On 9 July 2026, the DfE added a new section to its Data Protection in Schools guidance: Procuring educational technology (EdTech). It sets out what schools should consider before, during and after procuring EdTech tools, and the questions to put to prospective suppliers. Significantly, it is the first DfE guidance to directly reference the ICO's EdTech Examined audit report, telling schools to take the ICO's findings into consideration when procuring EdTech tools.
This article summarises the new guidance and connects it to three developments we have covered recently: the ICO EdTech audit findings, the June 2026 update to the DfE Cyber Security Core Standard, and the KCSIE filtering and monitoring requirements. Together they form a single, consistent message: procurement is now a data protection and safeguarding function, not just a purchasing decision.
What the new guidance covers
The guidance runs through the full lifecycle of an EdTech relationship. In summary, schools are expected to:
- Consult the DPO at the very start and throughout implementation, not once a contract is signed.
- Complete a DPIA early, before decisions are made about how personal data will be processed, and keep it updated as the tool changes (see our guide to the key elements of a successful DPIA).
- Understand exactly what personal data the tool processes, challenge suppliers to justify every category of data, and switch off optional fields that are not required.
- Identify the correct lawful basis, noting that public task will not cover additional features beyond the school's official duties, and that consent needs a genuine choice and a clear opt-out.
- Map the data flows: ask the supplier to walk through what happens to personal data at every stage, and do not proceed if they cannot.
- Establish controller and processor roles, including sub-processors, and pin responsibilities down in the contract before signing.
- Assess AI functionality: whether the tool generates content, personalises learning, profiles pupils, or uses pupil data for model training, and whether those functions can be switched off.
- Check Children's Code compliance: schools are not directly in scope, but most EdTech tools are, and suppliers acting as controllers must meet the code's standards.
- Consider safeguarding: tools must align with KCSIE duties and filtering and monitoring. arrangements, with the DSL involved in procurement decisions and an audit trail available for safeguarding leads.
- Scrutinise storage, retention and international transfers, including how backups and caches are handled.
- Plan the exit at the start: agreed timescales for return and deletion of data at contract end, with confirmation of deletion from the supplier.
- Evaluate security: encryption, secure authentication, audit logging, intrusion detection, certifications and independent testing.
- Confirm support for data subject rights and breach response, including how quickly the supplier will notify the school of an incident.
- Monitor the supplier on an ongoing basis, with review periods and checks on updates and changes to processing.
The guidance includes worked examples throughout, including one where a school walks away from an AI writing tool because the supplier could not switch off the use of pupil data for AI development and stored data outside the UK. That example alone is a useful benchmark for governors and SLT: it is acceptable, and sometimes necessary, to say no. The 'off by default' expectation is not hypothetical either; we saw a live example when Arbor switched on its AI functionality by default, leaving schools to identify and disable it. Another worked example concerns procuring a new MIS and disabling optional data fields, a scenario we have covered in the DfE's guidance on choosing a new MIS and our considerations when migrating to a new MIS, which also deal with the exit planning and data portability points the new guidance raises.
The ICO EdTech audit: the 'why' behind the guidance
The DfE guidance explicitly directs schools to the ICO's EdTech Examined report and its findings on common data protection risks. Read alongside our summary of the ICO's ten key findings, the new procurement guidance reads as a direct response to what the ICO found across 28 audited providers:
| DfE procurement guidance says | Because the ICO found |
| Establish controller/processor roles early and record them in the contract | ~70% of providers were acting as controllers for some processing without recognising it (finding 1) |
| Ask why each category of data is necessary; challenge secondary uses | Children's data was used for product development, analytics and AI training without a lawful basis (finding 2) |
| Check contract clauses on security, sub-processors, deletion, breach notification and access before signing | ~70% of contracts lacked the detail required by Article 28 UK GDPR (finding 3) |
| Complete a DPIA early and keep it updated; ask suppliers for supporting information | Over 40% of providers had not completed a DPIA at all (finding 7) |
| Know who the sub-processors are and what they do with the data | Half of providers failed meaningful due diligence on sub-processors; some unknowingly allowed AI providers to train on children's data (finding 8) |
| Clarify retention, deletion, backups and caches; plan the exit at the start | ~70% had unclear or unjustifiable retention periods; some retained children's data indefinitely (finding 6) |
| Agree how and how quickly the supplier will notify the school of a breach | Over 70% had incorrect breach management processes (finding 9) |
| Ensure data protection by design and by default is built in, with non-core features off by default | ~80% could not show data protection had been meaningfully integrated into product development (finding 10) |
In other words: the ICO identified where providers fall short, and the DfE has now told schools to interrogate exactly those areas before buying. The questions in the new guidance give data protection leads the authority, and the official backing, to push back on suppliers who claim these checks are unnecessary. Our Supplier Due Diligence Step by Step guide sets out how to run this process in practice, including the Article 28 contract checks and the Supplier Due Diligence Form available to DPE customers.
Security expectations: read alongside the June 2026 Cyber Security Standard
The guidance's security section expects schools to evaluate suppliers on encryption, secure authentication, audit logging and intrusion detection, and to check for independent audits, security certifications and penetration testing. These expectations mirror the direction of the DfE's own Cyber Security Core Standard, updated in June 2026, which now requires:
- MFA on all staff accounts with access to cloud services or on-site systems, and all IT administrative accounts, no longer just senior leaders and those handling sensitive data. When evaluating an EdTech tool, ask whether it supports MFA or SSO for staff access; a tool that cannot is now working against your compliance with the standard.
- All network-connected devices, explicitly including IoT devices, to be securely configured and protected by firewalls, which matters where an EdTech product includes hardware such as cameras or sensors.
- Custom-built or commissioned applications to be developed securely in line with the UK Software Security Code of Practice, a question worth putting to any supplier building something bespoke for your school.
- Tighter account management: accounts created only when needed, access scoped to role, and disabled as soon as someone leaves their role, which should extend to accounts within EdTech platforms, not just your own network.
In practice, the security questions the procurement guidance tells you to ask a supplier are the same standards the DfE expects schools to meet internally. Your supplier's answers should be at least as strong as your own arrangements. The same logic applies to the people who manage your systems: our article Is your IT Support Provider Compliant? covers the equivalent questions to put to your IT support arrangements.
Safeguarding, AI and filtering: the KCSIE connection
The guidance is clear that safeguarding applies to tools and systems, and that procurement decisions must align with KCSIE duties and the DfE Filtering and Monitoring Standard. Points to note:
- AI tools must allow monitoring and supervision by appropriate, authorised staff, and tools children can access need appropriate filtering and monitoring in place.
- The DSL should be consulted alongside the DPO before a decision is made to procure a tool with AI functionality, echoing the DSL's procurement role under the Filtering and Monitoring Standard.
- Tools should include an audit trail enabling safeguarding leads to monitor and review pupil usage
- If there are doubts a tool will fully protect pupils or their personal data, the guidance is blunt: that supplier may not be appropriate for your school
We covered the DSL's responsibilities, the data protection implications of large-scale monitoring, and the SAR discoverability of alerts in The DSL's Guide to Filtering and Monitoring. The same principles, necessity, proportionality, transparency through privacy notices and acceptable use policies, and a DPIA where special category data is likely, apply equally to EdTech tools that generate safeguarding-relevant data. For the AI-specific questions, our practical guide Can you use AI safely in schools? and our summary of the DfE AI Standards cover the same ground the procurement guidance points to, including model training, moderation of outputs, and the controls schools should expect.
What should you do now?
- Build the guidance into your procurement process: no new EdTech tool without DPO consultation at the start, a DPIA where required, and DSL involvement where pupils will use the tool.
- Use the ICO's ten findings as your due diligence checklist when questioning suppliers: controller/processor roles, secondary uses, Article 28 contract terms, DPIAs, sub-processors, retention, breach notification, and data protection by design.
- Add security questions that match the June 2026 Cyber Security Standard: MFA/SSO support, secure development, and how supplier-side accounts are managed and disabled.
- Review existing tools, not just new ones: the guidance expects ongoing monitoring, review of updates, and updated DPIAs and privacy notices when processing changes; the May 2026 updates to our model privacy notices already reflect DUAA and the Children's Wellbeing and Schools Act
- Plan the exit before you sign: agreed timescales for return and deletion of data, confirmation of deletion, and data portability if you switch providers.
| DPE Notes This new section of the Data Protection in Schools guidance is the clearest statement yet that the DPO belongs at the start of the procurement conversation, not the end. It also closes a loop: the ICO told providers what they were getting wrong, and the DfE has now told schools which questions to ask so those failures are caught before contracts are signed. DPE customers can use the Supplier Due Diligence Form and Best Practice Area in the Knowledge Bank to structure these conversations, and our DPO service can support you with DPIAs, contract reviews and supplier assessments. Contact the helpdesk on 0800 0862018 or via |
Frequently Asked Questions
| What is the new DfE EdTech procurement guidance? Published on 9 July 2026 as part of the DfE's Data Protection in Schools guidance, it sets out the data protection considerations for schools before, during and after procuring EdTech tools. It covers DPIAs, lawful basis, data flows, controller and processor roles, AI, the Children's Code, safeguarding, storage and retention, exit planning, security, data subject rights, breaches and ongoing supplier monitoring. |
| Do schools have to complete a DPIA before buying EdTech? A DPIA is required where processing is likely to result in a high risk to individuals' rights and freedoms, for example profiling pupils or large-scale processing of biometric data. The DfE guidance recommends completing it as early as possible, ideally before any decisions are made about how personal data will be processed, and keeping it updated as the tool changes. |
| How does the ICO's EdTech audit affect school procurement? The DfE guidance directs schools to take the ICO's EdTech Examined findings into consideration when procuring tools. The ICO found widespread failures among providers, including unrecognised controller roles, unlawful secondary use of children's data, inadequate contracts and missing DPIAs, so schools should test suppliers against these areas before signing. |
Further Reading
- DfE: Data Protection in Schools,Procuring educational technology (EdTech)
- DPE: ICO EdTech Audit 2025, Key Findings for Schools
- DPE: DfE Cyber Security Standards for Schools, June 2026 Update
- DPE: The DSL's Guide to Filtering and Monitoring
- DPE: Supplier Due Diligence Step by Step
- DPE: Can you use AI safely in schools?
- DPE: What the Data (Use and Access) Act Means for Schools
- ICO: EdTech Examined: Key Findings from Our Audits
- DfE: Filtering and Monitoring Core Standard
Data Protection Education 2026. This article is provided for information and guidance purposes. It does not constitute legal advice. For advice specific to your organisation, please contact your DPE adviser.
