This assessment is published to satisfy the duty under section 36 of the Online Safety Act 2023 (children's access assessment) and to document our approach to the ICO's Age Appropriate Design Code(the Children's Code).
1. Overview
School Atlas is an information service aimed at UK parents, carers, and school staff. It is not designed for children, does not market to children, and does not offer features that appeal primarily to under-18s (no games, social graph, entertainment, or identity-expression features). Account creation is restricted to users aged 16 and over.
However, under both the Online Safety Act and the ICO Children's Code we must consider whether children are likely to access parts of the service, regardless of target audience, and apply proportionate protections where they are.
2. Service surfaces
- Public-facing content (school profiles, guides, tools, reviews). Accessible without an account.
- Parent account (shortlists, child profiles, comparisons, AI Advisor, newsletter). Requires signup (16+, email-verified).
- Institution portal (school staff managing their profile). Requires claimed or subscribed institution seat.
3. Are children likely to access the service?
3.1 Public-facing content
Children aged 13–17 researching post-16 options (sixth form, colleges, independent schools) are likely to access public-facing content directly, and parents may share guide articles with under-13 children in a supervised context. We therefore treat the public site as likely accessed by a significant number of children.
3.2 Parent accounts
Account creation requires a self-declared age of 16+ and a verified email address. We conclude that children under 13 are unlikely to hold accounts. 13–15 year-olds could in principle self-declare a false age; the risk is mitigated by email verification and by the absence of features that attract unsupervised child use (no social surface, no messaging, no entertainment content).
3.3 Child profiles inside a parent account
Parents may add child profiles to their own account (name, year group, SEN notes, preferences). These children are not users of the service; they are data subjects whose personal data is entered by a parent acting with parental responsibility. Children do not log in, post, receive messages, or see any service surface via a child profile.
3.4 Institution portal
The portal is used by adult school staff. Children are not likely to access it.
4. Conclusion
Children are likely to access the public-facing contentof School Atlas. They are not likely to hold accounts in material numbers, to post reviews, or to use the institution portal. We therefore apply Children's Code protections site-wide, and additional protections to any feature that could be used by a child (however rare).
5. Applying the 15 Children's Code standards
1. Best interests of the child
Child welfare takes precedence over commercial interests. The platform is funded by school subscriptions, not advertising aimed at children. Content decisions give weight to accuracy and safeguarding over engagement.
2. Data protection impact assessment
Child-profile data is minimal (name, year group, optional SEN notes, preferences) and is processed only to personalise school shortlisting for the parent. A DPIA is maintained internally and reviewed when features change.
3. Age-appropriate application
Because we apply Children's Code protections site-wide, we do not need to segment experiences by age bracket. Account creation is blocked under 16; all unauthenticated content is written in accessible English suitable for a general audience aged 13+.
4. Transparency
Our Privacy Policy includes a dedicated Children's Privacy section in plain English. Cookie use is disclosed at first visit with granular controls.
5. Detrimental use of data
Child-profile data is never used for profiling for marketing, advertising, or any automated decision with legal or similarly significant effect. It is not shared with schools, is not used for re-targeting, and is not used to train third-party models.
6. Policies and community standards
Our Moderation Policy, Terms of Service, and this assessment set out the standards we hold ourselves to and how to report breaches.
7. Default settings
Account defaults are the most privacy-protective: no marketing emails, no public profile, no geolocation share, no third-party analytics until consented. Child profiles are visible only inside the parent's own account.
8. Data minimisation
We collect the minimum needed to run the service. Child profiles are optional; a parent can use the platform fully without creating any. SEN free-text is optional and never required.
9. Data sharing
Child-profile data is not shared with third parties, schools, or advertisers. Sub-processors who technically host data (Supabase, Vercel) are listed in the Privacy Policy.
10. Geolocation
“Schools near me” uses the device's browser geolocation prompt; the result is kept in the browser and is not sent to our servers. Parent postcodes are collected for the parent account only, not attached to any child profile.
11. Parental controls
Child profiles are created and controlled by the parent. Only the parent account-holder can view or edit them. Parents can export or delete child profiles at any time from /account/children.
12. Profiling
We do not profile children. Parent-facing personalisation (suggested schools for a child's year group and phase) uses the child profile data but is disclosed, is not used for advertising, and can be disabled by removing the child profile.
13. Nudge techniques
We do not use nudges designed to encourage children to weaken their own privacy or provide unnecessary data. Accounts default to privacy-protective settings.
14. Connected toys and devices
Not applicable.
15. Online tools
Accessible routes to rights (data export, deletion, privacy settings) are available in the account area and via privacy@schoolatlas.co.uk.
6. Online Safety Act children's duties
Where children are likely to access public content, we apply the mitigations described in our Illegal Content Risk Assessment (pre-publication moderation, notice-and-takedown, no messaging, no image upload). We do not publish content that is primary or priority content harmful to children under the Act: no pornography, no content promoting self-harm or eating disorders, no violence or dangerous stunts, no bullying of named individuals.
7. Age assurance
Because the service is not directed at children and does not host content harmful to children, the ICO regards self-declaration with email verification as proportionate age assurance at present. We will reassess if we introduce features that materially change risk.
8. How to report a concern
- Safeguarding concerns: safeguarding@schoolatlas.co.uk (non-emergency). In an emergency call 999 or the NSPCC on 0808 800 5000.
- Content reports: moderation@schoolatlas.co.uk.
- Privacy / data rights: privacy@schoolatlas.co.uk.
9. Review cycle
This assessment is reviewed at least annually (next review 21 April 2027) and whenever we introduce a feature that could materially affect children's use or safety.
This document does not create any legal obligation beyond those already imposed by the Online Safety Act 2023, UK GDPR, and DPA 2018, and does not constitute legal advice.