The children’s internet code – what does it mean for schools?

20 September 2021

The Age Appropriate Design Code was brought in by the Information Commissioner’s Office (ICO), the UK’s data protection authority, last September. The ICO gave organisations 12 months to comply. On 1 September 2021, the code (commonly known as the ‘children’s internet code’) came into force.

While schools don’t need to take any action, it’s important to be aware of the new code. Online services now need to follow 15 standards to protect children’s data. The code applies to any “information society services” that are likely to be accessed by children.

What’s an information society service?

Information society services (ISS) are any services that are “provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.

In essence this means any services that children sign up to online. Remuneration refers to either paying to sign up, or revenue that’s generated through in-app purchases or advertising. ISS includes:

  • Apps
  • Games
  • Connected toys and devices
  • News and educational services
  • Social media
  • Content streaming services
  • Anything that offers goods and services

It does not include preventative or counselling services.

Although the children’s internet code itself is not primary legislation, the ICO will use it to assess whether an ISS is complying with the requirements of UK GDPR.

What does this mean for schools?

The children’s internet code applies to apps and services that children choose sign up to online themselves. It doesn’t include apps and services schools provide to pupils to aid with learning. But this doesn’t mean schools should ignore the code.

While the code doesn’t apply directly to the services provided by schools, they can still support children and parents to make good decisions. This is the best way to ensure schools meet their obligations when it comes to using ISS.

Schools could do this by:

  • Covering ISS in e-safety lessons, including using the ICO’s school resources for teaching children about privacy online
  • Providing information to parents
  • Covering safety on ISS in an ‘acceptable use policy’ for students
  • Including links on the school’s website to the ICO’s children’s internet code web pages

Potential penalties for non-compliance are the same as under GDPR. Support is provided first, but the ICO has the power to investigate where an organisation does not comply with the code.

Organisations would be expected to provide evidence that they designed any online services with the code in mind. Otherwise they could face fines of up to £17.5m or 4% of global turnover (whichever is higher).

Need support in making sure your school complies with UK GDPR?

Our specialist team acts as data protection officer for over 500 schools and academies.

Get in touch