ICO Publishes Edtech Report

Educational technology is now embedded in everyday school life, from classroom apps and learning platforms to safeguarding systems, behaviour tools and management information systems. While these technologies can support teaching, administration and pupil wellbeing, they also involve the collection and use of large amounts of children’s personal data, often in circumstances where pupils and parents have limited ability to opt out. From a data protection perspective, schools and edtech providers must be clear about who is responsible for processing the data, why it is being used, how long it is kept, and whether the requirements of UK GDPR are being met in practice.

Last week, the Information Commissioner’s Office (ICO) published ‘Edtech examined’, a report outlining how they “have worked directly with edtech providers to review and improve data protection practices within the sector.” The report details the findings from a programme of consensual audits carried out by the ICO during 2024 and 2025 with 28 edtech providers, whose products are widely used across primary and secondary schools in the UK. The audits examined a range of products including management information systems, safeguarding tools, behaviour management platforms, learning management systems, classroom apps, and data integration services.  

The ICO found positive practices, particularly around information security. However, they also identified and addressed compliance gaps across the sector. Common issues included providers not correctly identifying whether they were acting as data processors or controllers, particularly where children’s data was used for product development or analytics.

The ICO also found: 

  • insufficiently detailed contracts with schools 
  • incomplete data flow mapping 
  • weak application of data minimisation and storage limitation principles  
  • outdated or inaccessible privacy information, and  
  • gaps in Data Protection Impact Assessments.  

The ICO says that, through the audits, it has successfully driven improvements across the sector, with providers accepting and putting in place 98% of the 596 recommendations that were made. It is now engaging with the Department for Education and devolved authorities on their work with schools to help improve how children’s personal information is handled in educational settings. It is also discussing introducing a new edtech code which could contribute to ensuring children’s data is better protected across the tools and platforms schools use widely. 

The Government’s Plans for Children’s Data 

Recent initiatives from the UK Government, such as the Schools White Paper and the Children’s Wellbeing and Schools Act 2026, have major implications for children’s privacy, from age verification to plans for a “Data Spine” to link information across the public sector.

In Episode 8 of the Guardians of Data podcast, we analyse the Government’s plans for our children’s data, discuss children’s privacy in the internet age and the role Big Tech is playing in the collection, storage and analysis of all our data. We ask if the government is simply trying to do a better job of protecting children or if it is quietly building a surveillance system which will impact all of us. Listen here.

See also our workshop: Working with Children’s Data.