Over the past 18 months, the growth of the education technology sector has accelerated dramatically. In the UK alone, analysts estimate the edtech market surged by 72% in 2020, and in January was worth almost £3.5bn.

Good news if you’re running a company in this field. But here’s why privacy needs to be top of your priority list if you’re riding the crest of the edtech wave. 

1. Protecting children’s privacy is governed by law 

Children may be less aware of the risks and their rights when it comes to the processing of personal data, so GDPR (and UK GDPR) and the ICO’s Children’s Code provide specific protection for them. There is a lot in the rules to absorb and implement for organisations whose services may be accessible by children, so such businesses may need extra help to comply. Measures include requirements that information given to a child must be in clear language that they understand, that privacy settings must be set to high privacy protection by default, and that prominent, easily accessible tools should be provided to help children exercise their data protection rights and report any concerns. Child-friendly design should be incorporated, and a Data Protection Impact Assessment should always be carried out before launching any service which will fall under the scope of the Children’s Code. In addition, any personal data of a child should only be shared with a third party when there is a compelling reason to do so.

2. The dangers of cyberattacks

There’s been a steady rise in cyberattacks on schools, colleges and universities over the past year. Despite the GDPR applying to schools, they’re seen as easy targets to exploit, with generally quite lax security procedures, and low cybersecurity awareness among staff and leadership teams. When the pandemic hit, for example, there were a number of reports of ‘Zoom-bombing’, with uninvited guests able to drop into virtual lessons. School leaders are increasingly aware of the need to ensure the businesses and platforms they work with take this issue seriously, even if they don’t consider themselves technically minded. Under the GDPR, schools have to appoint a Data Protection Officer who will monitor the school’s data protection policy, provide training and conduct audits. High-profile data breach incidents, such as the $1m fine the London-based publisher Pearson will have to pay for misleading its investors about the theft of millions of students’ records, have also heightened awareness. And in Kent, two schools were forced to close recently after hackers broke into their servers, stole data and encrypted pupil information.

3. Creating digital footprints 

As well as the issue of data breaches, adults are starting to wake up to the fact that children have digital footprints long before they mean to. The average parent shares almost 1,500 images of their child online before their fifth birthday, and more than 80% of children have an online presence before they turn two. Barclays bank believes the phenomenon known as “sharenting” could contribute to two-thirds of identity fraud by 2030. And according to associate professor Leah Plunkett, who has written a book on the subject, it’s not just parents who are contributing to this “digital dossier” – it’s teachers and edtech businesses too. Businesses working in this space should ensure the data they collect is necessary, is only kept for a predetermined period of time and is only ever used for the reason given when it was collected.

4. Teaching children to protect their rights

The shift to digital in education has happened faster than many anticipated. Many school leaders are excited about the potential, but any transformation has to happen with a degree of common sense. In Scotland, for example, nine schools in North Ayrshire recently introduced facial recognition software to verify children’s identities when paying for school meals. The ICO urged a “less intrusive” approach, saying “organisations need to carefully consider the necessity and proportionality of collecting biometric data”. Privacy campaigners argue we should be teaching children to protect such highly sensitive, personal data, rather than give it away so easily. Privacy is a human right, and one that isn’t easy to reinstate once it’s gone. GDPR audits for schools should be thorough and up to date, and children should be taught the importance of GDPR in class. 

5. It’s about trust

Schools have embraced technology during the pandemic like never before, and many will continue doing so in the future. Two-thirds of British teachers say they’ve become more confident using edtech since March 2020 and 75% believe online remote or blended learning will continue to play a role in education post-lockdown. There are benefits around inclusivity, personalising education pathways, and providing extra support to those students who need it. But more than any other sector, technology companies that engage with education institutions need to create and nurture a feeling of trust. That’s built through awareness and transparency, so schools are aware of what happens to the data collected; by proactively safeguarding the rights of users – in this case, children; and by championing privacy by design.

Are you building a culture of continuous privacy compliance?

Schools and edtech companies alike can take our free GDPR compliance health check and receive an objective, personalised GDPR audit report that outlines what your organisation is doing well and where there’s room for improvement. It takes just 10 minutes, is easy to understand and requires no preparation.