What a DPO in the education sector can learn from the latest children and privacy report

When the GDPR came into force it introduced specific controls relating to children:

  • If you rely on consent as the lawful basis for processing personal data when offering an online service aimed at children, then you also need parental consent for any child 12 or under (and that means you’ll need a mechanism for identifying the age of the child and for confirming that the person giving consent for under 13s does in fact have parental responsibility)
  • When processing their data for marketing purposes
  • You shouldn’t usually use automated decision-making processes relating to children if this will have a legal or similar effect on them
  • Privacy notices need to be written, when addressing children, in a way a child would understand

And of course a child has the same rights as an adult when it comes to data protection compliance in general.

As well as enforcing the GDPR and its application to children, the ICO is obliged (via the Data Protection Act 2018) to produce a code of practice on age appropriate design. The Code will set out the expected responsibility for those building online services likely to be accessed by children. At the time of writing this post, the consultation has closed and we’re awaiting the output, i.e. the Code.

The ICO also funded, via its grant scheme, a research project by the London School of Economics (LSE): “Children’s data and privacy online: Growing up in a digital age”. This makes for an interesting read, mainly providing insight into what children think about data privacy. The highlights (although the report covers much more than these):

  • Children are often early adopters when it comes to new technologies, processing activities, etc. and often ahead of adults
  • Children care about their privacy and “engage in a wide range of strategies to keep their devices, online profiles and personal information safe from unwanted interference”
  • For children, there can be confusion between privacy in the context of e-safety and privacy with regard to data protection
  • Children focus on the data they know they give but don’t focus on how other data may be collected about them, so they won’t necessarily understand that an organisation may process the data they provide in other ways, or collect other data about them (e.g. for profiling)
  • Children don’t always understand the data privacy terminology they’re confronted with when data is being asked for

The report also takes a look at some teacher perspectives. Whilst teachers tend to be like other adults in terms of not keeping up with what children are doing with technology, there is certainty that schools are “GDPR compliant”, although perhaps not so in terms of some of the systems they are using.

That last point is an interesting one. Teachers often use third-party systems to process pupil data for their day-to-day processes (e.g. SIMs, Arbor, iSAMS information management systems), but they’re also using other third-party systems for which they perhaps don’t have a good understanding of how the pupil (and teacher) data is being processed. Of course, most schools are mandated to have a DPO, so they should be taking responsibility for how personal data is being processed by these third-party data processors.

We offer DPO and data compliance services to schools, multi-academy trusts, etc. and we think this report has very important messages for DPOs across the education sector:

  1. Don’t underestimate just how data privacy savvy children are – they probably have a better understanding than a lot of the adults around them
  2. Be prepared for more and more children to challenge how their data is being used – the report highlights that children “expect the internet to be mostly fair, and they expect parents, educators, regulators and companies to act responsibly and in children’s interests” and they want to make their own “decisions about their online participation and in protecting their privacy, but also see this as a shared responsibility of all the stakeholders involved”
  3. Children want things explained in a way they’d understand: they want child-friendly terms and conditions and want to understand more about how their data is being processed, with it explained in a way they’ll understand fully.
  4. Children expect the adults around them (i.e. teachers within school) to help them understand if they need help – the trouble is, those adults may not understand it themselves

For the DPO in the school, academy, trust, etc. this raises the question of whether their role as DPO is much wider than worrying about internal compliance, and extends to how they can help pupils understand how their data is used in the school and to being prepared to explain this to teachers. So maybe there’s a role for the DPO to help teachers deal more with their pupils’ data expectations, to educate more and support more than dealing with daily data compliance tasks.

If you’re a DPO in a school, academy or trust we’d be interested in hearing your thoughts on the report – it’s worth a read, if only to give a perspective on how children perceive data privacy. And of course, if you’re looking for support for your establishment, get in touch to see how we can help you.
