Skip to the main content.

6 min read

DfE EdTech procurement guidance: the Department is joining the dots for schools

DfE EdTech procurement guidance: the Department is joining the dots for schools
DfE EdTech procurement guidance: the Department is joining the dots for schools
13:01

The Department for Education has on July 9th 2026 published specific guidance on procuring educational technology within its wider Data protection in schools guidance.

The guidance does not create an entirely new set of obligations for schools. Schools have always needed to understand what personal data is processed, why it is processed, which vendors are involved, whether a DPIA is required, what contract terms apply, how data is secured, and how children are protected.

What matters is that the DfE is now joining the dots more explicitly for schools.

EdTech procurement is being positioned not simply as an IT, finance or teaching and learning decision, but as a connected governance decision involving data protection, safeguarding, AI, cyber security, contracts, vendor accountability, filtering and monitoring, and ongoing oversight. The guidance says schools must make sure that personal data processing complies with data protection law when they buy or start using EdTech, and that data protection by design and by default should be built into the use of any tool.

The legal and governance questions are not new. The operational complexity is.

The DfE is making the procurement process clearer

The DfE guidance helps schools understand what should be considered before, during and after procuring EdTech tools. It specifically says schools should consult their Data Protection Officer at the very start and throughout implementation.

That is a significant message.

Too often, privacy, safeguarding, cyber security or vendor review happens after a tool has already been chosen, trialled or even used. The DfE is making clear that these questions need to be part of the procurement process from the beginning.

The guidance also points schools to the ICO’s recent EdTech Examined report and says schools should take the findings into consideration when procuring EdTech tools.

That matters because the ICO’s work highlighted a number of recurring issues in the EdTech market, including confusion around controller and processor roles, unclear contracts, incomplete data mapping, weak retention arrangements, DPIA gaps, sub-processor oversight and data protection by design.

The DfE is effectively saying: these findings should influence how schools buy and review EdTech.

This is not just a procurement checklist

The DfE guidance covers a wide range of areas schools should already be considering, but which are often managed separately.

Schools need to understand what personal data is used by a tool, whether special category data is involved, and whether the data being collected is proportionate to the educational purpose. The guidance gives the example of a maths practice application that should only need limited information, rather than wider data from the MIS simply because more data is available.

Schools also need to document the lawful basis for processing, understand data flows, and ask suppliers to explain what happens to personal data at every stage. If a supplier cannot explain the data flow, the DfE says the school should ask them to find out before procurement proceeds.

The guidance also makes clear that schools need to understand responsibility for the data. Schools are usually controllers for the personal data they process, but suppliers may act as processors, joint controllers or independent controllers for particular features, especially where they use data for their own purposes or provide additional features outside the school’s requirements.

Contracts and data processing agreements also need proper scrutiny. The DfE says responsibilities should be clearly assigned, and that contracts should cover security measures, sub-processors, deletion and return of data, breach notification and staff access control.

None of this is new in principle.

What is new is the way the DfE has brought these expectations together into a school-facing EdTech procurement process.

AI makes this more urgent

The DfE guidance includes specific points on AI in tools.

It says schools must assess how AI is used, including whether a tool generates content, responds to pupil information, personalises learning using pupil data, processes further pupil personal data, enables interaction with chatbots or other users, or uses automated decision-making or profiling.

Suppliers must be able to explain how the tool works, including how AI outputs are moderated, whether data is used to train the AI model, how inaccuracies and bias are mitigated, and what controls and restrictions schools have available.

This is a critical development for schools.

AI is increasingly being added into tools that schools already use. A school may not be buying a new “AI product”; it may be renewing or updating a platform that now includes AI functionality. That means vendor review can no longer be limited to new purchases. Schools need a process for reviewing existing tools when functionality changes.

The DfE guidance also gives a useful example of an AI writing tool. In that example, the school established that pupil data could be used to develop AI functionality, that the function could not be turned off, and that data was stored outside the UK. The school therefore decided the supplier did not meet its internal policy requirements and chose not to proceed.

That example is important because it shows what good governance looks like. The school did not simply ask whether the tool was useful. It considered data use, AI training, storage, policy alignment and whether the school had sufficient control.

This is where the Diamond Formation is directly relevant

The DfE guidance makes clear that EdTech procurement cannot sit with one person or one function.

The questions it raises cut across technology, safeguarding, privacy, finance, teaching and learning, contracts and leadership accountability.

That is exactly why 9ine developed the Diamond Formation.

The Diamond Formation brings together the four perspectives schools need when approving, reviewing and governing EdTech and AI-enabled tools:

Academic — does the tool support teaching, learning, assessment, inclusion or workload in a meaningful way?

Technology — can the tool be implemented, secured, monitored and supported properly?

Digital Safety / Safeguarding — could the tool expose pupils to harm, inappropriate interaction, unsafe content, dependency, bias or misuse?

Privacy — what data is processed, where does it go, who is responsible, are sub-processors involved, is AI training taking place, and is a DPIA needed?

The DfE guidance says schools should involve the DPO early, consider safeguarding and online safety, understand AI use, assess data flows, review contracts, clarify controller and processor roles, check security, and involve the Designated Safeguarding Lead where children may access the tool.

In practice, that is the Diamond Formation in action.

It gives schools a way to move EdTech procurement from isolated approval to joined-up governance. It helps ensure that educational value, technical control, safeguarding risk and data protection are considered together before a tool reaches children.

Policy sets the boundaries. Procurement checks the tool. The Diamond Formation makes sure the right people are involved in the decision.

The link to KCSIE 2026

The DfE’s EdTech procurement guidance also links procurement to safeguarding duties. It says schools must ensure that systems and products align with internal safeguarding and online security policies and the safeguarding duties set out in Keeping children safe in education.

That connection matters even more because Keeping children safe in education 2026 has now been published for information and comes into force on 1 September 2026. Schools and colleges must continue to use KCSIE 2025 until 31 August 2026, but the 2026 version is now available for planning.

The direction is clear: online safety, AI, filtering and monitoring, safeguarding, information security and evidence of oversight are becoming more closely connected.

The EdTech procurement guidance says that when children may access tools or technology, appropriate filtering and monitoring systems need to be in place. It also says the Designated Safeguarding Lead should be involved in procurement decisions, and that tools should include an audit trail enabling safeguarding leads to monitor and review pupil usage.

This is a joined-up safeguarding and governance expectation.

Schools need to know not only that a tool has been purchased, but that it has been assessed, configured, monitored, reviewed and connected to the school’s wider safeguarding and data protection arrangements.

The problem for schools is fragmentation

The difficulty for most schools is not that they are unaware of their responsibilities.

The difficulty is that the evidence sits in too many places.

Vendor documents may sit in email folders. DPIAs may sit with the DPO. App requests may sit with IT. Contracts may sit with finance. Safeguarding concerns may sit with the DSL. AI governance may sit with a working group. Staff guidance may sit in a shared drive. Parent communication may be handled separately.

This creates a practical governance problem.

A school may have reviewed a vendor, but not connected that review to the application staff are using. It may have completed a DPIA, but not updated it when a supplier adds an AI feature. It may have a contract, but not a clear record of sub-processors or deletion terms. It may approve an application, but not provide teachers with guidance at the point of use. It may have safeguarding concerns, but not connect them to procurement or vendor assurance.

The DfE guidance makes the connections clearer. Schools now need an operating model that makes those connections manageable.

How 9ine supports schools

9ine helps schools govern technology, data and AI with confidence.

Our platform and services are designed to help schools turn EdTech procurement, vendor due diligence and AI governance into a structured operating model.

Vendor Management helps schools assess EdTech products from a privacy, AI, cyber and digital safety perspective. It gives schools product-level vendor intelligence, evidence, traffic-light indicators and recommended tasks.

Application Library gives staff a clear view of approved tools and a structured route to request new applications. It helps schools reduce unmanaged EdTech adoption and gives teachers practical guidance on safe and responsible use.

Privacy supports Records of Processing, DPIAs, vendor-linked processing activities, incidents, retention and accountability evidence.

Governance turns risks, issues, tasks and decisions into managed work, with ownership, actions, review dates and leadership reporting.

Contract connects technology use and vendor risk to cost, renewal, contract terms and supplier performance.

Application Parent Portal helps schools publish selected information about approved applications to parents, supporting transparency around EdTech, AI, privacy and digital safety without losing control of the message.

9ine services provide additional support where schools need expertise, including DPO support, vendor review, cyber security testing, Security & Systems assessments, AI governance consultancy and wider technology risk reviews.

The value is not simply that schools can answer the DfE’s procurement questions. It is that they can evidence how those answers were reached, who was involved, what decisions were made, what actions were assigned and what remains under review.

The practical next step

Schools should now review their EdTech procurement and approval processes against the DfE guidance.

The question is not whether these duties are new. They are not.

The question is whether the school’s current process is strong enough to join together data protection, safeguarding, AI, cyber security, vendor assurance, contract management, staff guidance, parent transparency and leadership reporting.

A strong process should involve IT, privacy, safeguarding, finance, teaching and learning, and senior leadership. It should link vendor assessment, application approval, DPIAs, contracts, staff guidance, parent communication and ongoing monitoring.

The DfE has made the connections clearer.

The next question is whether your school can evidence those connections in practice. Book yourself a guest pass to learn more about how our platform supports you meeting DfE expectations.



KCSIE 2026 is confirmed: AI is now part of the safeguarding system

1 min read

KCSIE 2026 is confirmed: AI is now part of the safeguarding system

The finalised Keeping Children Safe in Education 2026 guidance is published and comes into force on 1 September 2026. For schools, the most...

Read More
Outlook: AI in Safeguarding – What to Expect in KCSIE 2025

1 min read

Outlook: AI in Safeguarding – What to Expect in KCSIE 2025

KCSIE is due to be published soon and, according to sources, is expected to undergo a significant upgrade, potentially even a complete rewrite. In...

Read More
KCSIE 2025: What We Got Right (and What We Didn’t) About AI and Safeguarding

1 min read

KCSIE 2025: What We Got Right (and What We Didn’t) About AI and Safeguarding

When we published our forecast on how KCSIE 2025 might address Artificial Intelligence, we speculated that the Department for Education was poised to...

Read More