A programme of consensual audits carried out by the Information Commissioner's Office has identified systemic data protection failings across the UK education technology sector, with nearly 70 per cent of providers found to be acting as controllers over children's personal data without recognising or fulfilling that role.
The ICO's Edtech Examined report, published on 24 June 2026, sets out findings from audits conducted with 28 providers during 2024 and 2025, covering management information systems, safeguarding tools, behaviour management platforms, learning management systems, classroom apps and data integration services.
The audited providers were selected to achieve a representative sample and together serve substantial portions of the UK school market: the report estimates that providers audited in the safeguarding and data integration categories together serve more than 90 per cent of UK schools.
Controller/processor misclassification
The most significant finding was that most providers determined themselves to be processors acting solely on school instructions, when in practice they were controllers for significant additional processing activities. Almost 70 per cent of providers were found to be exercising controller functions - determining the purposes and means of processing - without having recognised this, particularly when using children's data for product development, performance analytics, anonymisation, or AI training. Under article 28(10) UK GDPR, a processor that determines the purposes and means of processing becomes a controller by operation of law, regardless of how a contract describes the relationship.
Providers that had not identified themselves as controllers had typically not identified a lawful basis under article 6, had not identified an article 9 condition for special category data including health information, ethnicity and SEND status, had not completed DPIAs, and had not met transparency obligations. The ICO noted that some providers had previously used children's data to create anonymised pupil profiles sold to third parties for education research, processing for which no adequate legal basis had been identified.
AI and third-party sub-processors
The report also noted particular concern about AI-related processing. Several providers had introduced AI-powered features (adaptive learning tools, virtual assistants and content personalisation) without completing DPIAs or adequately assessing fairness and bias risks.
In a number of cases, providers had engaged sub-processors operating on standard terms that permitted the sub-processor to use customer data, including children's data, to train their own AI models. The providers had not exercised the available opt-out and in some cases only became aware of these terms during the audit.
Around half of providers had carried out no meaningful due diligence before engaging sub-processors, and around 30 per cent either lacked prior written authorisation or had not informed schools of sub-processor changes. The ICO stated its position that general authorisation clauses in contracts must be accompanied by proactive notification to schools before any new sub-processor is engaged.
Retention, anonymisation and storage limitation
Around 70 per cent of providers either failed to specify retention periods clearly or kept children's data for periods they could not justify. A recurring finding was that providers stated they would delete data at the end of the retention period but in practice anonymised it instead. In one documented case, what was described as anonymised data remained identifiable by combining two databases using a reference key retained by the provider, constituting pseudonymisation rather than anonymisation and therefore remaining in scope of UK GDPR.
The ICO restated its position that applying anonymisation techniques is itself processing, and that truly anonymous data requires irreversible de-identification assessed against the motivated intruder standard.
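The documented case above, as an added illustration that is not part of the ICO report: a "pupil attainment" table that has had names stripped but still carries a reference key, beside the key table the provider retained. The sample records and names are constructed placeholders; the functions show why the two tables remain linkable (even after hashing the key, when the key table still exists), what severing the link looks like, and a simple check for records that a motivated intruder could still single out on quasi-identifiers once the key is gone.

```python
import hashlib
from collections import Counter

# Constructed sample: the provider's "anonymised" attainment table still carries
# the reference key, and a separate retained table maps that key to the pupil.
ANON_RECORDS = [
    {"ref": "K1", "year_group": 9, "send": True, "score": 71},
    {"ref": "K2", "year_group": 9, "send": False, "score": 58},
    {"ref": "K3", "year_group": 10, "send": False, "score": 64},
    {"ref": "K4", "year_group": 9, "send": False, "score": 80},
]
REF_KEYS = [  # constructed placeholder identities
    {"ref": "K1", "pupil": "Pupil A", "school": "School X"},
    {"ref": "K2", "pupil": "Pupil B", "school": "School X"},
    {"ref": "K3", "pupil": "Pupil C", "school": "School Y"},
    {"ref": "K4", "pupil": "Pupil D", "school": "School X"},
]

def reidentify(anon, keys):
    """Join the two tables on the retained key: whoever holds both can do this."""
    lookup = {k["ref"]: k for k in keys}
    return [dict(r, **lookup[r["ref"]]) for r in anon if r.get("ref") in lookup]

def hash_keys(anon):
    """Replace the key with its SHA-256 digest: still pseudonymisation, not anonymisation."""
    return [dict(r, ref=hashlib.sha256(r["ref"].encode()).hexdigest()) for r in anon]

def reidentify_hashed(hashed, keys):
    """A holder of the key table simply re-hashes its keys and joins again."""
    rehashed = [dict(k, ref=hashlib.sha256(k["ref"].encode()).hexdigest()) for k in keys]
    return reidentify(hashed, rehashed)

def sever_link(anon):
    """Drop the key field so no join is possible; the key table itself must also be destroyed."""
    return [{k: v for k, v in r.items() if k != "ref"} for r in anon]

def singletons(records, quasi=("year_group", "send")):
    """Records unique on their quasi-identifiers: still a motivated-intruder risk without the key."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return [r for r in records if counts[tuple(r[q] for q in quasi)] == 1]
```

Removing the key addresses only the link the report describes; the `singletons` check is the kind of residual assessment the motivated intruder standard still requires before data can be treated as anonymous.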
Around 70 per cent of contracts between providers and schools were found to lack the detail required by article 28(3), with vague or broad processing descriptions that left providers determining processing purposes and means themselves rather than following documented school
Approximately 80 per cent of publicly available privacy information was found to be insufficiently detailed, with several notices based on generic templates that failed to describe product-specific processing and in some cases contained inaccurate statements about whether special category data was processed.
Security and breach handling
The ICO found comparatively more positive compliance in the information security domain, with most providers having implemented appropriate technical measures including encryption at rest and in transit, role-based access controls, multi-factor authentication and secure development practices. Over 60 per cent maintained external audit or penetration testing programmes, and a number held ISO 27001 or SOC 2 certification.
However, over 70 per cent had inadequate or incorrect personal data breach processes, most commonly failing to understand that processors must report all breaches to the controller without undue delay regardless of assessed risk level (a distinct obligation from the risk-threshold test that applies to controller notifications to the ICO under article 33). Several providers had policies instructing staff to report only high-risk breaches to schools, which the ICO found to breach both article 33 and the terms of provider-school contracts.
Recommendations
In total, the ICO made 596 recommendations, 98 per cent of which providers accepted. A further 139 advisory notes and 118 good practice notes were issued. The ICO followed up with 12 of the 28 providers assessed as presenting the highest risk, requiring evidence of remedial action over periods of up to 12 months.
The report notes that the audits pre-date the Data (Use and Access) Act 2025 and therefore do not address the higher protection requirements for children introduced into UK GDPR article 25 by that Act, nor the new statutory code on children's personal data in educational digital systems anticipated under DUAA secondary legislation.
The ICO's Director of Children's Strategy, Katie Searle, indicated that the findings will inform development of that statutory code.
“Moving forward, the ICO is engaging with the Department for Education and devolved authorities on their work with schools to help improve how children's personal information is handled in educational settings,” a spokesman for the ICO said.
“As part of this, we are discussing how a new edtech code could contribute to ensuring children's data is better protected across the tools and platforms schools use widely, as one of a range of measures to drive lasting change.”