3 min read
9ine: Updated on July 3, 2026
The Information Commissioner's Office has audited 28 edtech vendors and published the results in "EdTech Examined: key findings from our audits." The picture it paints is one of a sector where good intentions haven't yet translated into consistent practice, and where the gap, in the ICO's own findings, usually lands on the school to close.
Here's what the audit found, and what it means for the vendors already in your supply chain.
Almost 70% of the providers the ICO looked at were found to be acting as a controller for at least some of their use of children's personal information, even where they saw themselves purely as a processor working to a school's instructions. The confusion often shows up when vendors use pupil data for their own purposes, product development, or producing anonymised statistics, without recognising that this makes them a controller for that activity. It also shows up when vendors roll out new features or new uses of children's data by default, with no way for a school to switch them off.
Impact on schools: the controller-processor split determines who is legally responsible for what. If a vendor's contract or documentation doesn't reflect what it actually does with pupil data, the school is exposed, not the vendor.
Nearly half of the providers audited hadn't fully thought through data minimisation. Some were collecting information their product simply didn't need to function; others couldn't explain why certain data was necessary in the first place. Classroom learning tools were the most common offenders. The ICO's guidance is practical: use a child's initial rather than their full name, capture month and year of birth rather than a full date, and disable non-essential functions by default, all recorded in a DPIA or product design specification.
Impact on schools: this is a fair question to put to any vendor at renewal. Ask them to point to where minimisation decisions are documented, not just describe them.
Around 70% of providers either failed to set a clear retention period or held on to children's data for longer than they could justify, usually because a single fixed retention rule was applied across every school using the product, regardless of that school's own policy.
Impact on schools: this is a recurring pain point for schools trying to demonstrate their own retention schedules are being honoured downstream. If a vendor can't tell you their retention period in writing, that's the answer.
Where a vendor is the controller, it must give children the information required under UK GDPR articles 13 and 14, in language they can actually understand. Where a vendor is the processor, its role is to support the school in being transparent, including by sharing the technical detail about how the product processes information that only the developer would know. The ICO was clear that this needs to be concise and in plain language, not buried in a lengthy privacy policy.
Impact on schools: if a vendor can't produce a plain-language explanation a pupil could follow, that's a gap the school will be asked to fill.
The audits turned up significant gaps in the basics of compliance:
Impact on schools: each of these is a specific, answerable question you can put to a vendor before signing or renewing, not a vague box to tick.
Schools can't audit every vendor to ICO standard themselves, but they can ask better questions and expect written answers:
This is exactly the territory the 9ine Platform is built for. The Privacy module gives schools a live Record of Processing, a straightforward way to run and track DPIAs, and a structured process for logging and managing incidents. Vendor Management gives schools independent, traffic-light visibility of the risk each EdTech provider carries, so due diligence isn't left to a vendor's own marketing claims. And Application gives teachers and IT leads a single, approved inventory of the tools actually in use across the school, closing the gap between what's been sanctioned and what's really running in classrooms.
The ICO's message to vendors was that children's rights and privacy need to sit at the heart of every product decision. Ours to schools is the same principle from the other side: you shouldn't have to take that on trust.
Learn more about Vendor Management or book a meeting with one of our team to see how 9ine can help you evidence vendor due diligence ahead of your next renewal cycle.
Source: ICO, "EdTech Examined: key findings from our audits"