The ICO has recently updated its guidance on when the ICO’s Children’s Code (the Code) applies to service providers. The Code applies to information society services (meaning any service usually paid for, at a distance, by electronic means and at the request of the service recipient) which are likely to be accessed by children. The Code also applies to non-profit Edtech services as these are also caught by the definition.

In this factsheet, we briefly outline when the Code applies to Edtech providers and other key data protection considerations for schools and Edtech service providers.

When does the Code apply and what does it say?

In the context of Edtech services, the Code applies to services that are likely to be accessed by children on a direct-to-consumer basis or are provided to children through a school, where the Edtech provider influences the nature and the purpose of the processing of children’s personal information.

The ICO guidance states that the Code is likely to apply where the Edtech provider:

  • determines or influences the purposes for which personal information is processed
  • processes children’s personal information for research purposes (where the research is not the core service provided to the school)
  • processes children’s personal information for marketing and advertising
  • processes children’s personal information for the provider’s own commercial purposes, such as product development

Where an Edtech provider is in scope of the Code, it is required to undertake a data protection impact assessment to assess and mitigate the risks to children. The Code sets out 15 standards for age-appropriate design including the best interests of the child, transparency, detrimental use of data, data sharing, parental controls and more.

A summary of the 15 Code standards can be found on the ICO website.

In addition, the ICO guidance provides greater clarity on when the Code does not apply to an Edtech provider. This is where:

  • The Edtech service procured by the School fulfils the School’s public tasks and educational functions (being an integral function of the School rather than a helpful product)
  • The data is processed solely on the instruction of the School and the Edtech provider does not process the data beyond these instructions (such as for product development)
  • The Edtech service is not accessed on a direct-to-consumer basis

If all these criteria apply, the ICO considers that the Edtech provider is likely to act as a processor in practice. However, the parties should undertake a full assessment, as outlined below, before arriving at a conclusion.

Other key data protection considerations

In addition to the application of the Code, other key data protection considerations for the provision of Edtech products and services to schools are:

Clear roles

It is very important that the Edtech provider and the school are clear about their respective roles under data protection law (whether they are controllers, processors or joint controllers). This was another key change to the ICO guidance – previously the guidance stated that Edtech providers would be likely to be processors. The designation as controller or processor is key because data protection obligations flow depending on how an organisation is categorised. For example, providing privacy notices and collecting consent (where applicable) is an obligation imposed on controllers, not processors. The ICO Guidance on these roles is helpful for assessing whether an Edtech provider is a controller or a processor. This analysis should be documented in case the categorisation of controller or processor is queried in the future.

Lawful basis

Where the Edtech provider is a controller, it must identify an appropriate lawful basis (or reason under the law) to process the data. The most relevant lawful bases in the context of the provision of Edtech products and services to schools are:

  • Legitimate Interests – this is the most flexible lawful basis, and allows organisations to process personal data where necessary for the organisation’s legitimate interests provided that those interests are not overridden by the rights and freedoms of individuals. Relying on this lawful basis therefore requires a balancing exercise, also known as a ‘legitimate interests assessment’.
  • Consent – if consent is relied upon as the lawful basis, an organisation can process personal data where it has the consent of the relevant individual(s) to do so. Depending on the age of the children concerned, consent is collected from the parent or from the child directly.
  • Public Task – In some cases, organisations may be able to rely on the lawful basis that processing of personal data is necessary for the performance of a public task in the public interest. The ICO guidance states that public task is unlikely to be an appropriate ground for Edtech providers to rely upon.

Edtech use of data

Whether the Edtech provider is a controller or a processor, the contract between the parties should reflect what is happening to the data on the ground. The respective obligations of the parties should be set out clearly.

The ICO emphasises that children have the same rights as adults in respect of their personal data. Handling children’s personal data requires careful attention. Providing products and services in scope of the Code requires planning so that the protection of children’s data is embedded into the design.

Bates Wells can help you to navigate these rules and take steps to review your compliance in relation to the provision and receipt of Edtech services so that you can be comfortable and confident in your data protection compliance. Please contact Eleonor Duhs for information.