Newsflash - New Documents and The Children’s Code
New Documents Added
We have added the below new documents to the Documents section on jedu.co.uk.
- Cyber Security Policy (under Documents/School Policies): We have created a template for schools to set guidance for staff on how to minimise cyber-security risk. Before implementing this policy, you must ensure you review and update it as necessary with your IT team.
- Redaction Guidance (under Documents/Other Documents): some top tips and guidance on when it is necessary to redact documents, and how best to do this, as part of a data request.
We have also updated the below policies and privacy notices, mainly to change references within them from GDPR to UK GDPR. Our privacy notices now begin with a paragraph explaining UK GDPR as a result of Brexit. Our Data Protection Policy includes a paragraph on international transfers, which is now updated to mean transfers outside of the UK.
- Data Protection Policy (including Welsh version under Welsh Documents)
- Data Breach Policy
- Biometrics Policy
- Data Retention Policy
- Electronic Information and Communications Policy
- Information Security Policy
- Subject Access Request Policy
- Privacy Notice for Staff (including Welsh version under Welsh Documents and Coronavirus version under Coronavirus Documents)
- Privacy Notice for Pupils and Parents (including Welsh version under Welsh Documents and Coronavirus version under Coronavirus Documents)
- Privacy Notice for Visitors and Contractors (including Welsh version under Welsh Documents and Coronavirus version under Coronavirus Documents)
- Privacy Notice for Job Applicants (including Welsh version under Welsh Documents and Coronavirus version under Coronavirus Documents)
- Privacy Notice for Governors (including Welsh version under Welsh Documents and Coronavirus version under Coronavirus Documents)
Children's Code
We have received a number of enquiries about the Children’s Code (or Age Appropriate Design Code). Below, we explain what the code is, how it is likely to affect schools and what steps you can take to follow the code.
What is the code?
The code is a set of standards and principles that certain organisations must follow when using children’s data.
There are 15 standards, some of which you would expect many organisations to follow anyway, including:
- Age-appropriate applications
- Transparency with users, ensuring that communications are tailored for children to understand
- Requirement to carry out a data protection impact assessment (DPIA)
- High privacy settings by default
- Switching geolocation settings off by default (unless their use is necessary)
- Providing information about any parental controls in place
Who does it apply to?
The code applies to all “information society services” that supply online services which target children.
Information society services means “Any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” Examples include apps, games and websites, including social media platforms, but the code could potentially affect any service provided online where the provider engages with children directly. The service also needs to process personal data of the child for the code to apply (so if child data is anonymised, the code does not apply).
There are also exceptions to the above, which include:
- Services provided by public authorities, specifically services not provided on a commercial basis as it isn’t for remuneration – so if your school provides online learning and streaming for students this wouldn’t be covered by the code; and
- Websites which provide information about a real-world business or service i.e. it’s ok to have a website promoting your services as long as you aren’t actively allowing children to make purchases through your website. A booking service (such as for parents’ evening) also does not fall under the code.
On the basis of the above, it is unlikely that a school will be directly affected by the code.
How will the code affect my school?
Whilst it may not apply to your school directly, it is likely you will use organisations who do provide the above services. In this situation, it would be good practice to take steps to clarify that the provider is complying with the code.
For new providers, you can carry out this review as part of a DPIA. For current providers, you can simply contact them asking for documentation to confirm how they comply with the Children’s Code.
We can help you with these communications and/or review their documentation for you to determine compliance with the code.
When should I contact those providers?
The code does not require compliance until 2nd September 2021 and, even then, we would anticipate there will be a period of transition. It is useful to contact providers in advance of 2nd September; if providers confirm they are working towards meeting the standards in the code, this would be sufficient. You would not need to mark them as “not compliant” if they fail to provide you with the details before 2nd September.
What if an organisation says they do not need to follow the code?
This needs to be determined on a case-by-case basis but the definition of providers affected by the code is open to interpretation. We have also seen some organisations stipulate that they will seek to confirm they are out of scope of the code. It is unlikely the ICO will give a clearer definition on organisations that are affected - but they have stated that the onus is on the organisation to prove the code does not apply to them.
What are the implications if those organisations don’t follow the code?
For those that are required to follow it, the code is statutory. If they fail to follow it, this failure can be taken into account either in court proceedings or by the ICO when dealing with any data protection concerns they handle. This could mean the ICO could factor in any failure to follow the code in any enforcement action (such as enforcement notices, audits or fines).
The ICO won’t just monitor complaints coming in but are intending to pro-actively audit that the code is working (and have pencilled in reviewing the effectiveness of the code in 2022).
We are here to help!
Please do not hesitate to contact us if you have any questions: georgina.decosta@judicium.com or on 07399185443.