The Children’s Code
The first update from the ICO is that the transition year for the introduction of The Children’s Code (also known as The Age Appropriate Design Code) has passed, with the code having come into effect on September 2nd.
For those unfamiliar with The Children’s Code, it imposes restrictions on how online services that are accessed by children under 18 (despite whether children are their target audience or not) are allowed to use their personal data.
The ICO has identified social media platforms, along with video and gaming platforms as posing the biggest risk, as children’s data is being used for sending children content and specialised personal features. This includes friend requests and messages, as well as ‘nudges’ aimed at keeping the user online for as long as possible.
The ICO have stated that they will require the services falling under the scope of the code to prove that they place children’s rights and safety as a primary concern, and how their services are made to be in line with the code. The next area that the ICO will tackle is ensuring services require age verification, and they will expect to formally set out their position on age assurance in the autumn, so look out for an update from us after there have been further developments on this.
If you would like to read the ICO’s full statement on the introduction of The Children’s Code, you can read it on their website by clicking here.
Alternatively, you can also read more about The Children’s Code here:
How the Children’s code applies to Schools, and your responsibilities when procuring Edtech solutions
To be covered by the new children’s code, organisations must meet several criteria and therefore be defined as an Information Society Service (ISS). Schools do not however meet the definition of an ISS, so the children’s code does not apply to schools.
Despite this however, the ICO still encourages schools to aspire to meet the 15 standards that the code sets out, as the code’s primary goals to ensure children’s data is being handled with best interests still closely aligns with schools’ educational mission.
In addition to this, whilst the code itself may not apply to schools, there are still policies under UK GDPR that must be complied with when procuring edtech services. It is important when contracting with edtech providers that you establish accurately whether they are data controllers or processors, and the level of which they are able to influence how children’s data is being used.
This is because in addition to who the new children’s code applies to as outlined in the above section, it also applies to edtech organisations that are providing a service to children through a school, where the organisation “influences the nature and purpose of children’s data processing.”
For this reason, the ICO suggests that schools and edtech providers consider their roles and establish whether the edtech provider is acting as joint controller or independent controller. For information on controllers and processors can be found here:
Feel free to ask us any questions regarding The Children’s Code by sending us an email, and we also encourage you to read the ICO’s full guidance and FAQs for education technologies and schools here:
https://ico.org.uk/for-organisations/childrens-code-hub/additional-resources/faqs-for-education-technologies-edtech-and-schools/