9ine Insights | Latest news from 9ine

ICO's EdTech Examined: what its audit of 28 vendors means for schools

Written by 9ine | Jul 3, 2026 8:57:50 AM

The Information Commissioner's Office has audited 28 edtech vendors and published the results in "EdTech Examined: key findings from our audits." The picture it paints is one of a sector where good intentions haven't yet translated into consistent practice, and where the gap, in the ICO's own findings, usually lands on the school to close.

Here's what the audit found, and what it means for the vendors already in your supply chain.

Vendors are more often controllers than they think

Almost 70% of the providers the ICO looked at were found to be acting as a controller for at least some of their use of children's personal information, even where they saw themselves purely as a processor working to a school's instructions. The confusion often shows up when vendors use pupil data for their own purposes, product development, or producing anonymised statistics, without recognising that this makes them a controller for that activity. It also shows up when vendors roll out new features or new uses of children's data by default, with no way for a school to switch them off.

Impact on schools: the controller-processor split determines who is legally responsible for what. If a vendor's contract or documentation doesn't reflect what it actually does with pupil data, the school is exposed, not the vendor.

Data minimisation is being overlooked

Nearly half of the providers audited hadn't fully thought through data minimisation. Some were collecting information their product simply didn't need to function; others couldn't explain why certain data was necessary in the first place. Classroom learning tools were the most common offenders. The ICO's guidance is practical: use a child's initial rather than their full name, capture month and year of birth rather than a full date, and disable non-essential functions by default, all recorded in a DPIA or product design specification.

Impact on schools: this is a fair question to put to any vendor at renewal. Ask them to point to where minimisation decisions are documented, not just describe them.

Retention periods are unclear or excessive

Around 70% of providers either failed to set a clear retention period or held on to children's data for longer than they could justify, usually because a single fixed retention rule was applied across every school using the product, regardless of that school's own policy.

Impact on schools: this is a recurring pain point for schools trying to demonstrate their own retention schedules are being honoured downstream. If a vendor can't tell you their retention period in writing, that's the answer.

Transparency obligations aren't being met

Where a vendor is the controller, it must give children the information required under UK GDPR articles 13 and 14, in language they can actually understand. Where a vendor is the processor, its role is to support the school in being transparent, including by sharing the technical detail about how the product processes information that only the developer would know. The ICO was clear that this needs to be concise and in plain language, not buried in a lengthy privacy policy.

Impact on schools: if a vendor can't produce a plain-language explanation a pupil could follow, that's a gap the school will be asked to fill.

Breach handling, contracts and due diligence are weak spots

The audits turned up significant gaps in the basics of compliance:

  • Over 70% of providers had failed to document personal data breaches properly, or didn't understand the different duties controllers and processors have when a breach happens
  • Around 70% of contracts between vendors and schools lacked the detail required under UK GDPR article 28
  • Half of the providers hadn't carried out meaningful due diligence before appointing a sub-processor
  • Around 20% didn't have an effective DPO in place where one was legally required
  • About 80% hadn't formalised their approach to data protection, with no clear staff responsibilities or documented processes
  • Over 40% hadn't carried out a DPIA for their product at all
  • Around 30% couldn't give schools the functionality needed to action individual rights requests independently

Impact on schools: each of these is a specific, answerable question you can put to a vendor before signing or renewing, not a vague box to tick.

What schools should be doing now

Schools can't audit every vendor to ICO standard themselves, but they can ask better questions and expect written answers:

  • Ask each vendor to confirm, in writing, where they act as controller versus processor for each type of processing
  • Request their Record of Processing Activities, or at least a relevant extract, rather than relying on a generic privacy notice
  • Check whether they've completed a DPIA, and ask to see the summary
  • Look for a named DPO and evidence of due diligence on their own sub-processors
  • Review contracts against UK GDPR article 28 requirements before renewal, not after a concern is raised

How 9ine helps

This is exactly the territory the 9ine Platform is built for. The Privacy module gives schools a live Record of Processing, a straightforward way to run and track DPIAs, and a structured process for logging and managing incidents. Vendor Management gives schools independent, traffic-light visibility of the risk each EdTech provider carries, so due diligence isn't left to a vendor's own marketing claims. And Application gives teachers and IT leads a single, approved inventory of the tools actually in use across the school, closing the gap between what's been sanctioned and what's really running in classrooms.

The ICO's message to vendors was that children's rights and privacy need to sit at the heart of every product decision. Ours to schools is the same principle from the other side: you shouldn't have to take that on trust.

Learn more about Vendor Management or book a meeting with one of our team to see how 9ine can help you evidence vendor due diligence ahead of your next renewal cycle.

Source: ICO, "EdTech Examined: key findings from our audits"