After we published our recent post on the possible GDPR issues arising from what appears to be automated processing leading to this week's A-Level result outcomes, Partner Adam Rose drew attention to the fact that, many years ago, as an articled clerk (now known as a trainee solicitor), he had been involved in the appeal brought by CCN (the previous name of what is now Experian), against a decision of the Data Protection Registrar (now, the Information Commissioner) under the 1984 Data Protection Act (now, GDPR and the Data Protection Act 2018), in the Data Protection Tribunal (now, the First Tier Tribunal). Adam says that by 'been involved', he definitely helped carry files into the court room, and took some notes.
The case was about this: it turned out that in giving someone a credit rating, CCN would look at the credit ratings of others living at the same address, and would also look at the address itself. So, if someone lived with someone else who was a bankrupt, the former got a poor credit score; and if the previous resident had a poor credit-rating, so too would the current resident.
The Tribunal found that whilst the Enforcement Order of the Data Protection Registrar was too wide, nonetheless, "from 1 January 1993, personal data relating to the financial status of individuals must cease to be processed by reference to the current or previous address or addresses of the subject of the search whereby there is extracted in addition to information about the subject of the search any information about any other individual who has been recorded as residing at any time at the same or similar current or previous address or addresses as the subject of the search." That was subject to certain close family/dependents exemptions, but, it is certainly arguable that, at least since 1 January 1993, the principle of 'fairness of processing' should generally mean that third party data could no longer be used to make decisions about me.
How does this relate to A-Level results?
One of the key factors in determining an A-Level student's results this summer (and this seems to be particularly so in poorer parts of the country, with, sadly, historically poorer performing schools), seems to be a look-back at the student's school's past three years of results. In other words, because other students who had attended that same school had obtained poor results, this year's students' data was processed by reference to the data of previous students from the school of the data subject, whereby there was extracted in addition to information about the data subject, information about other individuals who had been recorded as attending the same school as the data subject.
That's simply not allowed. And there is a good argument for saying that it hasn't been for over 28 years.
One would assume that Ofqual's Data Protection Impact Assessment will have a whole section addressing this, and we have made a Freedom of Information Act request to see it.