Signal / Other / 16 August 2026
ICO actions against EdTech data-handling are tightening
The Information Commissioner's Office has stepped up enforcement against EdTech vendors handling pupil data since 2023. Specific concerns: behavioural-analytics products processing pupil data without adequate data-protection impact assessments, age-appropriate-design-code compliance failures, and inadequate safeguarding-of-children integration.
What is happening
The Information Commissioner's Office has stepped up enforcement against EdTech vendors handling pupil data since 2023. The framework is the Children's Code (the Age Appropriate Design Code), which sets standards for online services likely to be accessed by children. The Data Protection Act 2018 provides the underlying authority.
Specific concerns the ICO has flagged in published guidance and enforcement: behavioural-analytics products processing pupil data without adequate Data Protection Impact Assessments (DPIAs); insufficient transparency to pupils and parents about how data is used; default-on profiling settings; sharing pupil data with third parties for purposes beyond the educational service.
Vendor implications
Three implications for EdTech vendors selling into UK schools:
First, DPIAs are not a procurement formality. The buying school is the data controller and the vendor is the processor; the school is responsible for the DPIA but cannot complete it without vendor input. Vendors who pre-build comprehensive DPIA support material compress procurement materially. Vendors who treat DPIAs as the school's problem face cycle delays.
Second, age-appropriate-design must be evidenced in product, not just claimed in marketing. The ICO has shown willingness to investigate vendors whose marketing claims age-appropriate-design that the product does not implement. Vendors should align design, configuration defaults, transparency notices, and product behaviour with the Children's Code.
Third, sub-processor and data-sharing scrutiny is rising. Schools and trusts increasingly ask detailed questions about which third parties process pupil data, where the data goes, and what controls are in place. Vendors should expect this scrutiny and prepare accordingly.
Looking forward
The ICO has signalled continued focus on EdTech in its published regulatory priorities. Vendors should treat the regulatory environment as tightening, not stable. Investing in compliance evidence and product-level alignment is increasingly a commercial necessity, not a defensive luxury.
Source: ICO Children's Code (Age Appropriate Design Code). Data Protection Act 2018. Editorial observation.