Following an investigation into the governance of the personal learning data of children being collected and processed in UK state schools, the Digital Futures Commission (DFC) was “dismayed” to discover the extent to which such data is being used for commercial purposes.
The DFC’s Governance of data for children’s learning in UK state schools report, launched today (1 July) in an official event over Zoom, reveals significant regulatory and implementation gaps in the sector’s current data governance framework, including legal and practical difficulties faced by schools, regulators, edtech businesses and families alike.
The DFC is part of the 5Rights Foundation, a UK charity dedicated to building the digital world children deserve. “This means that we work wherever technology intersects with children and childhood, which increasingly is almost every aspect of their lives,” said Beeban Kidron, chair of the 5Rights Foundation, in an introduction to the report at today’s launch.
Presented by Professor Sonia Livingstone OBE, leader of the DFC research team and professor of social psychology at the London School of Economics (LSE); and Emma Day, author of the report, the virtual event introduced the recent findings and offered a platform for the panel – including Bill Thompson, principal research engineer for BBC Research and Design, and Jacob Ohrvik-Stott, acting head of domestic regulatory strategy at the Information Commissioner’s Office (ICO) – to consider the increasing role and impact of edtech in the lives of children and young people, as well as outline possible steps to better regulation.
The DFC hopes the detailed exploration of pupil data usage in state school settings will help the sector work towards a “rights-respecting framework” for education, data governance and practice. In a year spent with a Year 9 class to gain an in-depth understanding of students’ digital lives, Livingstone said she “observed with some amazement, the sheer number of data points entered by teachers into the school Information Management System every single lesson”.
In light of this, said Livingstone at today’s event, there has been exponential growth in data processing from children in education settings, not just in the UK but worldwide. “And this has been greatly accelerated during the pandemic,” she said. “Much of this data is knowingly given by children and teachers, [and] whether or not they have a choice, even more of that data is not knowingly given.”
“Much of this data is knowingly given by children and teachers, [and] whether or not they have a choice, even more of that data is not knowingly given” – Professor Sonia Livingstone, DFC
The primary intention of the DFC’s report is to understand how this data can be harnessed to benefit children and the learning process itself, but in doing so the Commission unravelled the sector’s mounting concerns surrounding the potential for data misuse, exploitation, surveillance and bias, as well as concerns around the “unknown future consequences for children’s learning and assessment, and their rights now and into the future”, in the words of Professor Livingstone.
However, according to the DFC, the beneficial use of data within the state school sector is not possible without first laying out a “trusted and effective governance regime”.
“We hope our report draws attention to the problems with the current data governance framework, and that it results in urgent improvements” – Professor Sonia Livingstone, DFC
In an exclusive comment on the findings, Livingstone told ET: “Having set out to map possibilities for sharing children’s education data for projects in the public interest, the Digital Futures Commission was dismayed to discover instead how much data is collected from children during their learning and used for commercial purposes in ways that give children, parents and schools little or no control. We hope our report draws attention to the problems with the current data governance framework, and that it results in urgent improvements.”
As the panel’s ICO representative, Ohrvik-Stott said of the report at today’s event: “There’s never been a more important time to ask the questions that the Commission is asking.” He also said he found the report “reassuring”, since it reached similar conclusions to previous research carried out by the ICO itself.
“…I hope it has some reassurance to you all that the issues that are raised don’t come as a surprise to us” –Jacob Ohrvik-Stott, ICO
“Not in the challenges discussed, obviously” he explained, “but in that it validates the picture that we’ve been building up in our work on edtech…and I hope it has some reassurance to you all that the issues that are raised don’t come as a surprise to us.”
When asked whether there is a case for stopping the use of edtech, or at least certain aspects of edtech, until appropriate regulations are in place, Ohrvik-Stott responded: “My answer is that I would push back on the framing that there are no protections in place. Code or no code, we have UK GDPR…the role of the code is just to articulate what those principles mean in practice…I’d always stress that people need to follow the UK GDPR principles regardless.
“In our engagement anecdotally,” he added, “we don’t get the impression necessarily that people want edtech services to be stopped in the round. They get that in some places they do genuinely do really good things for digital inclusion, [and] the pedagogical effectiveness of a lot of the services is really significant. So we wouldn’t want to throw the baby out with the bathwater where we do need to get better.”
To address what the Commission calls “regulatory and implementation gaps”, as well as enable data-sharing that’s in the public interest, the report proposes a staged approach to developing and implementing “rights-respecting data governance and oversight of the learning edtech sector”. For this, the DFC lays out 10 recommendations, which are:
- The current governance framework is complicated, and the experts interviewed by the DFC found it confusing. As such, there is a need for simplified ICO guidance that explains how the UK GDPR and the DPA 2018 should apply to the education data collected and processed by edtech companies in UK schools.
- There is need for a review of the procedures used for accessing National School Data from the Department for Education (DfE), as well as for stricter adherence to the Five Safes framework as required by the DEA 2017.
- The DfE should produce guidance for edtech companies, detailing how learning tech must fulfil a defined educational purpose that’s supported by ‘robust’ evidence. The DfE should define, in detail, the meaning of an educational purpose and maintain an independent evidence base to back it up. The Department should also offer guidance on the use of experimental edtech tools with no proven evidence base in schools, as well as rules related to the participation of school students in research trials for commercial edtech products.
- Create a LendEd library to construct a different way to rate products based on formal evidence rather than anecdotal opinions – which, says the DFC, is not a good basis to assess the effectiveness of learning tools.
- Government must develop rules for schools’ procurement of learning tech. It is their responsibility to produce an independent oversight mechanism as the “overall duty bearer”.
- The DfE should work alongside the ICO to ensure edtech companies comply with the law as so far, the government has not paid sufficient attention to their compliance with data protection laws.
- The Schools Commercial Team, which oversees procurement within the DfE, should develop specific procurement rules for schools entering into contracts with learning edtech companies, also covering products that are offered for ‘free’.
- As a matter of public policy, the government must set limitations on the terms edtech companies use to contract with children via schools.
- The ICO should develop standard contractual clauses between schools and edtech companies, detailing the kinds of data that can be processed from children under a legitimate and lawful basis.
- If the UK is to lead in the global education marketplace, compliance with the best international standards on data protection and child rights makes good business sense.