ICO audit confirms serious concerns about children’s data in education technology
The Information Commissioner’s Office (ICO) has published its long-awaited report into the data protection practices of 28 major education technology providers used in schools.

The Information Commissioner’s Office (ICO) has published its long-awaited report into the data protection practices of 28 major education technology providers used in schools.
The findings are concerning, but they are not surprising. They echo many of the issues identified by the Digital Futures for Children Centre‘s (DFC) earlier research into how children’s data is collected and used by education technology providers, and reinforce the need for stronger safeguards across the sector.
Among the ICO’s findings were that:
- Many providers had not properly assessed the risks their products pose to children and their privacy.
- Nearly 80% could not demonstrate how they had embedded data protection into product design or meaningfully considered children’s needs in design decisions.
- Providers were often using children’s information for their own purposes, including product development, without being able to demonstrate that this processing was fair, as per GDPR rules.
- Several AI-powered features lacked adequate safeguards, particularly where third-party AI systems were involved.
- The ICO found examples of contracts that allowed children’s information to be retained to train AI systems.
- Many providers could not justify how long they retained children’s information, and nearly all had incomplete records of their data processing.
These findings matter because education technology is different from most online services. Children do not get a choice whether they use these products. Schools also entrust providers with some of the most sensitive information that exists about children and their families, including information about health, special educational needs, behaviour and family circumstances. Children, parents and schools have a right to expect that this information is handled lawfully, responsibly and in children’s best interests.
One particularly significant finding concerns accountability. The ICO found that many providers were using children’s information for their own purposes, while failing to recognise that this made them responsible for that processing. This reflects our long-standing concerns that some providers have relied on schools to shoulder legal responsibility, even where companies are making decisions about how children’s data is used to improve their own products.
“The ICO’s findings confirm what the Digital Futures for Children Centre’s research highlighted several years ago: too many EdTech providers are failing to protect children’s privacy. In a context where the majority of children have no choice but to use these services, that is unacceptable.
“We welcome this long-overdue scrutiny and the ICO’s commitment to begin work on an EdTech Code of Practice, something 5Rights and the Digital Futures for Children Centre have long called for. We look forward to working with the ICO to ensure the Code puts children’s rights at its heart and gives schools and parents confidence that the products they use meet the highest standards of privacy and accountability.”
Colette Collins-Walsh, Head of UK Affairs at 5Rights
The ICO’s report lays bare the urgent need to improve privacy standards in education technology. But children’s experiences of EdTech are about more than data protection alone. Through our Better EdTech Futures for Children project, 5Rights is examining how education technology impacts children’s right to education more broadly, helping to ensure that the digital tools used in schools are designed in children’s best interests.
As technology becomes an increasingly central part of children’s education, we must be able to answer both the what and the why: what technology is being introduced into classrooms, and why it is being used. Those decisions should be grounded in robust evidence, children’s rights and their best interests. Children deserve nothing less.
