- Tammy Buchanan
- Best Practice Updates
ICO EdTech Audit 2025: Key Findings for Schools
The ICO's edtech audit programme, covering 28 providers used across UK primary and secondary schools, has resulted in one of the most significant data protection reports to affect the education sector in years. Published in June 2025, the ICO's EdTech Examined report made 596 recommendations and found widespread compliance failures in how edtech providers handle children's personal data. This article sets out what was found and what schools and DPOs need to do about it.
Ten Key Findings
1. Controller/processor role confusion: ~70% of providers were acting as controllers for some processing but had not recognised it or met the legal responsibilities that follow.
2. Unlawful secondary use of children's data: many providers used children's data for product development, analytics and AI training without a lawful basis, often without schools knowing.
3. Inadequate contracts: ~70% of contracts lacked the detail required by Article 28 UK GDPR, leaving schools unable to meaningfully control how pupil data was used.
4. Incomplete ROPAs: ~90% of providers had incomplete records of processing; secondary uses were frequently unrecorded.
5. Transparency failures: ~80% published privacy information that was too generic or outdated to meet UK GDPR transparency requirements.
6. Retention period failures: ~70% had unclear or unjustifiable retention periods; some retained children's data indefinitely.
7. Missing or inadequate DPIAs: over 40% had not completed a DPIA at all, and most of those that had were inadequate or significantly out of date.
8. Sub-processor oversight gaps: half of providers had not carried out meaningful due diligence on sub-processors; some unknowingly permitted AI providers to train on children's data.
9. Breach process failings: over 70% had incorrect breach management processes; several had never logged a breach or near-miss.
10. Data protection not built into product development: ~80% could not show that data protection had been meaningfully integrated into product development.
What This Means for Schools and Data Protection Leads
Schools remain controllers in most edtech relationships and carry legal accountability for how data processed on their behalf is used. The ICO's findings translate into four areas of action.
1. Supplier Due Diligence
• Ask providers to confirm in writing whether they act as processor only, or also as controller for secondary processing (analytics, AI training, anonymisation).
• Request copies of DPIAs for the products you use; providers should supply these free of charge.
• Obtain a current sub-processor list. Where providers use third-party AI, confirm the AI provider is contractually prohibited from using school data for model training.
2. Contract Reviews
• Check contracts specify which data fields will be processed, in what format, and for how long.
• Confirm what happens to data at contract end: deletion or return, at the school's choice (Article 28(3)(g) UK GDPR).
• Ensure contracts include the Article 28(3) mandatory terms; the ICO found many did not.
3. Privacy Notices and Transparency
• Review your privacy notice to confirm it accurately reflects how edtech providers use pupil data.
• Where providers have updated their privacy information following the audit, check your own notice remains consistent.
• Ask providers whether they publish a child-friendly privacy policy: the ICO expects this for products used directly by children.
4. Breach Reporting
• Confirm with key providers that they will report ALL personal data breaches to the school without undue delay, regardless of assessed risk level. Article 33(2) UK GDPR requires a processor to notify the controller of any breach once it becomes aware of it; the risk assessment that decides whether the ICO must be notified is the controller's decision, not the provider's. Provider policies that restrict reporting to 'high-risk' breaches only do not comply.
• Review your own breach log: are near-misses recorded as well as actual incidents?
DPE Notes: This is the most substantive regulatory guidance to emerge from the ICO in the education sector in several years. The controller/processor finding is particularly important: schools are frequently told by providers that they are 'just a processor', but if a provider makes autonomous decisions about retention, data fields, or secondary uses, the legal reality is more complex. This report gives data protection leads the authority to push back. If you would like support reviewing edtech contracts, updating privacy notices, or conducting a supplier audit, please contact the DPE helpdesk via
What Happens Next?
The ICO is continuing to work with 12 of the 28 providers where risks were highest. It is also engaging with the UK government on secondary legislation requiring a new statutory code on children's personal data in digital educational settings. The findings from this audit programme will inform that code, meaning the ICO's ten findings are likely to become the baseline for future mandatory standards.
How Can Data Protection Education Help?
The ICO's findings map directly onto the services DPE provides to schools, MATs, and local authorities. Our outsourced DPO service, led by a legally qualified team including a solicitor and specialists with Master's degrees in data protection law, includes supplier contract reviews, ROPA consultancy, and DPIA support, all tailored to the education sector.
If the ICO's findings have prompted questions about your current edtech arrangements, our data protection audits can assess your supplier relationships and compliance position against the ten areas identified in the report. For schools that need to build staff awareness, our training and consultancy service covers UK GDPR obligations in an education context, including how to identify and manage controller/processor responsibilities in practice; September inset day online training sessions are now available to book. Several free resources are also directly relevant to the ICO's findings: our AI DPIA template supports schools in assessing edtech products that use AI functionality (findings 2, 7, and 10); our DfE Digital Standards overview provides useful procurement context; and our recent article Can You Use AI Safely in Schools? covers the data protection implications of AI tools including ChatGPT, Gemini, and Copilot. Our child-friendly privacy notices address the transparency gap the ICO identified in finding 5. To discuss your school's specific position, contact the DPE helpdesk on 0800 0862018 or at
Frequently Asked Questions
What did the ICO find in its edtech audit?
The ICO audited 28 edtech providers used across UK primary and secondary schools in 2024 and 2025. It found widespread compliance failures, including providers acting as data controllers without recognising it, children's data being used for AI training without a lawful basis, incomplete records of processing, missing or inadequate DPIAs, and retention periods that could not be justified. In total the ICO made 596 recommendations, 98% of which providers accepted.
What does the ICO edtech audit mean for schools?
Schools remain data controllers in most edtech relationships and carry legal responsibility for how pupil data is used on their behalf. The ICO's findings mean schools should review their edtech contracts against Article 28 UK GDPR requirements, ask providers whether they are acting as controller or processor for each processing activity, request copies of DPIAs, and confirm that sub-processors, including any third-party AI providers, cannot use school data for model training.
Do schools need to update their privacy notices because of the ICO edtech report?
Possibly. If your current privacy notice does not accurately reflect how your edtech providers use pupil data, including any secondary uses such as analytics, product development, or AI training, it may need updating. The ICO found that around 80% of providers published privacy information that was too generic or out of date. Schools relying on that information to inform their own notices may therefore be giving inaccurate information to children and families. DPE's child-friendly privacy notices and outsourced DPO service can support schools in reviewing and updating their notices.
Further Reading
• ICO: EdTech Examined: Key Findings from Our Audits (2025)
• ICO: Guide to Controllers and Processors
• ICO: Data Protection Impact Assessments
• ICO: Personal Data Breaches: A Guide
• ICO: Age Appropriate Design Code (Children's Code)
• ICO: Using Children's Information: A Guide
• DfE: Digital and Technology Standards for Schools and Colleges
This article has been prepared by Data Protection Education (DPE) for general guidance purposes. It does not constitute legal advice. Schools should seek specific advice on their individual circumstances.
