Posts

“Hey Kid, Are You Even Old Enough to Be Here?” – The ICO vs. Big Social

In today’s hyperconnected world, it’s not uncommon for children to be more tech-savvy than the adults around them. But behind every cute dance video or viral meme lies a sophisticated system of data collection and recommendation algorithms, Many of which are now under scrutiny.

Recently, the UK’s Information Commissioner’s Office (ICO) launched formal investigations into three popular platforms; TikTok, Reddit, and Imgur, over concerns about how they handle the personal data of UK children aged 13 to 17. For educators and parents, this is a timely reminder: understanding the digital environments children are immersed in is no longer optional, it’s essential.

TikTok: Personalised, But At What Cost?

TikTok has become a fixture in many young people’s daily lives. Its algorithm seems almost magical in the way it recommends content. But the ICO is now investigating how that “magic” works when it comes to children’s personal information.

Is TikTok collecting too much data? Are its recommendation systems steering children toward inappropriate or harmful content? These are some of the key questions the ICO aims to answer.

This isn’t the first time TikTok has come under fire. In 2023, it was fined £12.7 million for unlawfully processing children’s data. The platform says it has since improved its safeguards, but the ICO is making sure those promises hold up under inspection.

Reddit and Imgur: How Do They Know a User’s Age?

Unlike TikTok, Reddit and Imgur aren’t in trouble for what they’re showing children, but rather how they determine whether someone is a child in the first place.

Currently, many platforms rely on self-declared age checks, systems that are easy for children to bypass. The ICO is now investigating whether Reddit and Imgur have adequate age verification in place to prevent underage users from accessing potentially inappropriate content.

Reddit has acknowledged the issue and says it plans to implement stronger age verification. Imgur has not yet commented publicly.

The Children’s Code: Why It Matters

These investigations are part of a broader regulatory effort called the Children’s Code, introduced in 2021. The Code sets out 15 standards that online services must meet to ensure children’s personal data is protected.

At its heart, the Code is built on a simple principle: what’s best for the child must come first.

That means:

  • Minimising data collection
  • Avoiding manipulative design
  • Clearly explaining how data is used
  • Ensuring privacy settings are age-appropriate by default

As adults, we play a critical role in helping children navigate digital spaces safely. The ICO’s investigations are an important step toward greater accountability, but regulation alone isn’t enough.

Here are a few ways you can help:

Start the Conversation

Ask children what apps they use and how they feel about them. Make tech a shared topic, not a private one.

Teach Critical Thinking

Encourage young people to question why they’re being shown certain content. What’s the platform hoping they’ll do next: watch more, click something, buy something?

Stay Informed

Keep up with digital safety guidance from trusted sources like the ICO, NSPCC, and Childnet.

Use Tools and Settings

Explore built-in safety and privacy controls on apps your child uses. These can often be customised to offer better protection.

The internet can be a wonderful place for learning, creativity, and connection. But it must also be a safe and respectful space for children. The ICO’s investigations send a clear message to tech companies: if you want to benefit from children’s attention, you must also earn their trust.

Let’s continue working together, as parents, teachers, and guardians, to ensure that the digital world treats our children with the care, respect, and dignity they deserve.

/by

Privacy Goes Global: Why the ICO Has Joined the Global CAPE and, Why Educators Should Take Note

It’s not every day you hear about global privacy treaties in the staffroom. Between lesson plans, playground duties, and wondering why the photocopier only jams when you’re in a hurry, international data agreements don’t always make it onto the radar.

But every now and then, something big happens that’s worth pausing for and, Global CAPE is one of those somethings.

So let’s break it down. No jargon, no legal waffle, just a clear, narrative explanation of what’s going on and why it matters to schools.

First Things First: What on Earth is Global CAPE?

Global CAPE stands for the Global Cooperation Arrangement for Privacy Enforcement. Think of it like an international support group but for data protection authorities. It’s a framework that allows privacy regulators from different countries to work together more easily, especially when investigating cross-border data misuse.

Why is this needed? Because in 2024, data doesn’t stay local. A student might use an education app built in California, hosted in Ireland, with customer support in Singapore. If something goes wrong with how that app handles personal information, who’s in charge?

That’s where Global CAPE comes in. It makes it easier for regulators to:

  • Share information securely,
  • Cooperate on investigations, and
  • Support each other when tackling global privacy issues.

In short, it gives watchdogs more teeth and a few more colleagues to back them up.

So, Why Has the ICO Joined?

Earlier this year, the UK’s Information Commissioner’s Office (ICO) officially joined Global CAPE. It’s part of a growing list of data protection authorities who recognise that privacy is no longer a purely domestic issue.

For the ICO, this move means:

  • More muscle in investigating international companies that may misuse UK citizens’ data.
  • A seat at the table when setting expectations for global data handling, especially for emerging tech.
  • Better collaboration with other countries to address risks affecting UK children and families.

As the ICO put it, this step helps ensure that UK citizens remain protected, even when their data travels the world. And let’s be honest, when it comes to edtech and online tools in schools, data is travelling the world.

Who Else Is in This Data Protection Dream Team?

The list of members includes privacy authorities from:

  • The United States (particularly the Department of Commerce)
  • Australia
  • Canada
  • Japan
  • South Korea
  • Mexico
  • The Philippines
  • Singapore
  • And now, the United Kingdom

It’s a truly international group and one that continues to grow.

Why Should Educators Care?

At this point, you might be thinking: Okay, but how does this affect me, the classroom teacher or school leader?

Here’s the link.

As more schools adopt cloud-based learning platforms, communication apps, and AI-powered tools, the question of where data goes and who is accountable when things go wrong is more important than ever.

When you use an app to track student behaviour, does the data stay in the UK? What happens if that company is based abroad and suffers a breach?

Global CAPE means the ICO can now collaborate more effectively with overseas regulators. That adds a layer of reassurance for schools, especially those using international tools and platforms.

And for school leaders, it sends a gentle but important signal that data protection isn’t just a tick-box, it’s a global issue. The choices you make around platforms, permissions, and parental consent really do matter.

In the grand scheme of education, Global CAPE might not change your day-to-day immediately. But it’s part of a wider story: one where governments are finally realising that digital rights, especially for children, need international protection.

And while your focus may rightly stay on helping students grow, learn, and thrive, you can also be confident that the data trail they leave behind is being watched over by more than just your school server.

Because privacy doesn’t stop at the school gate anymore and now, neither does enforcement.

/by

How the Department for Education ran into trouble with the ICO

Being as clear as mud when it comes to Data Protection

A key principle of data protection is transparency. You must be upfront about what you plan to do with personal data.

A failure to be transparent has recently brought the Department for Education into the Information Commissioner’s Office’s sights. Information from the annual census returns was apparently shared with Immigration Officials, without the data subjects being informed. This is the opposite to what you should be doing.

According to an article in the Guardian the ICO position is that:

“Our view is that the DfE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far reaching issues, impacting a huge number of individuals in a variety of ways.”

It’s not clear yet what the consequences for the DfE will be from these findings.

Just a few days before the news about the DfE broke, the Information Commissioner felt compelled to ensure that political parties understood their data protection responsibilities as we head towards the election in December.

In addition to telling the parties that they needed to follow the principles of data protection, she also specifically addressed the controversial issue from the Brexit Referendum and subsequent elections – advertising on social media.  You can read the Commissioner’s full statement here.

These concerns are about transparency. How do you know what someone is doing with your personal data and how that usage might affect your rights and freedoms? The GDPR is very clear about the information that should be provided especially when your personal data is being used. It’s not always clear how well individuals understand the information presented to them, if they are given any at all.

The principle of transparency doesn’t just apply to political parties and government departments. It should be the cornerstone of the data protection policies and practices for every organisation.

So, what does Transparency mean for an organisation in the Education sector?

  • You must be clear about why you are processing personal data
  • You must be able to show you’re using the minimum data necessary
  • You must be able to show you have a legal basis for your processing and sharing of data
  • You must take action to inform individuals about how their data is being processed

How can you demonstrate that you’re meeting these requirements?

Your data mapping, providing it follows the model set out by the ICO will address the first three and your privacy notices should address the last item.

Our experience is that many schools and colleges haven’t mapped their use of personal data to the level of detail that the regulation expects, and this could become a problem if a complaint is raised by a data subject.

You may know in detail how data is collected, stored, updated and shared, but the legislation requires that this is documented. Does your documentation fully cover the movement of personal data around the organisation?

Do your privacy notices strike the balance of informing individuals about how their data is used while being accessible and unambiguous.

While you try and figure out the fake news from the real around the election it may be a good time to ensure that you’re being properly open about the way you collect and use personal data.

If you are unsure how you process data, or would like some guidance on how to document this, please contact our GDPR experts on 0113 804 2035 or click here.

/by