- Tammy Buchanan
- Best Practice Updates
The ICO's edtech audit programme, covering 28 providers used across UK primary and secondary schools, has resulted in one of the most significant data protection reports to affect the education sector in years. Published in June 2025, the ICO's EdTech Examined report made 596 recommendations and found widespread compliance failures in how edtech providers handle children's personal data. This article sets out what was found and what schools and DPOs need to do about it.
The Department for Education (DfE) updated its Data protection in schools guidance on 17 June 2026, this refresh aligns the guidance with the wider expected KCSIE 2026 guidance and reinforces existing obligations that schools should already be acting on.
This article sets out what has changed, what it means for your school in practice, and the actions your data protection lead should be taking now.
The Keeping Children Safe in Education (KCSIE) document obliges schools and colleges in England to “ensure appropriate filters and appropriate monitoring systems are in place and regularly review their effectiveness”. This responsibility is now a standard, no just a technical tick box, but a core leadership and safeguarding function.
In May 2026, Shottermill Junior School in Haslemere, Surrey became the latest UK primary school to fall victim to a ransomware attack. The LockBit 5.0 group officially listed the school as a victim on 9 June 2026, with threat intelligence monitors detecting the initial network infiltration as far back as 20 May 2026. This means the attackers had approximately three weeks of dwell time inside school systems before the attack became public knowledge.
When a Multi-Academy Trust (MAT) accidentally leaks highly sensitive pupil data, it makes national headlines.
Earlier this year, we brought together schools and multi academy trusts from across the sector for a day focused on something that continues to challenge us all: data protection in education.
The response was incredible.
On 4 June 2026, Powys County Council confirmed that a cyber security incident had resulted in the theft of personal data belonging to pupils, staff, and others connected to schools in mid-Wales. Thirteen schools were affected by the wider incident, with personal data specifically taken from at least one. The attack was first identified in April 2026 and, according to the council, was “quickly contained”, but not before unauthorised access to personal data had already occurred.
We present an article written by our Featured Guest Expert Ralph T O'Brien for our school and multi academy trust customers about the Data Use and Access Act where he breaks down what the latest legislative changes mean for the education sector.
📢 Thinking about your training for inset days in September? Then look no further and book onto our online training sessions.
ChatGPT, Gemini, Copilot and Data Protection
A Practical Guide for School Leaders and Data Protection Officers
This article combines guidance from the Guardians of Privacy series, produced by Data Protection Education in collaboration with Litus Digital, with urgent new advice issued in May 2026 following confirmed blackmail attempts against UK schools using AI-manipulated images of children. Key sources include the UK Safer Internet Centre (8 May 2026) and the Internet Watch Foundation.
©2026 Data Protection Education Ltd.