Data protection: how we share pupil and workforce data

How and when we share the pupil, child and workforce data we collect.

Data we collect

The Department for Education has legal powers to collect the pupil, child and workforce data that schools, local authorities and awarding bodies hold.

For more information on the legislation which allows this, see:

This data forms a significant part of our evidence base. We use it:

We hold pupil-level data in the National Pupil Database (NPD).

Schools and local authorities must provide privacy notices to staff, parents and pupils to explain how their personal data will be collected and used.

How we share data

The law allows us to share pupils’ personal data with certain third parties, including:

  • schools
  • local authorities
  • researchers
  • organisations who make products connected with promoting the education or wellbeing of children in England
  • other government departments and agencies

Other regulations allow us to share workforce data with a number of third parties.

Anyone who wants to use Department for Education data must comply with:

How we meet privacy and data protection standards in data sharing

We use the Office for National Statistics (ONS) “Five Safes” data protection framework to make sure that the data, people, projects, settings and outputs are safe.

Safe people

We only share our data with people we trust to use it safely and responsibly.

To receive data directly from DfE, you have to:

  • provide a copy of a ‘basic disclosure’ certificate that is no more than 2 years old
  • sign an individual declaration form to confirm that you abide by DfE data sharing agreements
  • complete recognised data protection and information security training

We are working with the ONS to provide access to DfE data using ONS physical and virtual datalabs, known as the Secure Research Service (SRS). To access DfE data through these datalabs, you have to:

Safe projects

DfE has a senior board, the Data Sharing Approval Panel (DSAP), which makes sure all external requests for personal data are:

  • legal
  • ethical
  • proportionate
  • secure

The board includes senior internal and external data and legal experts who meet regularly to consider cases and approve or reject requests for DfE.

Formerly the Data Management Advisory Panel (DMAP), DSAP covers requests for all DfE’s data, rather than just national pupil database data. The board will also make sure they are consistent with ONS Secure Research Service standards.

Contact for the panel’s terms of reference.

Safe settings

From September 2018 we will provide access to DfE data for research purposes through the ONS Secure Research Service physical and virtual datalabs. This is a safer way to access data compared with the transfer of data files to individual organisations.

It’s not always suitable to get data through the Secure Research Service. If you’re receiving data directly from DfE, we make sure that data is only provided to your organisation and held in a safe settings by checking:

  • your organisation’s IT and building security
  • you don’t keep the data for longer than allowed

Safe outputs

When applying to receive our data, you have to make it clear how you intend to use the data and follow the relevant agreement and schedule for the data share.

When working through the SRS, if you want to use the results from your analysis outside of service these will be checked by ONS. They will make sure the outputs protect data confidentiality and can’t be used to identify any specific individuals or organisations.

Safe data

We now classify all of data leaving DfE against 2 scales, rather than using ‘tiers’:

  • how sensitive the data item is
  • the level of risk that an individual could be identified

This makes it easier for us to be transparent about what kind of data we share with third parties, and our decision making. These new classifications will describe the data in DfE external data shares from November 2018.

Who has requested data from us

You can view:

  • data sharing requests approved through the former DMAP, covering pupil level data (data sharing requests approved by the DSAP will be published from November 2018)
  • national pupil database (NPD) third-party requests - these are NPD data shares which are either approved or pending a decision (this gives a wider view of all requests received into the NPD request process)
  • external organisation data shares - our overview of ongoing personal level data sharing delivered via memorandums of understanding, data sharing agreements and service level agreements, including an update on police, Home Office and Family Court Order use of limited parts of our data when they have clear evidence of a criminal activity
Published 26 March 2014
Last updated 25 September 2018 + show all updates
  1. Added a link to 'How to access Department for Education (DfE) data extracts' and a note advising to contact for copies of DSAP's terms of reference.
  2. Updated references to the new Data Protection Act and how we are complying with the 'Five Safes' of data protection.
  3. Added links to national pupil database third-party requests and external organisation data shares documents.
  4. Added a link to the privacy notice explaining how we share and handle NPD data that we use for the 'Longitudinal education outcomes study'.
  5. First published.