communications data What's known as metadata would be recorded about every use of the internet that you and I and our children have in the UK All of these individual items the website's visited the billing data the location username and password I'll Leave you to look at some of those if you're more interested in this aspect of how data is used in surveillance I recommend you look at liberty privacy international Org and if you're very short of time but interested a bit big brother watch has done a one-page effect sheet on the Investigative powers bill and I'd urge you to write to your MP ask them a question And if you're interested in doing that get involved I've left at each door There are postcards with some recommendations and information from ours on how you might do that and also on our website We have a guide if you've never written to your MP if you think it makes no difference I urge you to change your mind and do it take action because it does ask them a question They do need to come back to you with an answer Another change coming up 5th of September statutory safeguarding in schools requires web monitoring which involves key logging That means every child's internet use will be monitored in schools from September the 5th Something you're not aware of please look at our website for more information and again If that's something that concerns you ask your MP. Are you aware of this? It's not been debated in Parliament It's going through only under statutory guidance, which means schools are required to follow it unless they have a very good reason why not So are the boundaries in Technology I don't think so the fabulous weekend we've had here shows you the possibilities There is so much potential and possibility for technology to use data Well to use data in the right interests and for all of our benefit We want to see the public interest research continued and make the future better But when we do it we can reframe that you and I and our involvement with it can design the future differently If you're involved in app development think about privacy and a really clear Understandable accessible privacy policy that doesn't just look about protecting you and what happens if you use people's data But explains to them clearly how their data will be used and not on 15 pages of small print Think about your language come back to those words and think what do these data concepts really mean and think about what you'll do And that's what I'd like you to take away this campaign is our key campaign today About the National People Database we're concerned about his use we'd ask you to consider getting involved think About this country of birth collections coming up ask your schools if you haven't already heard about it Send us your privacy policies or the the collection letters that have been sent out to you send us examples Spread the word and your friends and family if you're on social media ask about it get the discussion going If it's web monitoring again, look on our website for more information, please consider getting involved Thank you Thank you very much. I think we've got time for a couple of questions if we got okay two questions first of all have you done any requests on subject access requests for any of the data see what kind of data is held for different years and secondly, what kind of Do you know if they've had any refusals for data? How many people are getting applying compared to how many people are getting the data? Two great questions, which I'll answer separately. So I can answer for my own experience subject access request has been refused three times the Information Commissioner's office has upheld and yet Suggested that to the Department for Education It would be good practice if they were to release to parents who make their own subject access request That is you can ask the Department or any public body who holds information about you to release the information a copy of the information about yourself So we I did this for my own children and it's been refused on the basis that it's given an exemption under the research uses section 33 if that is detailed for you, but We're we're discussing that with the moment at the moment with them and the second question is refusals one request that was refused was by from the Ministry of Defense where they put in request to target Certain levels of achieving children in certain schools to be able to target them for recruitment that was refused and Another that was refused was again targeting children for universities who wanted to go Effectively and market their universities to particular schools So it does look that there have been but in as of 2014 There had been nine refusals over the last two years. I had great talk. Thanks two brief questions firstly Whatever you think about DRM type technologies that there are technical means of restricting People's access to data once you release it to them So I'm wondering what your opinion is on whether any technical measures are in place to restrict people's usage of release data And if not why not and second question is more philosophical I Understand why you campaign on this thing. It's an important issue But do you feel in general that government surveillance or corporate surveillance is a bigger problem? Two good questions. I think I'll start with the last second first I think we have various issues in commercial use of data and Public data use which are different but are linked. We often see Data that is public data being piggybacked effectively by commercial companies getting access to it But we also We also see a lot of commercial companies who collect an awful lot of information about us that we don't see how it is used behind the scenes and To come I guess to a core issue that is joins them both is What do people understand what happens to the data once they give it to anybody? Is it commercial company? is a public organization and We are I think badly let down privacy policies that seemingly give consent But in fact don't show us how Third parties get data and then pass it on to others reuse it connect it with other privacy policies that become unintelligible I think there is a big scope for improving especially for children how privacy policies are communicated and I think it should be a really significant issue that should improve both commercial and Public data use and to come to the second Your understanding of DRM is I'm sure superior to mine the only technical Restrictions I know of I Haven't yet actually put in a freedom information request around the very specifics the license that Users have to sign and you saw an extract from and in the presentation will give them certain criteria that they need to follow once they receive the data and That includes how they can use it on their console or how they use it in there in their location a Big problem with that is is actually trusting that that is maintained And if you don't audit how do we know it's being with you know upheld so we can have all the Technological restrictions I guess in place that we want but as we've seen in some of the talks this week human error is generally the biggest problem we've got of data leakage and We can't always restrict that but it's something I we are working on with the Department of Education and hoping that they're going to change some of their technological Access using APIs and other things and how they can get into data and share it more safely and yet make it more secure Okay, well, thank you very much Jen and please join me in thanking her for a great talk