Latest updates - last updated 30 May 2023
30 May 2023 - We have updated the format of this page and made it clearer when an ed-tech service may be in scope of the Children's code.
Edtech products and services that process children’s personal information may be in scope of the Children’s code. This guidance document is intended for providers of edtech services.
In this document, where we refer to schools, we include educational and training institutions processing the information of people under the age of 18.
At a glance:
- The requirements of data protection law still apply, regardless of whether the code applies.
- While schools are not Information Society Services (ISS) and are not in scope of the Children’s code, edtech providers may be in scope of the code.
- Edtech providers are in scope of the code if you process personal information beyond the instructions of a school, and determine why and how personal information is processed.
- The processing role of an edtech provider is not determined by your designation as a processor or controller as set out in a contract, but whether you in fact exercise control over the means and purposes of processing children’s personal information.
- Where you act as a controller and process information for your own purposes beyond the instructions of a school, the “public task” lawful basis (set out in Article 6(1)(e) UK GDPR) is unlikely to be an appropriate lawful basis for edtech providers.
In brief:
- When does the code apply to edtech service providers?
- When does the code not apply to edtech service providers?
- General obligations on edtech providers
When does the code apply to edtech service providers?
The code applies to edtech services that are likely to be accessed by children on a direct-to-consumer basis. These are services which are directly available to users on open platforms, such as the web or via an app store.
In this scenario, the edtech service meets all the criteria that define a relevant ISS in scope of the code.
The code applies even where you provide the direct-to-consumer edtech service on a non-profit basis. This is because most similar services are normally provided on a for-profit basis in the direct-to-consumer edtech market. This means non-profit edtech services are still considered “normally provided for remuneration” (this is part of the definition of being a relevant ISS).
The code also applies to edtech services provided to children through a school, where the edtech provider influences the nature and purpose of the processing of children’s personal information. Though schools themselves do not constitute ISS, an edtech service used within a school environment may still meet the criteria for an ISS (and you may be required to comply with the code).
Examples of where this is likely to apply include when, as an edtech provider, you:
- determine or influence the purposes for which personal information will be processed (eg by setting parameters of how the information can and will be processed);
- process children’s personal information for research purposes, where the research is not the core service procured by the school;
- process children’s personal information for marketing and advertising; and
- process children’s personal information for your own commercial purposes, which includes product development.
The school and edtech provider must consider your respective roles and responsibilities. You must determine whether, as the edtech provider, you are acting as a joint controller, independent controller or a processor. Our guidance on controllers and processors can support you to do so.
Whether or not you act as a processor or controller depends on the extent to which you determine the purposes and means of any processing. This is regardless of how your processing role is described in the contract.
Example
An edtech provider may describe itself as a processor in a contract but, in fact, processes children’s personal information outside the school’s instructions (unless where required to do so under UK law). The provider will act as a controller in relation to that processing.
In this scenario, the Children’s code applies to the edtech service, as the service meets all three criteria of the ISS definition. As the edtech provider is processing personal information beyond the instructions of a school, it cannot rely on their service being considered an extension of the offline activities of a school. Even if the edtech service may in practice be helpful to the delivery of education to children.
This is because the provider processes personal information for its own purposes, which are distinct from the school’s functions and core services procured by the school. As a result, the edtech service or product (and the edtech provider’s processing activities) are not integral for the school to discharge its duties and perform its functions as set out in law.
When does the code not apply to edtech service providers?
The code does not apply to edtech providers where all the following criteria are met:
- the edtech service is not accessed on a direct-to-consumer basis;
- the edtech provider only processes children’s personal information to fulfil the school’s public tasks and educational functions (as determined by the school); and
- the edtech provider acts solely on the instruction of the school, and does not process children’s personal information in any other form beyond these instructions.
Educational functions
If all the above criteria are satisfied, the code will not apply to you, as the relevant edtech provider. Your edtech service is procured by the school to fulfil its educational functions, and you only process personal information to fulfil the school’s educational function.
You are acting solely on the instruction of the school and do not exercise a decisive influence over how or why the school processes personal information.
In this scenario, you are a digital extension of the school’s offline activities and the school exercises the decisive influence over the processing. Your edtech product or service is not merely helpful for the school, but forms an integral part of the school’s functions.
In these circumstances the service’s use of children’s personal information must be limited solely to the school’s educational purposes. If you process children’s personal information for any other purpose (eg product development), you may be in scope of the code. See the section “When does the code apply to edtech service providers?” above for more information.
Role of the provider
If all the above criteria apply, it is likely that you, as the edtech provider, will act as a data processor in practice. If you determine how and why personal information is processed, you may act as a controller, and may be in scope of the code. See the section “When does the code apply to edtech service providers?” above for more information.
General obligations on edtech providers
As an edtech provider, you must comply with your respective obligations and responsibilities under UK data protection and e-privacy legislation, whether the code applies to your service or not. Please see our detailed guidance, including our guide to data protection, for further information.
For example, if you act as a controller, you must identify an appropriate lawful basis under UK GDPR for its processing. For more information, please see our detailed guidance on each lawful basis. The “public task” lawful basis (set out in Article 6(1)(e) UK GDPR) is unlikely to be an appropriate lawful basis for you, as an edtech provider.