Have you ever wondered what GDPR Compliance means for EdTech Vendors or for Schools?
I wrote this piece a while ago as a way of pulling together some of the guidance and ideas I have previously shared on X (formerly known as Twitter) and never got round to publishing it. I can’t think why but I have been working on some simpler guidance for EdTech vendors to help them understand their roles when working with and on behalf of schools.
Late last year I sent out a series of tweets referencing what schools and EdTech vendors need to do around The Children’s Code. Following on from the session at BETT this year from 5Rights and a separate session from ICO and Prof Dr Gers Graus, I thought it would be good to bring these back and add a bit more context.
In the 4 years it has been interesting when talking/working with both EdTech Vendors& schools. So many have said that they want clear messages about what they can/can’t do. The Children’s Code seemed to be the solution, but some of us could see possible confusion & issues. 1/n – Seriously, it took a lot of effort for ICO, Digital Futures Commission and others to recognise that there was a big gap in The Children’s Code around schools. It should not have been such hard work, especially when comments were raised about consideration for schools at Bill stage, and then during the consultation phases for the Age Appropriate Design Code (now The Children’s Code). There have also been questions asked about the engagement (or lack) between DfE and ICO, DfE and DCMS, and ICO and DCSM about schools and data protection. Thankfully, there are many that recognise the issue now, but too many still struggle with the context due to their lack of understanding about how schools and EdTech work together, and it is not hard to see why there is a lack of understanding. It is not made transparent and can be hidden behind barriers.
The Code has many good things in it that should be looked for as clear guidance that is already in the UK GDPR, whether the focus on the best interests of the child, making things age appropriate, transparency and profiling… 2/n – There is not a check list about what bits do in don’t apply in a school situation as it varies, but there are lots of good ideas in there.
or whether it is about doing the right things around data minimisation, detrimental use of data or data sharing. 3/n – The emphasis on knowing what you are doing with data, only using the data you truly need, doing things in the best interest of the child and not giving the data to others might seem like common sense, but they need repeating.
& with challenge and rigour around EdTech coming from organisations like the Digital Futures Commission (digitalfuturescommission.org.uk) it is clear to see that clear advice is still needed. 4/n – And more is still needed, several months on, especially when that challenge has missed aspects of the context.
And so it was with relief to see that the ICO team have provided more advice on what the Code means for schools. 5/n – More is still needed though but …
The FAQs ( ico.org.uk/for-organisati…) set out that the Code would not apply to schools as ISS, but they should not forget that UK GDPR does, and that the code still has lots of good stuff in it. 6/n – I’ve tended to say that it boils down to being nice to people, putting the children first and not the company!
The FAQs are also clear on where to get information about the relationship between data controller and data processor, the deciding factor on this. 7/n – And this is the context / bone of contention. More on that in a bit.
The FAQs are also clear about when the Code would apply, and it is not surprising that it is where the EdTech vendor is influencing the nature and purpose of children’s data processing. 8/n – We do need to be careful about letting people make presumptions about this though, and this is where more effort is needed to review what is happening. Taking a negative position (“Those companies will *always* want to monetise data”) is unhelpful, as is a blindingly positive one (“but no company would ever want to harm a child, surely?”)
Good examples include for their own commercial purposes, for product development/research (where research is not part of the service) and where the vendor has off-the-shelf, pre-defined edtech products. So, it comes down to school choice and configurations. 9/n – School choice is key here. They need to not only be the decision maker but *want* to be the decision maker.
None of this is unexpected for many people, but it might surprise others, including various EdTech vendors. This is why the challenges from groups like 5Rights and DefendDigitalMe are needed, to highlight where schools have not had that choice as data controller. 10/n – And this is not just for EdTech vendors, but also reseachers, charities, NGOs, and Govt bodies.
But the important thing to remember is that schools have a range of responsibilities for the care of their children, as well as their staff. If they are not the Data Controller, they should be asking themselves why. 11/n – I cannot emphasis this enough. This should stem all the way from the highest level of Governance at the school/trust. This is not just about data protection legislation, but schools and trusts knowing their responsibilities across the board.
Schools, don’t forget that off-the-shelf does not mean you don’t have control and cannot make changes to configurations. 12/n – The number of times I hear “but I never knew it could do that!” is scary. We often argue about the tail wagging the dog with technology, but we don’t ask often enough about how that is changed. It is not about making it an IT decision either, but part of the EdTech strategy.
Make sure you know what to do to ensure that you are making the decisions about how the systems are used. You may buy a minibus, but you are the ones that decides where to drive it! 13/n – The more information that can be shared within a Data Processing Agreement, any guides on products features and best practices, examples from case studies, will all be helpful when it comes to your DPIA and that all important record of the Purpose for using any products.
Vendors, you know your product best. You can give clear advice about how to apply the data protection by design and by default principles to it. It is then in the hands of the school as to what they do. 14/n – Again, that DPA, the guides, the case studies, the online training, the regular support and product updates. This is what makes the difference for schools.
Vendors, we know that you need to continuously develop and improve your products. We know you need data for that. We know that sometimes you tag it on as research. Please make sure that if you claim research it has a report at the end that all schools can see. 15/n – This is going to be contentious. Some will say that any use of school data to develop the product further is in the interest of the vendor, not the data subject. It is actually for the benefit of the school. If you are adding or improving features the school already pays for, then there is no additional benefit to the supplier within that relationship. If they are developing something new, then that is a different story. Whatever you do, make sure you communicate the how and why with schools, and also be prepared for them to say no!
Make sure that you get permission from each data subject/guardians to anonymise their personal data, or if it is a joint project with the school, make sure that all involved are consulted and clearly informed and consider the right to object. 16/n – If you are doing research properly then the data subjects and their family need to know, and this is where you hold your head high, be transparent and show what a difference it can make.
Schools, vendors will need data to improve products. If you want products to continue to improve, functionality extended & same price you pay right now, then look if it is part of the service you are paying for, and how the vendors are protecting the data – anonymising it? 17/n – We can get into a long discussion about anonymisation and who gives the authority for it. This comes back to transparency, looking at who it benefits, the methodology and ultimately who is responsible for the data being protected.
There is nothing wrong with getting involved in well-run research either, you just need to make sure it is for the right reasons and definitely not so a vendor have charge you for yet another product! 18/n – See above.
Vendors, don’t try to justify using school data to develop new functions as part of the service and then charge extra for the new service! 19/n – Ohyes, we know it happens and this is where we start talking about whether children’s data (and staff data) is being monetised. We should note that this is not selling the data to others though.
Schools, vendors are businesses and will use contact information as part of delivery of a contract to you. 20/n – There are rules around contacting the school as a business, running contracts and so on. This is different to them processing data to give you a service or tool. It is important that the vendor is clear on th difference, but you have to know that there is a difference.
This is not them taking children’s data but them running their business with them as a data controller and you as a customer. In any agreement you get with them, there should be a clear separation between the 2 areas. 21/n – See above
Vendors, please don’t mix up where you are running your business with schools as customers and where your service is operating as a data processor on behalf of the school. There are clear differences. 22/n – I cannot stress this hard enough. It is hard enough for experienced DPOs and lawyers to unpick some of the things in contracts and privacy policies. You have to make it clear there is a difference. Don’t include the stuff for running your business in the DPA. Reference it, by all means, but make sure there is a clear separation.
Also keep an eye on when you are ‘extending’ the functions so that you deal directly with children/their families or to staff. If you want to do that, it is separate to what you want to do for the school. Don’t poach data. If that is in place already, turn it off! 23/n – Parental and learner engagement is fantastic for driving progress with children. Many times those families want to do more and take on additional features or services you have. In these circumstances, when there is a direct relationship, then the vendor will be the controller for that section. Be clear where the line is. Also be clear how you get families hooked in. For this section, you will also be considered an Internet Society Service and The Children’s Code will apply.
Schools, if a vendor has extra functionality but it means they then have an open line to your children, then you are effectively giving that vendor an open market and free promotions. You don’t have sports day sponsored by McDonalds, with a mobile McD van in the playground. 24/n – It has happened in the past, where schools and vendors have thought it is a good idea. There might be benefits for the school but these would be outside of the core functions of the school, and so would not come under Public Task. Get that Legitimate Interest Assessment done then. If you are using a vendor as a commercial partner, that is different to running a service as part of the school’s core functions.
And finally, to everyone, this is not about red tape, this is not about stopping companies from earning money, this is not about something or other ‘trumping’ data protection. 25/n
This is all about the need to be responsible and look carefully about how children’s data is being use in EdTech. Be responsible. 26/end
Please, please, please don’t make presumptions about what can be done with data, think about the end user, make things easy between the vendor and the school, and most importantly … do not do your homework without wearing headphones!