The BigBrotherAward 2006 in the category “Government Authorities” goes to the Conference of State Ministers for Education (Kultusministerkonferenz der Länder, KMK) for their entire ignorance (or in red-tape parlance: “a certain lack of observance”) of data protection requirements in the attempt to introduce life-long, nationally unified student IDs.
One could state as an excuse that “Law” is not usually taught as a school subject, so the Ladies and Gentlemen in the Conference may not necessarily have any knowledge of German law, having gone through the German educational system.
But shouldn’t one at least be able to show a basic knowledge of democratic principles if one wants to steer legislative processes? And shouldn’t this knowledge have been conveyed in “social studies” classes, so that one could have grasped and understood the meaning and requirements of data protection, informational self-determination and personality rights? This demand does not seem to have been fulfilled in the members of the KMK. Another German PISA disaster in the subject of data protection and democracy education!
But let’s start at the beginning:
Since the year 2000 the KMK is attempting to design the collection of data in school statistics in a nationally unified way, to pool them centrally, and gather them in relation to individuals (and that means related to pupils and teachers).
They justify this by pointing — on the whole perhaps understandably — to the necessity of reliable statistical data in order to make informed choices in educational policies. Not just since PISA and the newest OECD study is it obvious that “there’s something rotten” in our educational system, and fundamental changes are bitterly needed. But whether the supposedly deficient statistics are first and foremost responsible for this, and whether — as in traditional arguments of number-addicted controllers — it is personalised data, of all things, that might bring the much sought-after changes, seems to be somewhat questionable.
In May 2003, the 174th minister’s convention of the KMK decided, under the heading “core data items for school-statistical individual data in the federal states”, on a “soon to be initiated changeover in the school statistics towards individual data.” This means a requirement to the states that they build up a unified data collection system for public and private pre-schools, schools and institutions of further and adult education.
From the cradle to the grave — or at least to the first job or the release into unemployment, students from general or vocational schools, from health schools and, in the future, even from pre-schools and adult education institutions should receive a unique reference number, which relates to their life-long educational profile.
This requires that the software for school administration used in the individual states cover at least the core items defined by the KMK, and they need to be technically able to communicate these data to the central database. Core items include sex and date of birth as well as specifications about first language, nationality, religious affiliation, schools and tuition received there, remedial teaching (i.e. significant deficits in certain areas of learning), and whether one has any “migration background”. Incidentally, a lot of person-related data will be collected also about the teachers. As it seems, the KMK does not notice the requirement for involving teachers’ representatives in such decisions at all.
Who will be interested in the national education database, once it is installed? Didn’t we just learn through the TollCollect case that however heartfelt the promises made today about a strict legal limitation of intended usage may be, and however intricate the data protection concept, this does not prevent an arbitrary rededication once a particular political pressure is developed? So, is it really so unlikely that not only police and security authorities might be interested in such a beautiful collection, but also employers, banks and insurance companies? You want a loan from your bank? Having passed school only by the skin of your teeth? Then it might just be that that your bank doubts whether your job is sufficiently secure and you will be able to pay it off. You had the pleasure of taking part in a remedial programme for “emotional and social skills development”? Sorry, fat chance of getting an apprenticeship in banking.
Do we have to fear in the future that at the age of 30 we will not get a loan, life insurance or job in Bremen, all because we had to repeat the odd year at school between age 12 to 18 in Munich? — You think this is an exaggeration? You think that the KMK will quite certainly, and securely, have excluded such desires?
The really bad thing about it all is that the KMK hasn’t even reached the stage yet of thinking coherently and comprehensibly about the aims wished for, nor to formulate them. There is no documentation of concrete purposes and questions which the data should answer. A shortcoming in a project that has been pursued for six years now, which in any private enterprise would have justly earned the people responsible a severe reprimand from the supervisory authorities. In the same vein there is no satisfying definition of which institution is to run the centralised database, nor where, nor what the particular duties for that institution should be.
But in pursuit of the good old traditions of the hunter-gatherers one is eagerly working on definitions and demands of what data are to be collected. There is ample description of master data, definition of export interfaces, software re-programming, browbeating of schools, general exertion of pressure. But there is little thought devoted to personality rights of the students and the teachers affected, and just as little consideration is given to the determination of technical and organisational protection measures. “Who may do what, when, and with what?” does not seem to be a question to even once have crossed the minds of the ladies and gentlemen from the KMK. Concepts of access, authorisation, roles? Not found. Protection of communication and transfer channels? Not found. Minimum requirements for authorisation protocols in the school’s software? Not found. Concepts for anonymisation? Not found.
Has the KMK even realised that its project interferes considerably with the personality rights of the people affected? I fear that the answer to this is also: Not found.
The working group on “data acquisition strategy”, anyway, which is to “prioritise recommendations for action under professional and pragmatic aspects”, obviously understands data protection only as a possible cause of “restrictions”. With this it perpetuates the stance of the statistics commission: Their understanding of data protection in a report in 2005 about the state of implementation of the KMK’s project was restricted to reporting data protection concerns voiced by some federal states. They obviously regarded the facts that the state of Saxony (Sachsen) has now stopped the collection of individual data altogether and the state of Schleswig-Holstein demands to include data protection considerations only as annoying acts of grumbling.
So it seems that it is high time the KMK turn the operation “back on its feet again”, as the Schleswig-Holstein data protection commissioner demands, and heed the basic standards of project and data protection management.
Congratulations, Conference of State Ministers for Education! Director’s office! Now!