Age Appropriate Design Code / The Children’s Code and Schools

by | Apr 23, 2025 | Uncategorized

Age Appropriate Design Code / The Children's Code and Schools

ED TECH – The Children’s Code and Schools

It has been an interesting year or so, watching the Children’s Code (aka Age Appropriate Design Code or AADC) go through consultation, effectively missing out on what is needed for schools to be part of it, or how it could affect them. The released version that was laid in front of Parliament and adopted then had a year for companies and organisations to get to grips with and this finishes on September 21. 

 
There have been lots of conversations and work going on in the background, from the odd voice challenging the ICO around it, group sessions with DPOs to take on board how schools truly work, discussions with EdTech vendors (extremely grateful to many providers and especially to both NetSupport and 2Simple) and a fantastic report from the Digital Futures Commission (a collaboration supported by 5Rights). 
 
I would strongly recommend that you read the blog post and watch the report launch too (if you can). The report is a fantastic paper that helps to clearly show how EdTech and the use of data relates to schools, and is also supported by the commentary on it by the AADC team at ICO. 
 
There are three important things that need raising for schools and three for EdTech providers. 
 
Schools 
  1. Schools need to be clear where they are the sole data controller and where any other company or organisation may also be a controller.
  2. Schools need to understand that where they are the sole controller, the code does not apply to them and what they do, but GDPR still applies and the code has chunks of good practice to follow. 
  3. The importance of risk assessments cannot be stated enough. If you haven’t done them for the systems you are already running (including in-house stuff) then treat it as a gap analysis … but just get it done. 
 
EdTech Vendors
 
  1. Make sure you are clear and transparent about where you are a controller for your business stuff (sales, etc.) and where you are a processor on behalf of the school (i.e. the actual service you run)
  2. Be transparent in your documentation and agreements about what you do and who you work with. Make sure any other partner is only doing what you instruct and based on your agreement with the school.
  3. If you are also dealing directly with families for a consumer offering, make sure you are using the code for that part of the service, and make sure you know what doesn’t need to be in place for the school-delivered side. 
 
There is so much more I could add, and more guidance will come over time. The ten steps the report puts to the Government are clear, well-targeted and will make a significant difference for schools in England. We can also hope that it helps to set things out for NI, Scotland and Wales too. I’m just glad that the Digital Futures Commission are leading on this, as they are approachable and want to take in the wide range of experience and expertise that is available within schools, MATs and LAs. 
The targets are below: 
Focusing on EdTech for teaching, learning and assessment (“Learning EdTech”), the immediate steps for government include: 
  1. Develop ICO guidance on how the UK GDPR and the DPA 2018 apply to the education data processed by Learning EdTech companies in schools
  2. Review the procedures for accessing National School Data from the DfE and ensure strict adherence to the Five Safes framework as required by the Digital Economy Act 2017.
  3. Produce DfE guidance for EdTech companies, grounded in an independent evidence base and setting out the criteria of educational purposes that Learning EdTech should fulfil.
  4. Direct BESA’s LendED library to develop an alternative to product ratings, based on formal evidence rather than anecdotal opinions – this is vital since what works in one context may not work in another.
  5. Develop mandatory rules for schools’ procurement of Learning EdTech to ensure credible improvements in teaching and learning, and compliance with data protection regulation.
  6. Create joint oversight mechanisms giving both the DfE and the ICO formal roles in ensuring Learning EdTech’s compliance with the law.
  7. Direct the DfE’s Schools Commercial Team to develop specific rules for schools’ procurement of Learning EdTech services, including those offered ‘free of charge’, to ensure children’s rights are respected. 
  8. Create standard contractual clauses for use by learning EdTech companies in relation to data processing (ICO) and standard commercial clauses for pricing (DfE). 
  9. Develop standard contractual clauses for contracts between schools and Learning EdTech companies (ICO), detailing the kinds of data that can be processed from children under legitimate interests lawful basis. 
  10. Encourage compliance with the best international standards on data protection and child rights to increase the UK’s competitiveness in the global education marketplace. 
 
I would suggest schools share this report with their DPOs and Senior Business Managers, and I am happy to discuss this further with any EdTech providers out there or introduce you to people who can help.
You can reach Tony via his website here 
 
Tony Sheppard 
My Data Protection World 
Cyber Essentials

Cyber Essentials

Is it worth all the hassle and cost As outsourced DPOs for a number of schools, we have spent a great deal of time advising clients to gain Cyber Essential accreditation. We are well aware that it is not the highest level of IT security accreditation but it does...

New ICO Surveillance Guidance

New ICO Surveillance Guidance

New ICO guidance for Video Surveillance The ICO has published guidance on the processing of personal data by video surveillance systems, click here to go to the ICO website  The guidance outlines how data protection principles must be complied with when using certain...

Privacy Snakes and Ladders

Privacy Snakes and Ladders

Play this game to learn how to make smart privacy choices We would like to thank our friends at the “Office of the Privacy Commissioner of Canada for sharing these great games. How to play activity sheet You need a game piece for every player and a die. The person who...