Skip to main content

Tech must be safe for kids. Be the change.

ICO audit confirms serious concerns about children’s data in education technology

The Information Commissioner’s Office (ICO) has published its long-awaited report into the data protection practices of 28 major education technology providers used in schools.

The Information Commissioner’s Office (ICO) has published its long-awaited report into the data protection practices of 28 major education technology providers used in schools.

The findings are concerning, but they are not surprising. They echo many of the issues identified by the Digital Futures for Children Centre‘s (DFC) earlier research into how children’s data is collected and used by education technology providers, and reinforce the need for stronger safeguards across the sector.

Among the ICO’s findings were that:

  • Many providers had not properly assessed the risks their products pose to children and their privacy.
  • Nearly 80% could not demonstrate how they had embedded data protection into product design or meaningfully considered children’s needs in design decisions.
  • Providers were often using children’s information for their own purposes, including product development, without being able to demonstrate that this processing was fair, as per GDPR rules.
  • Several AI-powered features lacked adequate safeguards, particularly where third-party AI systems were involved.
  • The ICO found examples of contracts that allowed children’s information to be retained to train AI systems.
  • Many providers could not justify how long they retained children’s information, and nearly all had incomplete records of their data processing.

These findings matter because education technology is different from most online services. Children do not get a choice whether they use these products. Schools also entrust providers with some of the most sensitive information that exists about children and their families, including information about health, special educational needs, behaviour and family circumstances. Children, parents and schools have a right to expect that this information is handled lawfully, responsibly and in children’s best interests.

One particularly significant finding concerns accountability. The ICO found that many providers were using children’s information for their own purposes, while failing to recognise that this made them responsible for that processing. This reflects our long-standing concerns that some providers have relied on schools to shoulder legal responsibility, even where companies are making decisions about how children’s data is used to improve their own products.

The ICO’s report lays bare the urgent need to improve privacy standards in education technology. But children’s experiences of EdTech are about more than data protection alone. Through our Better EdTech Futures for Children project, 5Rights is examining how education technology impacts children’s right to education more broadly, helping to ensure that the digital tools used in schools are designed in children’s best interests.

As technology becomes an increasingly central part of children’s education, we must be able to answer both the what and the why: what technology is being introduced into classrooms, and why it is being used. Those decisions should be grounded in robust evidence, children’s rights and their best interests. Children deserve nothing less.



Tech must be safe for kids. Be the change.

Join us in asking our leaders to be more ambitious and require companies do the right thing by our children.