Over the last month, several education technology stories have landed that, on the surface, look separate.
A major student information and counselling platform has faced a significant settlement over alleged student tracking. Canvas has continued to deal with the fallout from a major breach. The UK Cyber Security Breaches Survey has shown another sharp increase in attacks on schools. MagicSchool has received a privacy badge from Common Sense Media, despite wider concerns identified through our own assessment. Boston Public Schools has announced that AI fluency will become a graduation requirement.
Different stories. Different jurisdictions. Different risks.
But I think they all point to the same underlying issue.
Schools are now expected to govern technology, data and AI in a way that is joined up, evidenced and operational. The problem is that, in many schools, the structures have not yet caught up with the reality.
Privacy may sit with one person. Safeguarding with another. Cyber security with IT. AI with a working group. EdTech approval with academic leadership. Contracts with finance. Training somewhere else entirely.
That model no longer works.
The risks now move across all of those areas at once.
An AI tool is not just an academic decision. It may be a safeguarding decision, a privacy decision, a procurement decision, a cyber decision and a training decision.
A learning platform breach is not just an IT incident. It may involve parent communications, breach assessment, supplier assurance, DPIA review, leadership reporting and board oversight.
A vendor privacy badge may be useful, but it does not remove the need for a school-specific, independent assessment of privacy, safeguarding, AI, cyber and product safety risks.
A cyber statistic is not just a number. It is a governance prompt.
What we are seeing is the collapse of the old idea that technology governance can be managed through isolated policies, annual reviews and informal approval routes.
It cannot.
The PowerSchool/Naviance settlement should make every school pause.
The allegations relate to third-party tracking technology embedded in Naviance, including tools that reportedly captured keystrokes, clicks and private counsellor messages over a period of several years.
Whether a school uses Naviance or not, the lesson is broader.
Too often, vendor due diligence focuses on the documents a supplier provides: the privacy notice, the data processing agreement, the security statement, the sub-processor list.
Those documents matter. But they are not the whole picture.
Schools also need to understand what the product is actually doing. What scripts are running? What analytics tools are embedded? What telemetry is collected? Are session replay tools being used? Are pupils’ interactions being monitored, analysed or shared in ways the school has not properly understood?
This is where I think the sector needs to be much more honest.
A signed DPA does not automatically mean a vendor is safe. A procurement approval does not mean the risk has been understood. A privacy notice does not mean the school has visibility of the technical reality.
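One concrete way to get that technical visibility is to compare what a vendor's pages actually load in the browser with what the vendor's paperwork discloses. The script below is an added example for this article; it is not 9ine's code and not any vendor's. It parses a constructed sample page (every hostname uses the reserved `.test` TLD and is a placeholder), lists each third-party host the page contacts, separates hosts that execute code or render content (scripts, iframes) from passive ones (images, stylesheets), and flags any host absent from a constructed sub-processor list standing in for the DPA's disclosure.

```python
"""Added example (not 9ine's or any vendor's code): list the third-party hosts
a vendor web page actually loads and flag those missing from the vendor's
declared sub-processor list. Standard library only; runs offline on the
embedded sample HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page standing in for a vendor's login screen.
# All hostnames use the reserved .test TLD and are placeholders, not real vendors.
SAMPLE_HTML = """
<html><head>
<script src="https://app.example-vendor.test/static/app.js"></script>
<script src="https://cdn.analytics-example.test/tag.js"></script>
<script src="https://replay.session-tool-example.test/record.js"></script>
<link rel="stylesheet" href="https://app.example-vendor.test/site.css">
</head><body>
<iframe src="https://chat.widget-example.test/embed"></iframe>
<img src="https://pixel.tracker-example.test/p.gif" alt="">
</body></html>
"""

# Constructed: the vendor's own domain and the sub-processor hosts its DPA lists.
FIRST_PARTY = "app.example-vendor.test"
DECLARED_SUBPROCESSORS = {"cdn.analytics-example.test"}

# Tags whose remote source executes code or renders third-party content in the
# pupil's browser; these carry more risk than a passive image or stylesheet.
ACTIVE_TAGS = {"script", "iframe"}


class ResourceCollector(HTMLParser):
    """Collects (tag, host) pairs for every remote resource the page references."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag in ("script", "iframe", "img"):
            url = a.get("src")
        elif tag == "link" and a.get("rel") == "stylesheet":
            url = a.get("href")
        if url:
            host = urlparse(url).hostname
            if host:  # relative URLs have no host: first-party by definition
                self.resources.append((tag, host))


def collect_resources(html):
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser.resources


def is_third_party(host, first_party):
    return host != first_party and not host.endswith("." + first_party)


def audit_page(html, first_party, declared):
    """Return one record per third-party host: which tags load it, whether it
    executes code or renders content, and whether the vendor disclosed it."""
    findings = {}
    for tag, host in collect_resources(html):
        if not is_third_party(host, first_party):
            continue
        rec = findings.setdefault(
            host, {"tags": set(), "active": False, "declared": host in declared}
        )
        rec["tags"].add(tag)
        rec["active"] = rec["active"] or tag in ACTIVE_TAGS
    return findings


def undeclared_hosts(html, first_party, declared):
    """Hosts the page contacts that the vendor's paperwork never mentioned."""
    return sorted(
        h for h, r in audit_page(html, first_party, declared).items() if not r["declared"]
    )


if __name__ == "__main__":
    for host, rec in sorted(audit_page(SAMPLE_HTML, FIRST_PARTY, DECLARED_SUBPROCESSORS).items()):
        status = "declared" if rec["declared"] else "UNDECLARED"
        kind = "active (code/content)" if rec["active"] else "passive"
        print(f"{status:10} {kind:22} {host}  via {','.join(sorted(rec['tags']))}")
```

On the sample page the only declared host is the analytics CDN; the session-replay script, the chat iframe and the tracking pixel are all undeclared, and the first two are active content. In practice the HTML would come from the school's own test account on the product (and a browser's network log would catch resources loaded dynamically that static parsing misses), and every undeclared host becomes a question for the vendor and a line in the DPIA rather than an assumption.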
Schools need a better model for vendor assurance.
That means asking better questions, maintaining live vendor records, linking suppliers to Records of Processing, completing DPIAs where required, reviewing AI and safeguarding implications, and making sure that risks become assigned actions rather than unresolved concerns.
This is exactly why we have built Vendor Management and Privacy into the 9ine platform. Schools need a way to move from informal supplier review to structured, evidenced third-party risk management.
The point is not to make procurement harder. It is to stop schools finding out too late that the real risk sat inside the product all along.
The continuing fallout from the Instructure Canvas incident is another example of the same problem.
Canvas is not a peripheral tool for many schools. It is a core learning platform. When a platform like that is affected by a major security incident, schools cannot simply wait for the vendor to publish updates and hope the matter resolves itself.
They need to know what to do.
Was our school affected? What data was involved? Do we need to record this as a security incident? Does it meet the threshold for notification? Do parents or staff need to be informed? Does our DPIA need updating? What assurance do we need from the vendor? What do governors need to know?
These are not questions that should be invented during the crisis.
They should already sit inside an incident response process.
At 9ine, we see this regularly. Schools are often committed, responsible and diligent, but the process is fragmented. The IT team may be chasing the vendor. The DPO may be considering notification thresholds. The leadership team may be asking what to say to parents. Governors may be asking whether the school was exposed. Everyone is trying to do the right thing, but the structure is not always there.
That is why incident management has to be operational.
It needs records. It needs decision-making criteria. It needs ownership. It needs communications planning. It needs supplier assurance. It needs escalation routes. It needs governance reporting.
The news cycle will always move faster than the school's internal process. The only way to manage that is to have the process ready before the incident happens.
The UK Cyber Security Breaches Survey should be required reading for school leaders and governors.
The reported increase in secondary schools identifying breaches or attacks is not a marginal issue. It shows that schools are firmly in the threat landscape.
I still hear versions of the same argument: we are not a bank, we are not a large corporate, we are not an obvious target.
But schools hold valuable data. They run complex systems. They have large numbers of users. They rely on cloud services. They have time-pressured staff. They have limited budgets. They cannot afford prolonged disruption. That makes them attractive and vulnerable targets.
The response cannot be an annual cyber check that produces a long list of findings and then fades into the background.
Schools need a cyber resilience programme.
That means understanding vulnerabilities, prioritising remediation, improving cloud security, strengthening identity and access controls, testing backups, training staff, rehearsing incidents and reporting progress to leadership.
Most importantly, findings need to become managed work.
This is a point we keep making through our Security & Systems work. A vulnerability report has limited value if no one owns the actions. A penetration test is not the end of the process. A cloud security assessment is not the improvement itself.
The value comes when risks are assigned, deadlines are set, progress is tracked and leadership can see what is improving.
That is the difference between a report and an operating model.
MagicSchool receiving a Common Sense Media privacy badge is interesting, but I do not think schools should interpret that as the end of the due diligence process.
In fact, this story raises a bigger question for the EdTech market.
Are some EdTech businesses choosing the easiest badge to obtain, rather than putting themselves through a more rigorous, independent assessment of privacy, safeguarding, AI, cyber and child safety risks?
From our own review of MagicSchool, we do not think the Common Sense Media assessment tells the whole story.
Our assessment identified a number of wider concerns. MagicSchool’s Data Protection Addendum appears to be primarily structured around US state requirements, with a European annex for GDPR, but it does not clearly address data protection obligations for schools operating outside the US and EU. That creates uncertainty for international schools and schools operating across different jurisdictions, where local data protection requirements may not be sufficiently covered.
We also identified AI and product safety concerns. For example, AI-generated content does not appear to be clearly labelled in all applicable contexts, which creates a risk that users may not distinguish between human-created and AI-generated material. That matters because pupils and staff may over-rely on AI outputs or misunderstand their accuracy and provenance.
There are also concerns around filtering, harmful content prevention and contextual moderation. Our assessment notes that while moderation appears to be in place, it is not sufficiently clear that moderation operates in context, rather than relying on keyword-based controls, or that it sufficiently considers SEND or vulnerable learners.
We also identified safeguarding and developmental concerns around student-facing AI tools. MagicSchool uses AI-powered student chatbot features, and our assessment recognises that large language models remain inherently prone to bias, inaccuracy and variability. Even where the vendor has a safety loop and evaluation model, those risks cannot be fully eliminated.
That is the point.
A privacy badge may tell a school something useful. It may show that a vendor has met a particular privacy rubric. It may be a positive signal. But it does not necessarily answer the broader school governance questions.
Does the tool create safeguarding risks?
Does it create AI transparency risks?
Does it differentiate controls by age or developmental stage?
Does it support vulnerable learners appropriately?
Does it create over-reliance on AI dialogue?
Does it provide enough contractual assurance for schools outside the US?
Does it give schools sufficient evidence to support their own DPIA, AI risk assessment and safeguarding review?
This is where we believe Common Sense Media’s checks are weaker than the more rigorous process we apply through 9ine Vendor Management.
Our vendor assessment does not only ask whether a product has a privacy posture. It looks across privacy, safeguarding, AI, cyber security, digital safety, contractual assurance, use of children’s data, age appropriateness, product safety and school accountability.
That distinction matters.
Schools are not buying tools in the abstract. They are deploying them into classrooms, with children, staff, sensitive data, safeguarding duties, local legal obligations and real-world educational contexts.
A badge can be useful. But it should not become a shortcut.
For schools, the practical message is this: treat badges as signals, not substitutes. A Common Sense Media badge may support due diligence, but it should not replace an independent, school-specific assessment of privacy, safeguarding, cyber and AI risk.
For EdTech vendors, there is another message.
If your product is genuinely safe, transparent and appropriate for schools, then a broader independent assessment should not be something to avoid. It should be something to welcome.
Boston Public Schools making AI fluency a graduation requirement is a major signal.
It shows that AI is moving from novelty to curriculum. Schools will increasingly be expected to prepare pupils to understand and use AI critically, responsibly and effectively.
I think this is right.
But AI literacy cannot be separated from AI governance.
If a school wants pupils to become AI fluent, it must also decide what responsible AI use looks like. Which tools are appropriate? What data can be entered? What support do teachers need? How do pupils learn to question outputs? How do they recognise bias? How do they avoid over-reliance? How do they understand academic integrity? How do they protect personal information? How do they report harmful or unsafe AI-generated content?
This is where teacher agency and student agency matter.
AI gives access to intelligence. Agency is what allows people to use that intelligence deliberately, critically and safely.
The role of the school is not simply to provide AI tools. It is to create the conditions in which staff and pupils can use AI well.
That requires approved tools, clear guidance, training, policy, safeguarding routes, privacy controls and leadership oversight.
Again, this is not just an IT project. It is a whole-school governance challenge.
The real lesson from this month is that schools need to stop treating technology governance as a series of separate compliance tasks.
Vendor due diligence, cyber resilience, privacy management, EdTech approval, AI assurance, contract control, staff training and leadership reporting are now part of the same operating environment.
The schools that manage this well will not be the schools with the longest policies. They will be the schools with the clearest structures.
They will know what technology they use. They will know which vendors are involved. They will know what data is processed. They will know which tools use AI. They will know what risks exist. They will know who owns the actions. They will know what evidence exists. They will know what leadership needs to see.
That is what we mean when we talk about governing technology, data and AI with confidence.
At 9ine, our platform and services are designed around that reality.
Privacy helps schools manage Records of Processing, DPIAs, incidents, retention, rights requests and accountability.
Vendor Management gives schools independent intelligence on privacy, safeguarding, AI and cyber risk.
Application gives staff a safe and guided way to discover, request and use approved EdTech.
Contract helps schools connect technology use to cost, renewal and supplier performance.
Governance turns risks, issues and actions into managed work.
Academy LMS helps schools build staff capability in privacy, cyber security and AI.
Our services provide expert support where schools need additional capacity, assurance or challenge: DPO Essentials, Security & Systems, cyber testing, cloud security assessments, penetration testing, AI governance consultancy, procurement support and training.
This is the model schools now need.
Not because technology is slowing down. It is not.
Not because risk is becoming simpler. It is not.
But because schools need a way to move forward safely, deliberately and with evidence.
This month’s news should not lead to panic. It should lead to structure.
And for schools, structure is now the difference between reacting to technology risk and governing it properly.