20 November, 2018
It is a factor of modern life that more and more aspects of education are moving onto digital platforms. From school websites to mobile applications, cloud services to distance learning, more and more personal data is being processed online, and in the case of schools this would involve the personal data of children.
Given this, a major point schools should consider is whether they have to apply the age verification and consent procedures laid out in Article 8 of the General Data Protection Regulation (GDPR) and, if so, what they should do about it.
The crux of Article 8 of the GDPR is that anyone directly offering an 'Information Society Service' (ISS) to children is required to apply a system that confirms the user's age and their consent to its use.
The UK has set this age at 13 years old, so anyone younger than this requires parental/guardian consent to use the service, and this consent needs to be verified (older children can give consent on their own). This is not universal across the EU; Germany, for instance, has set its age limit at 16 years old, so any school operating internationally will have to consider such variations.
The basic definition of an ISS is:
"any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services."
The Information Commissioner's Office (ICO) takes this to mean 'most websites, apps, search engines and online market places', which raises the question of whether the online services of schools fall under this definition.
An important distinction in Article 8 is that it only applies if the services are being offered directly to the child. If they are being offered through an intermediary, such as a school, then the ICO has stated this does not constitute being directly offered. For example, if a school offers a child the use of a third-party application such as 'Mathletics' as part of the curriculum, then Article 8 does not apply.
Elsewhere, a school may offer a website, forum or even a bespoke, commissioned app directly to a child, and therefore Article 8 would apply.
Note that the "remuneration" does not have to come from the users themselves (in this case the pupils), but can be funding from other streams such as advertising. It remains unclear whether various school funding streams constitute remuneration, though the ICO holds in its guidance that 'most online services are ISS'.
It is understandable that schools will find it difficult to determine which of their online services are ISS and, if they are, whether they fall under Article 8. As GDPR is still in its infancy, schools are advised to seek legal advice in order to establish their Article 8 responsibilities for any online services they provide to their students.
Before anything else, a school should conduct a Data Protection Impact Assessment (DPIA) in order to determine the risks to the rights and freedoms of the data subjects. This exercise may end with the school realising that the ISS in question is not in fact directly aimed at children (e.g. it is a parents' forum and therefore only for adults), in which case Article 8 does not apply.
If you are running an ISS and need to conform to Article 8 then, as stated before, you will need to provide a mechanism both for verifying that the user is 13 years old or above and, for anyone younger, for obtaining parental/guardian consent in their stead.
The DPIA should help you decide what steps you need to take in order to verify both the age of the user and, if required, who holds parental responsibility. This could be done in a variety of ways, although each ISS should be considered on its own and one-size-fits-all solutions should be avoided.
Whilst a confirmatory tick box may be the solution for one ISS which processes very little of a child's data, another ISS may require a confirmatory e-mail from parents explicitly stating their consent and their parental/guardian role. The more personal data an ISS uses, and the higher the risks to the child, the more stringent the verification process should be.
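The consent gate described above can be expressed as a small decision routine. The following is an added example written for this page, not code from the original post or from the ICO: it applies the age-of-consent threshold for the user's jurisdiction (the UK's 13 and Germany's 16 come from the text; the 16-year fallback is the Article 8 default where a member state has not lowered it), chooses a verification tier from the DPIA risk rating, and checks whether a recorded consent actually meets that requirement. The risk scale, tier names, `ConsentRecord` fields and the sample values are assumptions for illustration.

```python
"""Consent gating for a school-run Information Society Service (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Age of digital consent by ISO 3166-1 alpha-2 country code. GB=13 and DE=16 are stated
# in the post; other countries fall back to the Article 8 default of 16 (assumption: the
# table would be extended from legal advice for every jurisdiction the school operates in).
DIGITAL_CONSENT_AGE = {"GB": 13, "DE": 16}
DEFAULT_CONSENT_AGE = 16

# Verification tier required for each DPIA risk rating (assumed three-point scale).
# The more personal data the ISS processes, the more stringent the check must be.
VERIFICATION_TIER_BY_RISK = {
    "low": "tick_box",            # self-declaration checkbox
    "medium": "parent_email",     # confirmatory e-mail from the parent/guardian
    "high": "verified_document",  # out-of-band check of parental responsibility
}
# Ordering lets a stronger method satisfy a weaker requirement, but never the reverse.
TIER_RANK = {"tick_box": 0, "parent_email": 1, "verified_document": 2}


@dataclass
class ConsentRecord:
    """What the service stored when consent was captured (hypothetical schema)."""
    given_by: str                          # "child" or "parent"
    method: str                            # verification tier actually used
    guardian_contact: Optional[str] = None  # required when a parent consents
    given_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def consent_age_for(country: str) -> int:
    """Threshold below which parental/guardian consent is required."""
    return DIGITAL_CONSENT_AGE.get(country.upper(), DEFAULT_CONSENT_AGE)


def required_consent(age: int, country: str, dpia_risk: str) -> dict:
    """Who must consent, and how strongly the service must verify it."""
    tier = VERIFICATION_TIER_BY_RISK[dpia_risk]
    if age < consent_age_for(country):
        # Under the threshold: consent comes from the parent/guardian, and the
        # service must also establish that the person holds parental responsibility.
        return {"consent_from": "parent", "verify": tier,
                "also_verify": "parental_responsibility"}
    return {"consent_from": "child", "verify": tier, "also_verify": None}


def consent_is_sufficient(record: ConsentRecord, age: int, country: str,
                          dpia_risk: str) -> bool:
    """True only if the stored consent meets the requirement for this user and ISS."""
    need = required_consent(age, country, dpia_risk)
    if record.given_by != need["consent_from"]:
        return False  # e.g. a 12-year-old in the UK ticked the box themselves
    if TIER_RANK[record.method] < TIER_RANK[need["verify"]]:
        return False  # verification weaker than the DPIA demands
    if need["consent_from"] == "parent" and not record.guardian_contact:
        return False  # nothing recorded to show who the consenting adult was
    return True


if __name__ == "__main__":
    # Constructed sample: a UK pupil aged 12 on a medium-risk ISS.
    rec = ConsentRecord("parent", "parent_email", guardian_contact="guardian@example.invalid")
    print(required_consent(12, "GB", "medium"))
    print(consent_is_sufficient(rec, 12, "GB", "medium"))
```

The same record that passes for a UK 14-year-old would fail for a 14-year-old in Germany, which is the point of keeping the threshold per jurisdiction rather than hard-coding 13. Note also that the check is purely about whether the right person consented with strong enough verification; deciding the tier is the DPIA's job, not the code's.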
If you are using a third party to run your verification system then you will have to ensure, through a data processing agreement, that their services are compliant with Article 8 and that the agreement covers the school for any breach on their part. You will also need to consider how you will 'verify their verifications' as a form of due diligence.
Article 8 does not apply to any ISS which is designed to offer preventative or counselling services. In such cases, parental consent is not required, as it will be in the best interests of the child to accept the child's own consent or to run the ISS on the legal basis of 'public task' or 'legitimate interests'. In any case, a DPIA should still be conducted in order to identify the risks to the child and the legal basis you may rely on.
Note that if you are offering an ISS on a legal basis other than consent then you do not fall under Article 8, but this raises its own concerns. Both GDPR and the ICO hold that children are inherently more vulnerable when it comes to data processing and require a higher threshold of safeguards when it comes to the legal basis for such processing. Whilst there may be statutory requirements or legitimate interests to run the ISS, these need to have a solid basis and be carefully documented in case of challenge further down the line.
The ambiguity surrounding Article 8 and ISSs in general will hopefully become clearer as more guidance comes out from the ICO and the education sector itself. In the meantime, consider the points raised above for each online service your school offers, make sure you conduct in-depth DPIAs for each online service at the earliest opportunity, and seek legal advice if you are in any doubt.