Age Appropriate Design Code / The Children’s Code and Schools

by | Apr 23, 2025 | Uncategorized

Age Appropriate Design Code / The Children's Code and Schools

ED TECH – The Children’s Code and Schools

It has been an interesting year or so, watching the Children’s Code (aka Age Appropriate Design Code or AADC) go through consultation, effectively missing out on what is needed for schools to be part of it, or how it could affect them. The released version that was laid in front of Parliament and adopted then had a year for companies and organisations to get to grips with and this finishes on September 21. 

 
There have been lots of conversations and work going on in the background, from the odd voice challenging the ICO around it, group sessions with DPOs to take on board how schools truly work, discussions with EdTech vendors (extremely grateful to many providers and especially to both NetSupport and 2Simple) and a fantastic report from the Digital Futures Commission (a collaboration supported by 5Rights). 
 
I would strongly recommend that you read the blog post and watch the report launch too (if you can). The report is a fantastic paper that helps to clearly show how EdTech and the use of data relates to schools, and is also supported by the commentary on it by the AADC team at ICO. 
 
There are three important things that need raising for schools and three for EdTech providers. 
 
Schools 
  1. Schools need to be clear where they are the sole data controller and where any other company or organisation may also be a controller.
  2. Schools need to understand that where they are the sole controller, the code does not apply to them and what they do, but GDPR still applies and the code has chunks of good practice to follow. 
  3. The importance of risk assessments cannot be stated enough. If you haven’t done them for the systems you are already running (including in-house stuff) then treat it as a gap analysis … but just get it done. 
 
EdTech Vendors
 
  1. Make sure you are clear and transparent about where you are a controller for your business stuff (sales, etc.) and where you are a processor on behalf of the school (i.e. the actual service you run)
  2. Be transparent in your documentation and agreements about what you do and who you work with. Make sure any other partner is only doing what you instruct and based on your agreement with the school.
  3. If you are also dealing directly with families for a consumer offering, make sure you are using the code for that part of the service, and make sure you know what doesn’t need to be in place for the school-delivered side. 
 
There is so much more I could add, and more guidance will come over time. The ten steps the report puts to the Government are clear, well-targeted and will make a significant difference for schools in England. We can also hope that it helps to set things out for NI, Scotland and Wales too. I’m just glad that the Digital Futures Commission are leading on this, as they are approachable and want to take in the wide range of experience and expertise that is available within schools, MATs and LAs. 
The targets are below: 
Focusing on EdTech for teaching, learning and assessment (“Learning EdTech”), the immediate steps for government include: 
  1. Develop ICO guidance on how the UK GDPR and the DPA 2018 apply to the education data processed by Learning EdTech companies in schools
  2. Review the procedures for accessing National School Data from the DfE and ensure strict adherence to the Five Safes framework as required by the Digital Economy Act 2017.
  3. Produce DfE guidance for EdTech companies, grounded in an independent evidence base and setting out the criteria of educational purposes that Learning EdTech should fulfil.
  4. Direct BESA’s LendED library to develop an alternative to product ratings, based on formal evidence rather than anecdotal opinions – this is vital since what works in one context may not work in another.
  5. Develop mandatory rules for schools’ procurement of Learning EdTech to ensure credible improvements in teaching and learning, and compliance with data protection regulation.
  6. Create joint oversight mechanisms giving both the DfE and the ICO formal roles in ensuring Learning EdTech’s compliance with the law.
  7. Direct the DfE’s Schools Commercial Team to develop specific rules for schools’ procurement of Learning EdTech services, including those offered ‘free of charge’, to ensure children’s rights are respected. 
  8. Create standard contractual clauses for use by learning EdTech companies in relation to data processing (ICO) and standard commercial clauses for pricing (DfE). 
  9. Develop standard contractual clauses for contracts between schools and Learning EdTech companies (ICO), detailing the kinds of data that can be processed from children under legitimate interests lawful basis. 
  10. Encourage compliance with the best international standards on data protection and child rights to increase the UK’s competitiveness in the global education marketplace. 
 
I would suggest schools share this report with their DPOs and Senior Business Managers, and I am happy to discuss this further with any EdTech providers out there or introduce you to people who can help.
You can reach Tony via his website here 
 
Tony Sheppard 
My Data Protection World 
Electronic vs. Paper copies

Electronic vs. Paper copies

Should you keep both electronic and paper records of some important data? In light of the ever increasing number of cyber attacks on the education sector, and the advice given by the NCSC,  we at DPO For Education continue to advise our clients to keep both electronic...

Appointing a Data Protection Officer

Appointing a Data Protection Officer

A simple guide to understand the role of a DPO in schools and who is and who is not suitable for the role. Whatever the size and setting of your school, the GDPR (General Data Protection Regulation) places high expectations on you to protect the personal data in your...

GDPR DOs & DONT’S Infographic

GDPR DOs & DONT’S Infographic

Training and Awareness is a way to inform your staff that data protection is everyone’s responsibility and that small steps to protect data can make a big difference. Print this poster to display in the staff room and offices. Poster: GDPR - Data Protection Dos and...