The Department for Education is holding named records detailing the sexual orientations and religious beliefs of more than 3 million students and graduates, thousands of whom were not told that their sensitive data had been shared.

Data obtained through a freedom of information request by BuzzFeed News reveals that the DfE holds sexual orientation data on almost 3.2 million people, and religious belief data on 3.7 million people. The records go back to 2012/13 and include both current students and those who have finished university.



Seven universities have elected to change their policies after our reporting exposed how they were failing to make clear to students that this information, along with other personal data, would be passed on to other public authorities. An eighth, the University of Wales Trinity Saint David, had not responded at the time of publication.

Online privacy campaigners have described the retention and sharing of such personal data as "the stuff of nightmares" and have expressed their disappointment that the Information Commissioner's Office — the independent regulator set up to uphold information rights — will not investigate.



The information sits within the National Pupil Database, which — with data sets on 21 million individuals — is one of the richest data resources about education in the world.



It lists the personal characteristics of every state-educated child in England since 2002, including one's name, date of birth, ethnicity, home address, attainment from nursery to higher education (ages 2–19), special educational needs, and interactions with the state such as indicators for free school meals, families in the forces, and children in care.

The data were submitted by students to their universities on a voluntary basis on enrollment and passed on by their institution to the Higher Education Statistics Agency.

In a separate freedom of information response to privacy campaign group defenddigitalme, the HESA confirmed it collects named data on sexual orientation and religion or belief from students in England, Scotland, Wales, and Northern Ireland. The group said the collection of Northern Ireland students' religions and sexual orientations was particularly contentious.

HESA passes on the data to public bodies including the DfE, the Office for Students, and the funding bodies in Scotland and Wales. While the DfE does not share the sensitive named data onwards, other bodies have their own lists of third parties with which they can share the data.

The OfS, for example, can share the data with HMRC, the Student Loans Company, and Pearson Education — a private company.

It is understood that while the law would allow it to do so, it has not yet shared any students' named religious belief or sexual orientation data with these organisations. A source close to the OfS said it would only do so when there was a clear student interest and after it had conducted a privacy impact assessment.

The government claims the information is held to "better target (and evaluate) policy interventions to help meet the Department [for Education]’s strategic objectives and ensure all children are kept safe from harm and receive the best possible education".



“We take data protection extremely seriously and we keep all personal information safe — in line with legal requirements," a DfE spokesperson told BuzzFeed News.

“The information collected by HESA and shared with the department is done so we can meet our public sector obligations to carry out equalities impact assessment. These particular data items, which students don’t have to provide, are not shared by us outside of the department.”

The HESA makes clear that it collects "special categories of data" (such as sexual orientation) on a named basis from universities. But the fact that the data is included in the National Pupil Database was only made public in May, when a government risk assessment was released.



The new freedom of information data reveals for the first time the massive amount of highly sensitive personal information that these government bodies hold.

The HESA requires universities to inform students that their personal data will be submitted and recommends that they include a link in their privacy notices to the HESA Student Collection Notices, which explain which organisations receive data, at what level of detail, what they use it for, and the legal basis for processing it.



BuzzFeed News contacted eight universities that failed to adhere to these requirements and guidelines.