The ICO Has Just Audited 28 EdTech Providers. The Findings Should Concern Every School
The ICO has just audited 28 EdTech providers and the findings cut across the entire supplier stack. Controller/processor confusion, weak DPIAs, outdated privacy information, gaps in data flow mapping. A new statutory EdTech code is on the horizon. Procurement just got harder, and rightly so.
The 60-second Briefing
- The ICO published its 'Edtech examined' report on June 24, after consensual audits of 28 widely-used EdTech providers.
- The audit covered MIS, safeguarding tools, behaviour management platforms, learning management systems, classroom apps, and data integration services.
- Common findings included controller/processor confusion, insufficiently detailed contracts, incomplete data flow mapping, weak data minimisation, outdated privacy information, and gaps in DPIAs.
- Information security was a positive area. The substantive failings are governance, not technical.
- The ICO is now in discussions with the DfE on a new EdTech code that could become statutory.
On June 24, the Information Commissioner's Office published Edtech examined, a report on what it found when it audited 28 widely-used EdTech providers across UK primary and secondary schools. The audits were conducted consensually during 2024 and 2025 and covered a broad cross-section of suppliers – management information systems, safeguarding tools, behaviour management platforms, learning management systems, classroom apps, data integration services. Almost every product a school of any size is currently running.
It is the most consequential piece of EdTech regulatory news this year, and it has, for the most part, sailed past unnoticed. The trade press carried short notices. The mainstream education press barely touched it. And yet for anyone with a procurement remit, this is the regulator essentially saying out loud: the suppliers you are buying from are not yet ready for the standards you should be holding them to.
Let me walk through what the audit actually found.
The headline issue is structural. A significant number of audited providers could not consistently say whether they were acting as a data controller or a data processor on schools' behalf. The distinction is fundamental – controllers decide why and how personal data is processed; processors do only what the controller instructs them to do. In a schools context the school is usually the controller and the EdTech supplier is usually the processor. But the ICO found that when children's data was being used by the supplier for product development or analytics, that boundary blurred. The supplier was effectively becoming a controller for that secondary purpose, without making it clear to the school, and without the contractual paperwork being updated to match. That is not a paperwork problem. It is a fundamental governance problem, because it determines whose responsibility it is when something goes wrong.
The second cluster of findings was around contracts and data flows. Many provider contracts with schools were insufficiently detailed, and data flow mapping was incomplete. In practice that means the supplier could not always tell the auditor, with precision, where a particular piece of pupil data was processed, by which sub-processor, in which country, and for how long. Anyone who has tried to fill in a DPIA for an EdTech tool will recognise this feeling. You ask the supplier where the data goes. You get a vague answer. You ask for the sub-processor list. You get a partial one. You ask about data residency. You get a phrase like "we use industry-leading cloud providers" and a polite assurance that everything is fine.
The third cluster was data minimisation and storage limitation – the principle that you collect only what you need and keep it only as long as you need it. The audit found weak application of both. Privacy information was outdated or hard to find. And, perhaps most importantly, gaps in DPIAs were widespread. A DPIA is the document that demonstrates to the regulator that a school or supplier has thought carefully about the risks of a processing activity. If the DPIA is incomplete, the demonstration is incomplete.
What the audit found positive, and this is worth saying, was information security. The cyber side of the equation – encryption, access controls, incident response – was generally in better shape than the governance side. That matters because it tells us something about where the EdTech sector has been investing its compliance effort. Suppliers have, broadly, taken cyber seriously. They have not, broadly, taken data governance equally seriously.
There is a sharp connection to draw here with The 73% Problem. That post was about the schools side of the cyber equation, where the Cyber Security Breaches Survey showed secondary breach rates jumping to 73% and supply chain security as the weakest area in the 10 Steps framework. The CSBS told us schools were exposed because their suppliers were not being held to a meaningful standard. The ICO audit has now told us, on the same suppliers, what those standards look like in practice. Two halves of the same picture have arrived in the same quarter. A school running EdTech tools whose suppliers cannot meet the ICO's audit expectations is a school whose data is structurally at risk, and whose risk register is incomplete if it does not reflect that.
There is a second connection worth drawing, with last week's post. The Pioneer Group Confession made the case that AI tools should be assessed against a procurement filter built around cognitive impact, evidence base, and data governance. The procurement template I released alongside that post had a Section 4.4 covering exactly the data protection ground the ICO has just audited – lawful basis, DPIA scope, sub-processor lists, retention periods, incident response. The ICO has, without intending to, provided one of the cleanest possible justifications for that section. Most of the EdTech providers selling to schools cannot today answer those questions to the regulator's standard. Schools that are not asking them are buying blind.
But this audit was not about AI. It was about every category of EdTech tool that schools run. That matters because the procurement discipline the AI conversation has prompted needs to broaden out. The same questions should be asked of the new behaviour management platform, the new safeguarding overlay, the new attendance dashboard, the new learning management system. The supplier may not be selling a chatbot, but it is still processing children's data, and the audit findings apply to it just as much as they apply to a generative AI tool.
For schools, the practical work that follows is reasonably clear, and most of it does not require a budget.
The first piece is contract review. Pick the five EdTech suppliers the school is most dependent on. Read the data processing addenda. Ask, with specificity, whether the supplier is acting as a processor for everything they do with pupil data, or whether they are also acting as a controller for any secondary purposes like product development, analytics, or aggregated insights. If the answer is unclear, escalate it. If the answer is "we are processors for everything," ask for the documentary evidence that backs that up.
The second piece is DPIA refresh. The ICO is looking for DPIAs to be live documents, not artefacts written once when the tool was bought and never opened again. Pick the highest-risk processing activities – your MIS, your safeguarding platform, anything involving health, SEND or pastoral data – and bring those DPIAs up to date with current supplier information, current sub-processor lists, and current data flow maps.
The third piece is asking the question the auditors asked. Where, precisely, does pupil data go? Through which sub-processors? In which countries? Stored for how long? If a supplier cannot answer that question on demand, the question itself becomes the problem. Suppliers who could not answer the ICO are unlikely to suddenly be able to answer the school. But the gap, once documented, is part of the school's risk register, and that record will matter when the new EdTech code arrives.
Which brings me to the strategic context. The ICO is now in discussions with the DfE on a new EdTech code. Codes of practice carry statutory weight – they are admissible in regulatory enforcement and in court. If a code is introduced, the audit findings of June 2026 become not just instructive but compliance-critical. Schools that have got ahead of the curve will be in a position to evidence good practice. Schools that have not will be looking at a window of perhaps eighteen months to close the gap before the regulator starts measuring them against it.
There is one more piece worth adding, because the audit has been read in some quarters as bad news for EdTech. It is not, really. The regulator's job is to find the gaps. The audit was consensual, the findings were specific, and the report itself notes that the audits resulted in 596 recommendations across the 28 providers, of which 98% were accepted and put in place. The sector is moving in the right direction. The issue is that the schools doing the buying are not yet routinely demanding the standards the regulator has now articulated. The supplier side will rise to the bar the buyer side sets, and at the moment, the buyer side is not setting a bar high enough.
The ICO audit has done UK schools a quiet but enormous favour by mapping the supplier-side gaps in a market that has historically resisted scrutiny. The responsibility for closing those gaps does not sit only with the suppliers. It sits with the people writing the purchase orders.
For IT directors, DPOs and bursars, the call to action is easy. Read the report. Pull out the five providers the school most depends on. Apply the audit questions to them. Update the DPIAs. Bring the findings to next term's risk committee. The work is unglamorous and procedural, but the regulator has just given the procurement conversation a level of authority it has not had before.
Use the authority.
See you in the digital staffroom.