Best Practice Update

Graphic representing new DfE guidance on EdTech procurement for schools, focusing on data protection.

On 9 July 2026, the DfE added a new section to its Data Protection in Schools guidance: Procuring educational technology (EdTech). It sets out what schools should consider before, during and after procuring EdTech tools, and the questions to put to prospective suppliers. Significantly, it is the first DfE guidance to directly reference the ICO's EdTech Examined audit report, telling schools to take the ICO's findings into consideration when procuring EdTech tools.

ICO EdTech Examined report graphic, highlighting data protection audit findings for UK schools and children'

The ICO's edtech audit programme, covering 28 providers used across UK primary and secondary schools, has resulted in one of the most significant data protection reports to affect the education sector in years. Published in June 2025, the ICO's EdTech Examined report made 596 recommendations and found widespread compliance failures in how edtech providers handle children's personal data. This article sets out what was found and what schools and DPOs need to do about it.

Graphic representing the Department for Education (DfE) Data Protection in Schools guidance update from June

The Department for Education (DfE) updated its Data protection in schools guidance on 17 June 2026, this refresh aligns the guidance with the wider expected KCSIE 2026 guidance and reinforces existing obligations that schools should already be acting on.

This article sets out what has changed, what it means for your school in practice, and the actions your data protection lead should be taking now.

 

DfE Filtering and Monitoring Core Standard graphic for schools and colleges, essential for safeguarding children.

The Keeping Children Safe in Education (KCSIE) document obliges schools and colleges in England to ensure appropriate filters and appropriate monitoring systems are in place and regularly review their effectiveness”. This responsibility is now a standard, no just a technical tick box, but a core leadership and safeguarding function.

  1. Can you use AI safely in schools?
  2. Guardians of Privacy: Social Media, Privacy, Children and the AI Threat
  3. Visitor Management: A Guide for Schools
  4. Under surveillance: Why your organisation's CCTV might not be compliant
  5. Update to the DfE Digital Cyber Security Standards for Schools and Colleges
  6. Wireless Network Standards for Schools & Colleges: What's New?
  7. World Backup Day: Backups - Your Safety Net
  8. School Cyber Attack: St Anne's Catholic School
  9. Volunteer Acceptable Use Policy & Agreement
  10. Handling Subject Access Requests (SARs) - at the end of term
  11. How should schools manage paper archives?
  12. Navigating the Redaction Divide: SAR or PEX?
  13. Records Management Toolkit: Where do I start with records management?
  14. What type of request have you received? SAR? Educational Record? Or FOI?
  15. SAR Extension Template
  16. Leavers' Memorabilia
  17. Sharing photos on World Book Day: Privacy considerations
  18. Make sure DPE is your registered DPO with the ICO
  19. Supplier Due Diligence Step by Step: Are you sharing personal data with a third party organisation?
  20. Time to kick-start your Clear Desk and Screen policy?
  21. Are Governors the Frontline of Cyber Security? (February 12th is Governors Awareness Day)
  22. DPE Webinar Schedule
  23. The Danger of the 'Data Dump': Why more information isn't always better!
  24. Introducing our new Recording and Transcription Policy
  25. Parents and students covertly recording conversations
  26. New DfE AI Standards
  27. Shareable Snippet: Office Security Best Practices for the Holidays
  28. CCTV Policy update: retention
  29. Shareable Snippet: Confidential waste
  30. Sharing information to safeguard children and young people in the education sector in the UK
  31. Fraud awareness from the DfE
  32. Complaints vs. Data Rights: A Guide
  33. Data Breach: School sends out names and contact details in a spreadsheet.
  34. September 2025 Policy and Document Updates
  35. KCSIE 2025: Data Protection, AI, and Cyber Security
  36. The Online SCR Data Breach: What You Need to Know
  37. Back to School Basics for Data Protection and Cyber Security Compliance
  38. Building a Secure School: Using the ICO Accountability Framework to Meet DfE Digital Standards
  39. Why Physical and Data Security Must Go Hand-In-Hand
  40. Digital Safeguarding: DfE announces statutory DfE Digital Standards
  41. The Data Protection Lead/Champion Role
  42. Changes to the Academy Trust Handbook 2025
  43. Social Media Day 2025
  44. How Ofsted looks at AI during inspection and regulation
  45. Preschool Employment tribunal for the use of WhatsApp
  46. Data Breaches 2025 Report Highlights
  47. Not everyone needs access: The Key to Protecting Sensitive Data
  48. West Lothian Schools in Cyber Attack
  49. National Honesty Day: Transparency
  50. FOI Request - BBC News
  51. Social Media and Marketing Guidelines and Training
  52. New Governor Resources
  53. Does stress lead to more data breaches?
  54. Are teachers using AI? 83% say its a time-saver
  55. DfE Digital Standards - narrowing the digital divide
  56. Arbor AI - On By Default
  57. DfE Guidance: Choosing a new MIS
  58. HCRG Care Group data breach
  59. The Importance of AI literacy and training staff
  60. Short Guide to AI Video
  61. Safer Internet Day, Cyber Security & Data Protection
  62. The Cyber Resilience Championship
  63. The Multiple Dimensions of Supplier Due Diligence
  64. School shares sensitive pupil information as part of an FOI response
  65. AI (Artificial Intelligence) Best Practice Area & Policy
  66. Blacon High School Cyber Attack
  67. WhatsApp and FOI's: ICO Warnings
  68. New AI Guidance from the DfE
  69. What the proposed Government legislative proposal around cyber crime means
  70. ICO report on AI tools in recruitment
  71. DfE update to record keeping and management
  72. Update to data sharing for school immunisation programmes
  73. Early Years Settings and Cyber Security
  74. SLT Digital Lead Profile
  75. The role of governors in cyber security and data protection
  76. Navigating Privacy at the End of Term , Special Occasions and End of Year
  77. Contracts Register
  78. DfE Digital Standards Autumn Update
  79. The importance of knowing how to access your CCTV footage!
  80. Cyber Attack on a Special School
  81. Stealing children's data
  82. What is dark data? (and why does it matter?)
  83. Ofqual highlights the value of cyber security training in schools
  84. Searching for data when you receive a Subject Access Request
  85. Fylde Coast Academy Trust Cyber Attack This Week
  86. Calling all IT leads in schools and mult academy trusts!
  87. Ransomware cyber attack on a school in Bromley
  88. Join Our Social Media Family!
  89. School hit by Cyber Attack
  90. Cyber Security Best Practice Area
  91. DfE Digital Standards for Schools and Colleges Tracker
  92. New Policies, Documents, Letters and Posters page
  93. Schools and Trusts Best Practice Area
  94. The DPE Retention Schedule
  95. Making the Rounds Update (now includes reporting)
  96. ESFA Cyber Essentials Requirement for Colleges from 2024/2025
  97. ICO Reprimands a School
  98. Out of date technology
  99. Data Retention and the Pupil File
  100. Have you assigned your SLT Digital Lead yet?
  101. Getting Started with AI (Artificial Intelligence)
  102. Cyber attack on a school during half term
  103. The rise of cyber attacks in schools are causing pupils to miss classes
  104. ICO: Learning from the mistakes of others report
  105. Cyber attack on a Trust; the aftermath
  106. School Focus: The Vale Federation | Aylesbury
  107. DfE Dealing with Subject Access Requests (SARs) Guidance
  108. Update to the Guidance on Information Sharing from the DfE
  109. FOI Requests generated by Artificial Intelligence
  110. Social Media Best Practice Area
  111. Lettings Best Practice Area
  112. MFA Bombing - What is it?
  113. Protecting your Social Media Accounts
  114. Checklists - Are They Your Most Powerful Compliance Tool?
  115. Product Focus on Checklists : Initial Trust Plan
  116. Product Focus on Checklists : End of Term Checklist
  117. Product Focus on Checklists : Information and Cyber Security
  118. Product Focus on Checklists : Social Media
  119. Product Focus on Checklists : Lettings
  120. Product Focus on Checklists : Record of Processing
  121. Milk Island: The secret location that allows children to view restricted content on Google Maps
  122. Why Data Should Stay Put: Benefits of Keeping Data in Its Original System
  123. Product Focus on Checklists : Data Retention and Destruction
  124. Product Focus on Checklists : Data Migration
  125. Product Focus on Checklists : Biometrics
  126. Product Focus on Checklists : Supplier Due Diligence
  127. Free Cyber help, advice and training with the Cyber Resilience Centres
  128. The Perils of Paper: The Printing Vulnerability
  129. Product Focus on Checklists : FOI
  130. Product Focus on Checklists : Governors and Data
  131. Product Focus on Checklists : DPIA
  132. Product Focus on Checklists : Site Moves
  133. Product Focus on Checklists : Data Breaches
  134. Product Focus on Checklists : Subject Access Requests
  135. Product Focus on Checklists : Bring your own device
  136. Product Focus on Checklists : Working out of school/offsite
  137. Cyber Attack on a School
  138. Product Focus on Checklists : Redaction
  139. Why Due Diligence is Important: Fake apps
  140. Product Focus on Checklists : CCTV
  141. Product Focus on Checklists : Clear desk
  142. Product Focus on Checklists : Commitment to compliance
  143. Product Focus on Checklists : Photos and video
  144. Product Focus on Checklists : Passwords
  145. Product Focus on Checklists : Information Classification
  146. Free cyber training for staff
  147. DfE Digital Standards Update
  148. The Mother of all Breaches
  149. International Data Transfers (part 1): Navigating Cross-Border Data Transfers: Understanding EU SCCs, UK Addendum, and UK IDTA
  150. ClassCharts Possible Data Breach
  151. Where is your data stored?
  152. IAPP looks at AI privacy risks
  153. If you suspect a financial scam .....
  154. School Focus: St Bernadette's Catholic Primary School | Brighton
  155. Guardians of Privacy: 16. Social Media Checklist
  156. Guardians of Privacy: 15. Navigating Social Media in Educational Settings Summary
  157. Guardians of Privacy: 14. Social Media and Cyber Bullying
  158. Guardians of Privacy: 13. Social Media, Copyright and Intellectual Property
  159. Guardians of Privacy: 12. Social Media and Going Viral
  160. Guardians of Privacy: 11. Staff Social Media Accounts
  161. Guardians of Privacy: 10. Social Media and Cookies
  162. Guardians of Privacy: 9. Social Media and Morality
  163. New Resources for Schools from the ICO
  164. Guardians of Privacy: 8. Social Media Policies
  165. Guardians of Privacy: 7. Social Media Data Retention
  166. Guardians of Privacy: 6. Posting Safely
  167. Guardians of Privacy: 5. Social Media and Consent
  168. Guardians of Privacy: 4. Social Media Access Control
  169. Guardians of Privacy: 3. Social Media Channels
  170. Guardians of Privacy: 2. Law and Regulations
  171. The ICO reprimands a Multi Academy Trust
  172. Guidance for the use of school email and applying email retention in schools
  173. Data Protection Tips for Early Years Settings
  174. Children's Privacy around the world is a puzzle
  175. Trust Initial Plan Checklist Update
  176. Records Management Best Practice Update
  177. What do I need to redact?
  178. Trust Initial Plan for Data Protection Compliance (for Multi Academy Trusts)
  179. Google for Education Resources: Helping IT Admins meet DfE digital and technology standards
  180. Lettings Best Practice and Guidance
  181. Considerations when migrating to a new MIS
  182. Public bodies and sensitive data
  183. Get a DPE Badge for your website!
  184. ICO: 10 Step guide to sharing information to safeguard children
  185. Help after a Cyber Attack/Incident
  186. Data Protection and Cyber Security (Inset Day) Training Ideas
  187. How KCSIE is linked to Cyber Strategy
  188. Handling Freedom of Information Requests the right way
  189. Where's Harry the Hacker?
  190. The ICO Reprimands a school
  191. Redaction Guidelines Updated
  192. Using WhatsApp in Schools
  193. How to contact us for support, subject access requests, data breaches and FOI's
  194. FOI: Reinforced Autoclaved Aerated Concrete
  195. FOI: Henry Jackson Society
  196. FOI: Vaccination Justifications
  197. How the Record of Processing Can Help You
  198. What does a Data Protection Officer Do?
  199. Carrying out Supplier Due Diligence
  200. How Long Should You Keep Personal Data For?
  201. B&H FoI: Racist/religious incidents/bullying
  202. Protocol for Setting Up and Delivery of Online Teaching and Learning
  203. Class Dojo International Data Sharing
  204. Model Publication Scheme: Amendments, Improvements and Updates
  205. Transparency
  206. Research projects and GDPR
  207. Secure file transfer of files using Royal Mail
  208. Emergency contacts and consent
  209. Key elements of a successful DPIA
  210. FOI Publication Schemes
  211. Best Practice for Managing Photos and Video
  212. New Drip Feeds: Recognise and Respond to Subject Access Request
  213. When to contact the Data Protection Officer?
  214. National child measurement programme
  215. Headteacher fined for breach of data protection legislation
  216. Acceptable Use Policy

Search