Best Practice Update

    You are here:  
  1. Home
  2. Best Practice Update
  3. Class Dojo International Data Sharing
blue globe of the world with a network around it. Data protection education across the centre
Best Practice Updates

Class Dojo International Data Sharing

Users of Class Dojo will recently have noticed that a requirement to provide consent for international data transfers was included to the login screen.

This is problematic for a number of reasons, least of all as data processor, Class Dojo cannot define the lawful basis for processing data, including for international transfers (Class Dojo is based in the USA). It's a complicated area, not least because consent is a valid international data transfer mechanism where Class Dojo has a direct relationship with the data subject - it isn't always contracted via the school.

However, we asked Class Dojo why they aren't using the ICO's preferred data transfer tool (we wrote a little about the issues of data transfers in our Brexit blog) which are standard contractual clauses (SCC). In response they sent us two documents:

1. ClassDojo's Student Data Privacy Addendum (DPA)
2. ClassDojo's International DPA with SCCs included

Along with these comments:

ClassDojo's Student Data DPA was developed in consultation with leading experts on student data privacy, GDPR, and FERPA and COPPA in the US. It is modelled after the National Student Data Privacy Model Contract through our membership with the Student Data Privacy Consortium (SDPC) and is being used across the EU and UK. It is incorporated by reference into our Terms of Service and Privacy Policy.
 
Additionally, if a school specifically requests, ClassDojo will enter into Standard Contractual Clauses in compliance with the European Commission (EC) and European Data Protection Board (EDPB) guidance.
 
However, as you are probably aware, on November 12, 2020, the EC issued a draft version of a new set of Standard Contractual Clauses (New SCCs). The New SCCs have been updated to reflect the high standard for data protection set forth in the GDPR and to take into account the requirements resulting from the Schrems II ruling invalidating the Privacy Shield. While the EC has released these New SCCs, the New SCCs were still subject to a comment period until December 10, 2020, and are not expected to be finalized until early 2021 at the earliest. Given this recent development and the fact that we also utilize consent, please let us know if you still want to proceed with reviewing the older version of the Standard Contractual Clauses (I have attached them here) or if would prefer to wait until these new SCCs are finalized by the EC in early 2021. If you proceed with the current Standard Contractual Clauses, please note that we will need to update our agreement with you once the New SCCs become finalized as is required by the guidance issued from the EC.

DPE recommends that where a school has bought into Class Dojo then they should complete and sign these documents and return as per the documents, to Class Dojo making sure you retain a copy. They are slanted to the US-based COPPA but cover the requirements for the (UK) GDPR.

We also will follow up with them in relation to the new SCCs in 2021 as at this time, it isn't clear what impact Brexit will have on their approval - though it does seem that the ICO is mirroring the European standards at this point in time.

Important notes:

1. The referred Schedule of Data is found in the Student DPA (it is referenced in the International DPA with SCCs).

2. Appendix 1 of the International DPA with SCCs has the following stipulation:

Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Data exporter shall not submit special categories of data to the SCC Services.

A reminder that special categories of data include:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data revealing trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • data concerning health
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation.

Therefore if you use Class Dojo for communication of any of these categories of data, then these are not covered by the SCCs and therefore safeguards do no apply. 

DPE recommends that Class Dojo is not used for the communication of any such categories of data, and that more secure methods are used.

pdf ClassDojo Student Data Privacy Addendum August 2020 (Int DPA Provisions) (570 KB)

pdf ClassDojo Int DPA with SCCs (EU & UK) (802 KB)

3. We remain in communication with Class Dojo - particularly about how school users will still be required to provide consent for the transfer at login - this is in many circumstances an unnecessary collection of consent, if not illegal as it can't be freely given when the use of the tool has been mandated as a task in the public interest by the data controller

 

©2024 Data Protection Education Ltd.

Search

  • News