ICO Edtech Report Puts DfE and UK Schools on Data Notice

24th Jun 2026
The ICO has moved its children’s data work deeper into the school technology market, publishing Edtech examined after audit work carried out in 2024 and 2025 across products used in UK primary and secondary schools. The report sits between the regulator’s existing Children’s code work and the next phase of policy discussion with the Department for Education over whether more specific rules are needed for educational technology used by schools. The ICO said on 24 June 2026 that it had worked directly with 28 edtech providers through consensual audits covering management information systems, safeguarding tools, behaviour management platforms, learning management systems, classroom apps and data integration services. The regulator reported positive practice on information security, but found repeated compliance gaps around processor and controller status, school contracts, data flow mapping, data minimisation, storage limitation, privacy information and Data Protection Impact Assessments. It said providers accepted and implemented 98% of the 596 recommendations made through the audit programme. The Department for Education and devolved authorities are now part of the next stage because the ICO said it is engaging with them on how children’s personal information is handled in educational settings. UK GDPR, the Data Protection Act 2018, the Children’s code and the Data (Use and Access) Act 2025 frame that work because the legal question is not only whether edtech products are secure, but whether schools and suppliers can justify why pupil data is collected, who controls it, how it is reused and when it is deleted. Academy trusts and local authorities are also exposed where procurement records, supplier due diligence or school-facing contracts do not match how a platform actually processes children’s information. Solicitors, barristers and in-house counsel advising schools, trusts, councils or suppliers should treat the report as a prompt to review edtech contracts, DPIAs, privacy notices and data maps before any formal code is introduced. The highest-risk area is role classification, especially where a supplier described as a processor uses children’s data for analytics, product development or service improvement in ways that may give it independent control over the purpose of processing. Legal teams should also check whether retention periods are documented, whether parents and pupils can understand privacy information, and whether schools have enough evidence to show that data minimisation has been applied in practice. The ICO has not named the 28 providers, which limits the immediate corporate monitoring value of the report, but it has set a clear compliance marker for the edtech market. The ICO and Department for Education now face the specific question of whether a new edtech code is needed to convert the audit findings into enforceable expectations for schools, suppliers and their legal advisers.