The ICO's EdTech audit: A warning shot before the rules are written
The Information Commissioner's Office (ICO) has published EdTech examined: Key findings from our audits, a report drawing together the cross-sector findings from consensual audits of EdTech providers carried out over 2024/2025 (the “Report”). The Report synthesises common themes across all audited providers; each organisation separately received its own confidential individual audit report.
The ICO audited 28 businesses across the full range of EdTech providers, including: management information systems; safeguarding tools, behaviour management platform; learning management systems; classroom apps and data integration services.
The Report raised concerns in relation to EdTech developers and providers approach to data protection compliance in several areas, making 596 compliance recommendations to those organisations it audited.
We break down the key areas that EdTech Providers need to look at:
Providers are Processors… but are they also Controllers?
The main issue the Report identifies is the confusion that providers have regarding their status as a processor (usually their primary role) but frequently also having the status of a data controller in relation to the personal data they process. This confusion is the root cause of other compliance issues that the Report identifies.
The vast majority of providers had correctly identified themselves as processors where they provide their core product. However, almost 70% of providers were found to also be controllers for additional processing, such as product development, analytics, anonymisation, training AI or selling/sharing anonymised profiles, but had not recognised this.
Where a provider does not recognise itself as a controller, it risks breaching the various obligations UK GDPR places upon it as a controller, including transparency and having a lawful basis for processing personal data.
Lack of transparency
The audit found that most providers publish privacy notices on their websites but the information in certain notices was generalised and non-specific. Some notices had not been reviewed and updated for some time and therefore included inaccurate and outdated information.
This lack of transparency is a pronounced issue where the processing of children’s data is concerned. It makes it difficult for schools to tell families and children about how EdTech products use their information, which could undermine the uptake of those products.
On a positive note, some suppliers displayed good practice providing: (i) detailed explanatory resources; (ii) privacy explainers (sometimes with privacy notices written in a child friendly manner); and (iii) evidence of the safeguards available proactively on their website or in dedicated online portals.
Contractual gaps
Whilst almost all EdTech providers entered into written agreements or published terms of use with schools, 70% of the agreements audited lacked detail or were not fully compliant with UK GDPR’s requirements for processing terms.
Not assessing the impact
Providers in some cases had not prepared a Data Protection Impact Assessment (“DPIA”) to assess the risks that the processing might pose to children. Others had conducted DPIAs but those documents did not describe the processing or the safeguards to children’s data in sufficient detail. This is a symptom of the confusion around whether providers are controllers when they use data in some cases.
Re-purposing and AI training
Many providers used children’s data to analyse product performance; develop and test new products; and produce anonymised data for other purposes. Some also used children’s information to train AI functionality or shared anonymised information with third parties.
The providers often had access to the data in their role as a processor. This meant they could not demonstrate that their re-use of the data for such purposes was fair or that they had a lawful basis for the further processing. This exposed children to the risk of losing control of their own information.
Other areas to improve
Whilst the majority of providers had undertaken at least some mapping of data flows, most had not maintained a compliant record of processing activities (“ROPA”) - with around 90% of ROPAs missing required information concerning use of children’s personal information. This led to gaps in oversight of the processing of children’s data
Many providers had not set specific retention periods for the storage of children’s data. In some cases, it was not clear what the provider would do with the data at the end of the retention period. This also exposed the children’s data to higher risk of data breaches
Weaknesses in data privacy governance were noted on a number of occasions with nominated Data Protection Officers (“DPO”) or managers responsible for compliance not fully appreciating the extent of their responsibilities and in the case of DPOs direct accountability to the corporate board of directors
Some providers did not obtain appropriate authorisation from school leaders or undertake due diligence of their sub-processors
Providers usually had data breach procedures in place but they were sometimes vague and did not specify key steps in responding to a data breach
Not all providers could demonstrate that they had taken a data protection by design approach in developing their products. Some providers had introduced AI functionality without safeguards, whilst others rolled out new product features with them switched “on” by default
Get in touch
Key takeaways
We were unsurprised by the findings of the Report, which marks the beginning of closer regulatory scrutiny of the EdTech sector. The ICO is continuing to work with 12 of the 28 audited providers for up to 12 months to ensure compliance improvements are implemented, and has stated its intention to monitor and enforce data protection compliance across the sector. The Report’s findings are also likely to underpin a future statutory code on the use of children’s data in the education sector.
Providers and the educational establishments that appoint them should take this golden chance to upgrade their data protection compliance before the ICO comes knocking.
A link to the ICO statement about the report can be found here.
A link to the ICO report can be found here.
How Freeths can help
Freeths holds a leading position in advising EdTech businesses. Our experienced team of data protection and EdTech specialists is ready to assist providers as to how to get their EdTech compliance programme up to speed, including:
Controller or processor advice
Compliance Audits
Data Protection Impact Assessments
Processing contract and supply chain
Data Protection Governance
Data Protection By Design
Records of Processing
Policies and procedures
Training (including at Board level)
Please get in touch with the team to discuss how we can help.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
Contact us today
Whatever your legal needs, our wide ranging expertise is here to support you and your business, so let’s start your legal journey today and get you in touch with the right lawyer to get you started.
Get in touch
For general enquiries, please complete this form and we will direct your message to the most appropriate person.