A simple swipe across a screen is all it takes for a teacher at Holyhead Primary Academy to see how their class is faring on any given topic. A colour-coded graphic breaks it down: these are the ones who are on track; here are the children who need a bit more work.

A couple of clicks and they can zoom in on an individual pupil: this is what they are doing well at; this is where they need a bit of extra help. A further click, and the teacher can focus on the pupils with SEND in the class. Swipe back to see how attainment compares across the whole school.

“It shows you just how the children are doing and you know what to work on with them,” says Sir Mark Grundy, CEO of Shireland Collegiate Academy Trust, which runs two secondary schools and two primaries - including Holyhead - in the West Midlands. “It means we know how well all the children are doing all the time.”

Progress data represents just a fraction of the mass of information schools now collect on their pupils. Whether it’s manually inputted or automatically recorded, whether it’s a binary assessment or a biometric such as a fingerprint, from measuring attainment to monitoring attendance, managing behaviour to shortening lunch queues, few aspects of school life now come without data attached.

But while it undoubtedly helps in the smooth running of a school, data collection on this scale throws up a whole set of issues. How do schools look after it and keep it safe? Where is the line between utility and pupil privacy? What happens if it falls into the wrong hands? And whose data is it anyway?

Education has already been embroiled in a number of rows over data, and some believe it is only a matter of time before a big scandal hits. For schools, it is often a question of whether the risk outweighs the benefits, and how to best manage that risk.

Under Grundy’s leadership, Shireland has been at the forefront of the technology revolution in schools, an early adopter of many systems that are now widespread. He has no doubt of the benefits it can bring, not least of which is the capacity to cut workload and improve behaviour.

The assessment system used in Shireland’s four schools - due to become six in September with the addition of another primary and another secondary - registers pupil progress automatically, doing away with the need for teachers to input data for each child manually.

“It saves hours and hours and means teachers are not having to spend their time finding out who is doing well and what children are not doing well at,” says Grundy. “Ultimately, behaviour is better because lessons are more focused, more dynamic and better crafted.”

One of the systems used at Shireland is an artificial intelligence platform developed by Century Tech, which “learns” how each child learns, how much they know and even when they’re guessing, through collecting data every time the pupil uses it.

“The whole concept is about how we can use data to improve teaching,” says Priya Lakhani OBE, Century’s founder and chief executive. “There are some scare stories about how data can be misused but the right data in the right hands can be incredibly powerful.

“It can be differentiated at a completely personalised level, and this can free up a teacher’s time so they spend more time on targeted interventions.”

Anonymity myth

But for some, the existence of all this pupil data has potentially frightening implications. Jen Persson, director of defenddigitalme, a campaign to protect children’s data privacy and digital rights, says few parents are aware of the amount of information garnered by schools.

Simply anonymising the data is not enough to prevent children being identified, she says: if it is particular to an individual, then they can be identified.

“Anonymous means the data has been aggregated, it is not on an individual basis,” she says. “It doesn’t matter if you have stripped the names off - there is virtually no data in schools that is anonymous.”

Personal data - such as date of birth, gender and religion - is routinely collected, putting children at risk of identity theft in the future, she says, while data gathered through assessment and behaviour apps could be used to profile children.

“A lot of the data is opinion, not immutable facts, and it could build up a longitudinal profile,” she says. “Software that assesses people’s mood or monitors children’s use of language could be used to identify children at risk of mental health problems or extremism.”

Biometrics, such as fingerprint scanners used in canteens, libraries and entry systems, are a particular cause for concern, Persson says.

“Fingerprinting is a hugely important unique profile of a child and if you lose control of your biometrics, if you have given them away and you don’t know to whom, you cannot get them back,” she says.

She wants schools to exercise greater care when signing up for third-party apps, to check on issues such as where the data will be stored, as well as greater transparency around consent, making sure parents know how the data will be used.

Century Tech takes security and privacy concerns seriously, says Lakhani, and aims to mitigate some of the risks by storing data in several different places and destroying data when children stop using the platform.

“You have got to have very robust storage systems and it is really important that schools ask questions about where the data is kept,” she says.

Tony Cann argues that both schools and developers are more aware of security and privacy issues than in the past. As the founder of Promethean, which pioneered the use of interactive whiteboards, Cann was at the forefront of the edtech revolution. His new venture, Learning by Questions, is a tool combining automatic marking and analysis to provide instant feedback to teachers.

“Our systems don’t allow anybody to get hold of the data, and only the school can sell it,” he says. The data is held in the cloud for greater security and, unless the school signs an agreement otherwise, only the teacher in the classroom gets to see the names of the children taking part.

It is not so much the amount of pupil data as the way it is collected that has changed in recent years, according to Duncan Baldwin, deputy policy director at the Association of School and College Leaders (ASCL) and specialist on performance data.

But while this represents a potential risk, he argues that schools are generally very good at storing data and understanding how to keep it safe. Measures such as using encrypted laptops and taking memory sticks with pupil data out of school help keep it secure, while schools are more vigilant about access to data, he adds.

The risks also have to be set against the benefits, both in helping children learn and cutting workload, he says.

“Schools are not amassing huge amounts of data just because they can: they’re doing it because it is helpful towards a child’s learning,” he says.

“Fingerprints for registration or cashless meals are more secure and less of an administrative burden. It is perfectly possible for a parent or a pupil to refuse to supply their fingerprint, and I’m sure alternatives are there.”

Two years ago, the NHS was hit by a massive data breach, when it emerged that around 860,000 documents had gone missing, with some sent to a private contractor by mistake. Ross Anderson, professor of security engineering at the University of Cambridge, believes it is only a matter of time before a similar scandal engulfs education.

There are “gazillions” of companies pushing computerised learning apps, and schools are signing up often without knowing what they are getting into, he says.

“Many of these apps are extracting personal health information, such as recognising whether children have special needs or are autistic,” he adds. “Firstly, what is the robustness of these tests, and secondly what about the control of this information?”

Unless the school retains ownership of the data, it could be sold on, with the school having no idea who is using it and why. And although GDPR has made schools more aware of privacy issues, Anderson says there is still a long way to go.

“I suspect that if a rigorous GDPR audit was given to the average school in England and Wales, they would fail by a mile,” he says. “They often have no clue what is being hoovered up, by whom and to what use it is being put.”

Short of removing edtech altogether - a solution he notes is often taken up by the Silicon Valley entrepreneurs who educate their children in traditional schools without so much as a screen - schools need to be more savvy about what they are using.

“Lots of schools buy all sorts of crap because they don’t understand it,” Anderson says. “They think it is going to help but it doesn’t. If you are going to use it, you have to understand it. If you haven’t been on a chainsaw awareness course, don’t buy a chainsaw.”

Taking control

Privacy and security concerns mean a school needs a good reason to collect data. But providing and improving the quality of education does meet that test, according to Dominic Norrish, group director of technology at United Learning, a multi-academy trust running more than 70 primary and secondary schools around the country.

While many schools are very aware of the potential for misuse of data, Norrish acknowledges that others may not have considered the dangers well enough. The role of data controller, looking after a school’s data, is a relatively new one, and some schools lack both the capacity and the expertise, he says.

As an example, one of United Learning’s schools was dissuaded from buying a visitor registration system when a risk assessment found the provider’s password policy allowed a one-character password.

“This could have exposed the data to the internet,” he says. “You could log in from any computer, anywhere in the world, and see a full list of everyone who was in school.”

But short of returning to an era before technology, taking precautions provides the best guarantee that pupil data will be safe and used for the reason it was collected.

“The question a school always has to ask is: are we using the data in pursuing legitimate objectives, in providing the best education possible?” Norrish says. “It’s about a school trying to provide an excellent education in any way they can.”

Nick Morrison is a freelance education journalist

This article originally appeared in the 31 May 2019 issue under the headline “Too much information?”