GDPR within the EdTech sector – key issues to consider

The rise in prominence of the EdTech sector in recent years is undeniable. In particular, the COVID-19 pandemic has contributed to this more recently, as most educational institutions have either adopted a fully virtual educational experience or a hybrid model with a mix of virtual and in-person learning.

EdTech inevitably uses personal data of its users which often include minors, and therefore is subject to stringent rules under data protection legislation. It is imperative that EdTech providers and those working within the sector ensure that their systems operations remain compliant with data protection legislation, and we have set out below some of the key issues to consider:

Parental consent

The UK’s data protection legislation contains stringent regulations in relation to processing personal data of minors which, in the UK, are considered to be children under the age of 13 for personal data/PII purposes.  For those individuals over 13, organisations would, for the most part, be able to treat them in the same way as adults from a data protection compliance/data processing perspective.

It is likely that EdTech services will be considered as “information society services” due to the services being provided online and directly to the minors (i.e. if they are under 13).  Therefore, Article 8 of the General Data Protection Regulation 2016/679 (GDPR) would apply, which provides that consent will be required from the holder of parental responsibility for a child under 13 in certain circumstances, as summarised below:

• Parental consent will not be required: if the original legal basis for processing the personal data does not require consent (i.e. if another legal basis can be relied on); and
• Parental consent will be required: if the original legal basis for processing the personal data does require consent. For example, if personal data is collected for purposes such as (1) selling the data to third parties, (2) carrying out targeted advertising or (3) any other purpose which would not reasonably be expected as being required for the provision of EdTech services to the minor, then consent would be required.

If consent from is the holder of parental responsibility is required, then the relevant conditions for obtaining consent should be complied with and implemented – e.g. a box must be ticked or other positive action must be required (rather than a pre-checked box), the request for consent must be presented clearly, in an intelligible and easily accessible form, using clear and plain language and the individual must have the right to withdraw his or her consent at any time. 

Minors under 13 and the Age Appropriate Design code

The ICO also provides further guidance in relation to children under 13, in particular:

• in relation to privacy policies, as children under 13 may be less aware of the risks of the processing, the policy should explain the risks involved and any safeguards that have been implemented.  Information must also be child-appropriate and, as far as possible, addressed directly to the relevant age group; and
• if personal data of children under 13 will be used for marketing purposes or for the purposes of profiling (i.e. automated processing for evaluation purposes) or automated decision making, then a “data protection impact assessment” must be completed to establish whether the processing will result in a high risk to the rights and freedoms of the child; and
• the ICO’s “Age Appropriate Design” code for online services must be taken into account, which provides guidance and practical recommendations for businesses re compliance and safeguarding of children’s personal data. The code was implemented on 2 September 2020 and provides a 12 month transitional period to implement the necessary changes. The code can be found here: https://ico.org.uk/media/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services-2-1.pdf

Security

Article 32 of the GDPR requires that organisations implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:

• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The recent ICO fines issued to Marriott International Inc (£18.4million) and British Airways (£20million) in relation to cyber-attacks, highlight the importance for businesses to take security of its systems very seriously.

Unfortunately, the EdTech sector is not exempt from being targeted by hackers, particularly as they become more tech-friendly. In September 2019, a report issued by the National Cyber Security Centre and London Grid for Learning revealed that 83% percent of schools polled in the UK had experienced a cybersecurity incident. Recent figures have also shown that cybercrime attacks in the UK appear to be at an all time high since the Covid-19 outbreak. Britain’s National Cyber Security Centre has also reported that more than a quarter of incidents it responded to over the past year were Covid-19-related.

Data processors

Depending on the role of the relevant EdTech organisation, they may be considered as a “data controller” (i.e. an organisation that determines the purpose for processing the personal data) or a “data processor” (i.e. an organisation that processes personal data on behalf of a data controller) for GDPR purposes.

Wherever a data controller-data processor relationship exists, Article 28 GDPR requires a contractual data processing agreement to be in place between the two entities, to ensure that the data processor handles the personal data appropriately and in accordance with data protection legislation requirements.

International transfers

If there is an international element, and data will be transferred out of the UK/EU to an organisation that has not been subject to an adequacy decision, the default position is that such transfer will be prohibited unless one of the GDPR’s derogations for transferring data is complied with.

This will apply if, for example, an EdTech organisation operates in the UK but its servers are operated by one of its group members in a “prohibited” territory such as the US.  Appropriate measures would have to be implemented in this scenario, such as the entering into of the EC’s standard contractual clauses by the parties.

It should be noted that in respect of personal data transfers from the EU to the UK after Brexit, it will be required for the UK to apply to the EU for adequacy status. If the UK is not approved, it will be considered as a “third country” for GDPR purposes and subject to strict transfer rules (currently, there are no restrictions in place in respect of transfers to and from the UK-EU).

Conclusion

It is vital for organisations in the EdTech industry to ensure that data protection compliance is firmly on their radar, particularly given that data processing within the EdTech industry is at an all-time high together with the increasing number of cyber security attacks (and given that the ICO has powers to fine organisations up to 4% of turnover of 20million Euro (whichever is higher) for non-compliance).  Organisations should therefore waste no time in taking action, if they have not already, and to allocate appropriate resources in order to ensure that its businesses are and continue to be fully compliant.