Children’s Safety in Tech Part 2: CRIAs & EdTech Services

Read part 1 here!

Edtech services can enhance teaching and learning within the classroom, and we have all become well acquainted with different software over the pandemic to promote a healthy learning environment during distance learning. Schools were able to truly unlock the potential of technology, with the term “...there will never be another snow day again” being thrown around due to our accessibility to online learning. As humorous as it is, it’s true! Risks that would have to be planned for in the past can now be solved by the odd day of online learning, meaning that we have, in a sense, advanced to a point where we are unaffected by risks that would have taken up staff time and bandwidth beforehand. However, although edtech services can come with a plethora of benefits, schools should make an effort to understand that at times, software that benefits the education of a student can come with risks for the child.

No matter what your role is within the school, can you confidently say you know the number of applications, services that you have signed your students up to in your classroom alone? Now think about every department in the school, admissions, finance, IT, how many external vendors are students being enrolled into, and how much of their data is being shared. If say, 100 people came up to you in the street and asked for your personal information, you would want to know exactly what they were going to do with it, maybe where it is stored, but also how it is protected when it is shared with others and stored away. So, why is it any different when it comes to online services? 

Sometimes schools may decide that the benefit that a piece of software brings to the student’s education is worth the risk that is posed to their data. For example, if a teacher had two special education needs and disabilities (SEND) students in their class that needed extra support to learn maths. They have tried different methods of teaching and nothing seems to stick. They find an application that is tried and tested, and seems like an application that will advance the learning of the students. However, there is one catch. The app extensively tracks their learning behaviour and monitors their search history. The school has the option to use this application, whilst taking the risk to the children's data protection as long as they have weighed up the benefit to their learning, and the risks that are posed to them. 

But how can I do this with confidence?

Child Rights Impact Assessments are an easy way to determine whether the edtech services that your school wants to use, benefit the students’ learning enough to approve and participate in the transferring of their data. This type of impact assessment allows schools to take a holistic approach to using software and applications by considering what the risk is to the child’s security and protection. Before performing a CRIA there is a lack of visibility around what risks are posed to the rights and freedoms of the children at your school. Not knowing these risks makes it very hard for schools to mitigate them, and protect the students from harm.  By taking into account the risk factor, schools are not only able to protect students by not using external vendors that don’t adequately protect their data, but also to take accountability and be able to evidence the reasoning behind using the vendor. By having CRIAs peer assessed, schools can also remove the risk of their being a single point of failure within their data privacy compliance programme.

Some of the questions that are asked of you during the process of a 9ine CRIA include:

• Whether the technology creates an online profile of the child, that if not managed, may give rise to others making judgements of that child and potentially contribute to harm
• Whether the technology makes automated decisions to tailor or influence the learning journey of the child
• Whether the technology contributes to or create an online digital footprint of the child
• Whether there are any known data privacy or security concerns for this type of technology

These are just some of the extensive questions asked that will help your school to determine whether an application or piece of software from an external vendor would be safe to use in the classroom. 

Keeping Children Safe in Education (KCSIE) provides regulations for schools to follow in order to, well, keep the children safe in their school. Where KCSIE does not mention the use of CRIAs in their guidelines, the principles that they promote through their guidelines fit nicely into the nature of what a CRIA does. Safeguarding propagates throughout the guidelines provided by KCSIE, and CRIAs embody the holistic approach that schools should encourage when it comes to the safeguarding of students.

To look at it in a direct sense, you know that when you take students on a school trip, or participate in an activity that could lead to physical risk, you should perform a risk assessment; so why is it any different for the online risks for students? 

With the rapid adoption of edtech services due to distance learning, there is not only a need to evaluate the benefit of the child, and account for their rights and freedoms, but to also evaluate the overall safety of using any external vendor. This means completing a vendor assessment, looking at CRIAs, cross border transfers, and procession operation assessments. By performing this risk based assessment, your school is able to pre qualify vendors before you share student data with them, and examine the vendors that you use that may not be adequately protecting student data. You can then be able to bring these issues to the vendor and ask them (1) why they do not have these procedures and processes in place and (2) whether they will be willing to rectify the issues. 

So I have to evaluate my vendors for more than just child rights? That sounds like a lot of effort. 

You’re right. Usually vendor assessments are hard work, and they take a lot of time to complete. However, the vendor assessment tool on the 9ine Privacy Management App takes you through a series of simple questions, allowing schools to spend less time on documentation and more time on tackling the risks that actually negatively impact students. The evaluative questions that are asked of schools within the assessment range from concerns around the child’s self-image and behaviour, to the extent of which they can be contacted through the service that the vendor provides. As we are an education specific consultancy, all aspects of our vendor assessments encompass the safeguarding of the children within your school, especially due to the embedded CRIA. 

In performing a CRIA, your school is well equipped to protect the rights and freedoms of the children in its systems, and understand the risks that are posed to them. If you fail to complete this type of risk assessment, the students at your school may be at a high risk of data exploitation, or even profiling. When handling children's data, the risks that are posed to them become very tangible with the threat of predators targeting children by attempting to access home addresses with the intention of taking their wrongdoings into the physical world instead of online. To mitigate these physical risks schools should use a CRIA to visualise the risks, thus being able to prioritise tasks by criticality to prevent them from becoming a reality for their students.

If anything is mentioned within this article surrounding the safety of your students, please feel free to get in contact with a member of the 9ine team.