by Ayça Atabey, Louise Hooper, Sonia Livingstone and Kruakae Pothong
We warmly welcome the recently updated guidance from the Information Commissioner’s Office (ICO) on how the Age Appropriate Design Code (AADC) applies to educational technology (EdTech). Key improvements include:
- Clarifying that EdTech providers’ roles as ‘data processor’ or ‘data controller’ are established based on the evidence of control over the means and purposes of processing children’s data rather than the providers’ own designation in the contract.
- Clarifying when EdTech providers can fall under the scope of the AADC as information society services (ISS) even though their services are provided through schools.
- Removing the terms that created confusion (such as ‘off-the-shelf’ products).
- Underscoring that data protection law requirements still apply, regardless of whether the AADC applies.
- Highlighting that EdTech providers must identify an appropriate lawful basis under UK GDPR for their processing, and specifying when the public task lawful basis is unlikely to be appropriate.
The Digital Futures Commission has been in correspondence with the ICO throughout its work on the governance of education data. This includes sharing our research evidence and concerns, calling on the ICO to bring clarity on the interpretation of the law in children’s best interests as to when the AADC applies to EdTech. Below we explain how the above improvements relate to the changes our research and letters called for.
We had identified pressing challenges in applying the AADC to EdTech, highlighting EdTech companies’ significant latitude in interpreting the law while schools are burdened with difficult, if not impossible, responsibilities for the data processing by hugely powerful and often unaccountable companies. For example, one of the significant challenges we identified was that EdTech companies position themselves in their contracts with schools as data processors, identifying schools as data controllers, when in reality the actual processing of data by design was beyond schools’ comprehension or control. EdTech companies also often offer optional features over and above those required for their core educational purposes, blurring the boundary between data processing for the purpose of the school’s specified learning activities and for other purposes.
The ICO’s new guidance brings clarification to this by explaining that the ‘processor’ or ‘controller’ role of an EdTech provider isn’t determined by its own designation as stated in the contract but by whether the EdTech provider, in fact, exercises control over the means and purposes of processing children’s data. We believe it would still be helpful to give specific examples concerning education in the ICO’s general guidance on data controllers and processors.
We also argued that the AADC should be more widely applied to EdTech than is currently the case, and made proposals to the ICO for developing its framework on children’s best interests. We particularly called for the confusion to be resolved over whether the AADC applies to EdTech used in schools, and whether an ISS likely to be accessed by children via the school as an intermediary should fall within or outside the AADC’s scope.
We identified that wording used by the ICO in its previous guidance, such as “off-the-shelf” and “pre-defined”, created confusion, arguing that there was no clear definition of these terms. We are glad to see that the new guidance on EdTech has removed the previous statements that created confusion.
We also highlighted that the ICO’s initial reference to EU case law created confusion and was unclear. We are glad to see that the new guidance has removed the reference to that case law and instead focuses on clarifying, with examples, when an EdTech provider is an ISS that falls under the scope of the AADC.
In our reports and blog posts, we consistently emphasised the importance of EdTech companies fulfilling their responsibilities to comply with the law. Specifically, we underscored the crucial role that data protection principles, such as fairness and data minimisation, play in protecting children from commercial exploitation and upholding their rights. We argued in our letter and research that regardless of whether the AADC applies, EdTech providers must comply with the UK GDPR. We are pleased to see that the ICO has explicitly highlighted this point among the key aspects featured in the ‘at a glance’ section of its new guidance.
Moreover, we argued that choosing a lawful basis should not be seen as a checklist. In our reports, we expressed our concerns mainly about EdTech providers’ use of the lawful bases of legitimate interest, contract, and public task. In our letter to the ICO, we specifically called for clarification on ‘public task’, and we are glad to see that the new guidance highlights that the ‘public task’ lawful basis is unlikely to apply to EdTech providers’ data processing beyond the instructions of schools. As such, EdTech providers must identify another appropriate lawful basis under UK GDPR.
We are pleased to see that the ICO has considered our concerns and updated the guidance on the AADC and EdTech, now clarifying the ongoing debates and questions regarding the scope and applicability of the AADC. This is a significant step towards clarity in protecting children’s right to data protection and privacy and prioritising their best interests in today’s data-driven education system. While we celebrate the progress made, we recognise that challenges persist. Some ongoing concerns include the use of biometrics, emerging AI practices and the lack of standards on what constitutes a public task of education. We also remain concerned about the still inadequate purpose limitation on the use of data about children obtained in education.
At the end of its work, the Digital Futures Commission published a Blueprint for education data that calls for a child rights-respecting approach, to be achieved through the introduction of 10 EdTech certification criteria.
The Blueprint calls on the ICO also to develop an education-specific checklist to identify the controller in practice, and calls for reinforcing the Department for Education’s (DfE) application of the Five Safes Framework with a robust audit system to ensure that the DfE’s data sharing of children’s education records adheres to data protection laws and the Five Safes Framework.
The Blueprint also calls on the DfE to develop, with the support of the ICO and/or Crown Commercial Service, standard contractual clauses for schools to insert into their contracts with EdTech providers. Finally, the Blueprint calls on the DfE, in consultation with relevant expert advice, to introduce an evidence-based certification scheme to cover the use of EdTech in schools based on the 10 criteria, and to encourage EdTech certification uptake, among other actions listed in our recommendations.