The rise in prominence of the EdTech sector in recent years is undeniable. In particular, the COVID-19 pandemic has contributed to this more recently, as most educational institutions have either adopted a fully virtual educational experience or a hybrid model with a mix of virtual and in-person learning.
EdTech inevitably uses the personal data of its users, who often include minors, and is therefore subject to stringent rules under data protection legislation. It is imperative that EdTech providers and those working within the sector ensure that their systems and operations remain compliant with data protection legislation, and we have set out below some of the key issues to consider:
The UK’s data protection legislation contains stringent regulations in relation to processing the personal data of minors, who, in the UK, are considered to be children under the age of 13 for personal data/PII purposes. For individuals aged 13 or over, organisations would, for the most part, be able to treat them in the same way as adults from a data protection compliance/data processing perspective.
It is likely that EdTech services will be considered “information society services”, since they are provided online and directly to minors (i.e. children under 13). Therefore, Article 8 of the General Data Protection Regulation 2016/679 (GDPR) would apply, which provides that consent will be required from the holder of parental responsibility for a child under 13 in certain circumstances, as summarised below:
If consent from the holder of parental responsibility is required, then the relevant conditions for obtaining consent should be complied with and implemented, e.g. a box must be ticked or another positive action must be required (rather than a pre-checked box); the request for consent must be presented clearly, in an intelligible and easily accessible form, using clear and plain language; and the individual must have the right to withdraw his or her consent at any time.
Minors under 13 and the Age Appropriate Design code
The ICO also provides further guidance in relation to children under 13, in particular:
Article 32 of the GDPR requires that organisations implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:
The recent ICO fines issued to Marriott International Inc (£18.4 million) and British Airways (£20 million) in relation to cyber-attacks highlight the importance for businesses of taking the security of their systems very seriously.
Unfortunately, the EdTech sector is not exempt from being targeted by hackers, particularly as schools become more tech-friendly. In September 2019, a report issued by the National Cyber Security Centre and London Grid for Learning revealed that 83% of schools polled in the UK had experienced a cybersecurity incident. Recent figures have also shown that cybercrime attacks in the UK appear to be at an all-time high since the COVID-19 outbreak. Britain’s National Cyber Security Centre has also reported that more than a quarter of the incidents it responded to over the past year were COVID-19-related.
Depending on its role, an EdTech organisation may be considered a “data controller” (i.e. an organisation that determines the purposes for processing the personal data) or a “data processor” (i.e. an organisation that processes personal data on behalf of a data controller) for GDPR purposes.
Wherever a data controller-data processor relationship exists, Article 28 GDPR requires a contractual data processing agreement to be in place between the two entities, to ensure that the data processor handles the personal data appropriately and in accordance with data protection legislation requirements.
If there is an international element, and data will be transferred out of the UK/EU to an organisation that has not been subject to an adequacy decision, the default position is that such transfer will be prohibited unless one of the GDPR’s derogations for transferring data is complied with.
This will apply if, for example, an EdTech organisation operates in the UK but its servers are operated by one of its group members in a “prohibited” territory such as the US. Appropriate measures would have to be implemented in this scenario, such as the parties entering into the EC’s standard contractual clauses.
It should be noted that, in respect of personal data transfers from the EU to the UK after Brexit, the UK will be required to apply to the EU for adequacy status. If the UK is not approved, it will be considered a “third country” for GDPR purposes and subject to strict transfer rules (currently, there are no restrictions in place in respect of transfers between the UK and the EU).
It is vital for organisations in the EdTech industry to ensure that data protection compliance is firmly on their radar, particularly given that data processing within the EdTech industry is at an all-time high, together with the increasing number of cyber security attacks (and given that the ICO has powers to fine organisations up to 4% of turnover or 20 million Euro, whichever is higher, for non-compliance). Organisations should therefore waste no time in taking action, if they have not already, and in allocating appropriate resources to ensure that their businesses are, and continue to be, fully compliant.