John Hampden Grammar School: infringements of GDPR data processing principles

The request was refused by John Hampden Grammar School, High Wycombe.

Dear John Hampden Grammar School,

Since 2016 I have made repeated requests for factual information which fully meets the definition of “dataset” given in s.11(5) of the Freedom of Information Act:
In this Act “dataset” means information comprising a collection of information held in electronic form where all or most of the information in the collection—
(a)has been obtained or recorded for the purpose of providing a public authority with information in connection with the provision of a service by the authority or the carrying out of any other function of the authority,
(b)is factual information which—
(i)is not the product of analysis or interpretation other than calculation, and
(ii)is not an official statistic …

My purpose for requesting these datasets was aimed at understanding how personal data are collected and processed to produce the “standardised” scores used by John Hampden Grammar School to determine which children to admit. These requests were initially directed towards the test provider CEM. Since 2018 I have asked TBGS for this information. Both have refused. In recent court proceedings, counsel for TBGS clarified that TBGS is a private company set up to manage the secondary transfer test on behalf of John Hampden Grammar School and 12 other schools and questioned whether TBGS is subject to laws relating to transparency. John Hampden Grammar School is a state funded Academy school, responsible for determining its own admissions. Whilst CEM and TBGS may argue that they are not accountable John Hampden Grammar School is fully accountable to the public for actions they take on its behalf.

Article 4 of the General Data Protection Regulation (GDPR) contains the following definitions:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’) …
(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data …

John Hampden Grammar School are the data controller, responsible for determining how this personal data is profiled.

Article 5 of GDPR contains the following Principles:
(1)(a) Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
(2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

This process is not transparent. After four and a half years of being refused the datasets needed to understand the profiling carried out on behalf of John Hampden Grammar School, I would like to request the following information.

1. Details of where you publish your publication scheme, which it is the duty of every public authority to publish. If not obvious, the date this was last revised.

2. Details of all the personal data which passes between John Hampden Grammar School, TBGS, the council, GLA and any other party in connection with 11+ tests. This may include but not be limited to; name, unique pupil number, date of birth, school, answer sheet, raw scores, standardised scores and number of attempted questions etc. (This request is not for the data itself but details of what personal data is shared between each of the parties involved.)

3. Details of how these data are processed. This must explain exactly how an individual raw score in each of the tests is combined with the child’s age to produce a standardised score. If this information is based on the data itself, for example the mean and standard deviation values of the raw test marks for a given cohort, this explanation must include the calculated values over the last three years (tests taken in 2018, 2019, 2020). As the data controller John Hampden Grammar School should be fully familiar with exactly how this personal information is being processed without the need to consult with your data processor.

4. How the “qualifying score” of 121 is determined by your data processor? Is this an objective measure consistent with past years or is it set at a level designed to qualify a given number or proportion of those who sit the test. If it is set to select a quota, what criteria are used to determine the pass mark?

5. A copy of the minutes of the full meeting of TBGS directors held on 27 September 2019. If no minutes were taken at that meeting, please explain why John Hampden Grammar School allow important decisions to be taken on its behalf with no official record being taken.

The law is clear. Accountability for compliance with GDPR sits with John Hampden Grammar School. This accountability is not something which can be absolved by outsourcing the processing to a series of private companies. GDPR was implemented into UK domestic law via the 2018 Data Protection Act which received royal assent in May 2018. John Hampden Grammar School are long overdue in complying with this law.

Although I have chosen to contact John Hampden Grammar School via a website designed to handle Freedom of Information, my request for information relates to the systemic contraventions of basic data processing principles for which John Hampden Grammar School are responsible. As such, unless I receive substantive responses to the above requests by 5pm on Friday 9 April, I shall refer this matter to the Information Commissioner who has the power to impose fines of up to €20 million for infringements which go against the very principles of GDPR, specifically those included in Article 5. I reserve the right to also treat this as a Freedom of Information request and refer any response I receive to the Information Commissioner under s.50 of the Freedom of Information Act in due course.

Yours faithfully,

James Coombs

John Hampden Grammar School Office, John Hampden Grammar School, High Wycombe

Dear Mr Coombs
Thank you for your Freedom of Information request dated 27th March 2021 in
which you requested the following:
'Since 2016 I have made repeated requests for factual information which
fully meets the definition of “dataset” given in s.11(5) of the Freedom of
Information Act:
In this Act “dataset” means information comprising a collection of
information held in electronic form where all or most of the information
in the collection—
(a)has been obtained or recorded for the purpose of providing a public
authority with information in connection with the provision of a service
by the authority or the carrying out of any other function of the
authority,
(b)is factual information which—
(i)is not the product of analysis or interpretation other than
calculation, and
(ii)is not an official statistic …

My purpose for requesting these datasets was aimed at understanding how
personal data are collected and processed to produce the “standardised”
scores used by John Hampden Grammar School to determine which children to
admit. These requests were initially directed towards the test provider
CEM. Since 2018 I have asked TBGS for this information. Both have refused.
In recent court proceedings, counsel for TBGS clarified that TBGS is a
private company set up to manage the secondary transfer test on behalf of
John Hampden Grammar School and 12 other schools and questioned whether
TBGS is subject to laws relating to transparency. John Hampden Grammar
School is a state funded Academy school, responsible for determining its
own admissions. Whilst CEM and TBGS may argue that they are not
accountable John Hampden Grammar School is fully accountable to the public
for actions they take on its behalf.

Article 4 of the General Data Protection Regulation (GDPR) contains the
following definitions:
(1) ‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’) …
(4) ‘profiling’ means any form of automated processing of personal data
consisting of the use of personal data to evaluate certain personal
aspects relating to a natural person, in particular to analyse or predict
aspects concerning that natural person’s performance at work, economic
situation, health, personal preferences, interests, reliability,
behaviour, location or movements
(7) ‘controller’ means the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data …

John Hampden Grammar School are the data controller, responsible for
determining how this personal data is profiled.
Article 5 of GDPR contains the following Principles:
(1)(a) Personal data shall be processed lawfully, fairly and in a
transparent manner in relation to the data subject (‘lawfulness, fairness
and transparency’).
(2) The controller shall be responsible for, and be able to demonstrate
compliance with, paragraph 1 (‘accountability’).

This process is not transparent. After four and a half years of being
refused the datasets needed to understand the profiling carried out on
behalf of John Hampden Grammar School, I would like to request the
following information.

1. Details of where you publish your publication scheme, which it is the
duty of every public authority to publish. If not obvious, the date this
was last revised.

2. Details of all the personal data which passes between John Hampden
Grammar School, TBGS, the council, GLA and any other party in connection
with 11+ tests. This may include but not be limited to; name, unique pupil
number, date of birth, school, answer sheet, raw scores, standardised
scores and number of attempted questions etc. (This request is not for the
data itself but details of what personal data is shared between each of
the parties involved.)

3. Details of how these data are processed. This must explain exactly how
an individual raw score in each of the tests is combined with the child’s
age to produce a standardised score. If this information is based on the
data itself, for example the mean and standard deviation values of the raw
test marks for a given cohort, this explanation must include the
calculated values over the last three years (tests taken in 2018, 2019,
2020). As the data controller John Hampden Grammar School should be fully
familiar with exactly how this personal information is being processed
without the need to consult with your data processor.

4. How the “qualifying score” of 121 is determined by your data processor?
Is this an objective measure consistent with past years or is it set at a
level designed to qualify a given number or proportion of those who sit
the test. If it is set to select a quota, what criteria are used to
determine the pass mark?

5. A copy of the minutes of the full meeting of TBGS directors held on 27
September 2019. If no minutes were taken at that meeting, please explain
why John Hampden Grammar School allow important decisions to be taken on
its behalf with no official record being taken.

The law is clear. Accountability for compliance with GDPR sits with John
Hampden Grammar School. This accountability is not something which can be
absolved by outsourcing the processing to a series of private companies.
GDPR was implemented into UK domestic law via the 2018 Data Protection Act
which received royal assent in May 2018. John Hampden Grammar School are
long overdue in complying with this law.

Although I have chosen to contact John Hampden Grammar School via a
website designed to handle Freedom of Information, my request for
information relates to the systemic contraventions of basic data
processing principles for which John Hampden Grammar School are
responsible. As such, unless I receive substantive responses to the above
requests by 5pm on Friday 9 April, I shall refer this matter to the
Information Commissioner who has the power to impose fines of up to €20
million for infringements which go against the very principles of GDPR,
specifically those included in Article 5. I reserve the right to also
treat this as a Freedom of Information request and refer any response I
receive to the Information Commissioner under s.50 of the Freedom of
Information Act in due course.
In line with the UK Freedom of Information Act 2000, we will respond as
soon as possible but no later than Tuesday 11th May 2021, taking into
account the closure of the school for the Easter holidays and the bank
holiday on Monday 3rd May 2021.
Yours faithfully
John Hampden Grammar School

John Hampden Grammar School
Marlow Hill
High Wycombe
Buckinghamshire
HP11 1SZ

Tel: 01494 529589
Fax: 01494 447714
Web: [1]www.jhgs.bucks.sch.uk

[2]Stay Home

The contents of this electronic message (including attachments) are
strictly private and confidential and are intended for use by the
addressee only. If you have received this email in error please delete it
together with any attachments or return it to [3][John Hampden Grammar School, High Wycombe request email].

The views expressed in this message are personal and not necessarily those
of John Hampden Grammar School. Please be aware that emails sent to or
received from the school may be intercepted and read by the school.
Complaints about messages should be sent to [4][email address].

P Please consider the environment before printing this email

References

Visible links
1. https://gbr01.safelinks.protection.outlo...
3. mailto:[John Hampden Grammar School, High Wycombe request email]
4. mailto:[email address]

Dear John Hampden Grammar School Office,

Thanks for confirming receipt of my request for information.

I am concerned that the school have been acting illegally since 2018 by failing to ensure that the processing of personal data carried out on its behalf is not (lawful, fair and) transparent. Unless I receive an explanation of how these data are profiled by Friday 9 April I will be referring this to the Information Commissioner who has the power to impose fines of up to €20 million

I reserve the right to *also* refer any response I receive to the Information Commissioner under s.50 of the Freedom of Information Act in due course.

Please do not conflate those two separate issues.

Best wishes
James Coombs

John Hampden Grammar School Office, John Hampden Grammar School, High Wycombe

1 Attachment

Dear Mr Coombs
Please find attached the School's response to your recent Freedom of
Information request.
Yours sincerely
John Hampden Grammar School

John Hampden Grammar School
Marlow Hill
High Wycombe
Buckinghamshire
HP11 1SZ

Tel: 01494 529589
Fax: 01494 447714
Web: [1]www.jhgs.bucks.sch.uk

The contents of this electronic message (including attachments) are
strictly private and confidential and are intended for use by the
addressee only. If you have received this email in error please delete it
together with any attachments or return it to [2][John Hampden Grammar School, High Wycombe request email].

The views expressed in this message are personal and not necessarily those
of John Hampden Grammar School. Please be aware that emails sent to or
received from the school may be intercepted and read by the school.
Complaints about messages should be sent to [3][email address].

P Please consider the environment before printing this email

References

Visible links
1. https://gbr01.safelinks.protection.outlo...
2. mailto:[John Hampden Grammar School, High Wycombe request email]
3. mailto:[email address]