Age Appropriate Design Code / The Children's Code and Schools
ED TECH – The Children’s Code and Schools
It has been an interesting year or so, watching the Children’s Code (aka Age Appropriate Design Code or AADC) go through consultation, effectively missing out on what is needed for schools to be part of it, or how it could affect them. The released version that was laid in front of Parliament and adopted then had a year for companies and organisations to get to grips with and this finishes on September 21.
There have been lots of conversations and work going on in the background, from the odd voice challenging the ICO around it, group sessions with DPOs to take on board how schools truly work, discussions with EdTech vendors (extremely grateful to many providers and especially to both NetSupport and 2Simple) and a fantastic report from the Digital Futures Commission (a collaboration supported by 5Rights).
I would strongly recommend that you read the blog post and watch the report launch too (if you can). The report is a fantastic paper that helps to clearly show how EdTech and the use of data relates to schools, and is also supported by the commentary on it by the AADC team at ICO.
There are three important things that need raising for schools and three for EdTech providers.
Schools
- Schools need to be clear where they are the sole data controller and where any other company or organisation may also be a controller.
- Schools need to understand that where they are the sole controller, the code does not apply to them and what they do, but GDPR still applies and the code has chunks of good practice to follow.
- The importance of risk assessments cannot be stated enough. If you haven’t done them for the systems you are already running (including in-house stuff) then treat it as a gap analysis … but just get it done.
EdTech Vendors
- Make sure you are clear and transparent about where you are a controller for your business stuff (sales, etc.) and where you are a processor on behalf of the school (i.e. the actual service you run)
- Be transparent in your documentation and agreements about what you do and who you work with. Make sure any other partner is only doing what you instruct and based on your agreement with the school.
- If you are also dealing directly with families for a consumer offering, make sure you are using the code for that part of the service, and make sure you know what doesn’t need to be in place for the school-delivered side.
There is so much more I could add, and more guidance will come over time. The ten steps the report puts to the Government are clear, well-targeted and will make a significant difference for schools in England. We can also hope that it helps to set things out for NI, Scotland and Wales too. I’m just glad that the Digital Futures Commission are leading on this, as they are approachable and want to take in the wide range of experience and expertise that is available within schools, MATs and LAs.
The targets are below:
Focusing on EdTech for teaching, learning and assessment (“Learning EdTech”), the immediate steps for government include:
- Develop ICO guidance on how the UK GDPR and the DPA 2018 apply to the education data processed by Learning EdTech companies in schools
- Review the procedures for accessing National School Data from the DfE and ensure strict adherence to the Five Safes framework as required by the Digital Economy Act 2017.
- Produce DfE guidance for EdTech companies, grounded in an independent evidence base and setting out the criteria of educational purposes that Learning EdTech should fulfil.
- Direct BESA’s LendED library to develop an alternative to product ratings, based on formal evidence rather than anecdotal opinions – this is vital since what works in one context may not work in another.
- Develop mandatory rules for schools’ procurement of Learning EdTech to ensure credible improvements in teaching and learning, and compliance with data protection regulation.
- Create joint oversight mechanisms giving both the DfE and the ICO formal roles in ensuring Learning EdTech’s compliance with the law.
- Direct the DfE’s Schools Commercial Team to develop specific rules for schools’ procurement of Learning EdTech services, including those offered ‘free of charge’, to ensure children’s rights are respected.
- Create standard contractual clauses for use by learning EdTech companies in relation to data processing (ICO) and standard commercial clauses for pricing (DfE).
- Develop standard contractual clauses for contracts between schools and Learning EdTech companies (ICO), detailing the kinds of data that can be processed from children under legitimate interests lawful basis.
- Encourage compliance with the best international standards on data protection and child rights to increase the UK’s competitiveness in the global education marketplace.
I would suggest schools share this report with their DPOs and Senior Business Managers, and I am happy to discuss this further with any EdTech providers out there or introduce you to people who can help.
You can reach Tony via his website here
Tony Sheppard
My Data Protection World
How to help your teen have GOOD mental health
Helping your teens with their mental health What is mental health? Unfortunately, mental health is still rarely talked about in a positive sense. Just as we ALL have physical health, we also ALL have mental health. Being mentally healthy means being able to feel and...
How to Help your Teen Through Exam Result Uncertainty
Helping your Teen through exam result uncertainty. It is less than easy for teens at the moment. All their lives they have been told that their exam results at GCSE and A-level will determine their future and now they are not sitting these exams at all but are relying...
Subject Access Requests- A Common Misconception.
Subject Access Request (SAR) Last week I spoke to a new client and asked if they had ever had any problems in responding to a Subject Access Request. (SAR) To my surprise they told me that they had never had one. I was very surprised by this as experience told me...