edTech firm sold children’s profiles. ICO audits 28 companies
news / June 25, 2026
The Information Commissioner’s Office has published Edtech examined, a report based on its audit of 28 widely used but unnamed edTech providers in England (June 24, 2026).
It found almost 70% could not show that schools had authorised reuse of children’s data for product development, analytics or AI training. One had sold children’s profiles. Around 80% published privacy information too vague to explain what was happening to children’s records.
In one case, data labelled “anonymised” was still identifiable and was being kept indefinitely. In another, a provider had kept a reference key that let anyone “reidentify the information by combining the databases.” Some sub-processors’ terms said “they would keep a copy of children’s information to train their AI” — discovered, the ICO notes, only “during our audit.”
While we welcome the audits, they covered just 28 firms, and only the ones that agreed to be looked at, when children aged 5-18 are told to use hundreds across 23,000 schools. As we found and reported in our State of Data 2020 report (section 3.8), England’s 8 million children have a right to quality education but are paying the price for a lack of technology standards and enforcement across education, with risks that last a lifetime. Many schools lack the capacity to do the necessary due diligence to see or understand what the ICO audits have found. Since the report doesn’t name the products, schools will be none the wiser about which were breaking the law before the interventions and why, or how to tell them apart from others in future. The ICO is playing nice, not naming any companies, but we question whether that really serves the best interests of children whose data has been sold (a breach of law comes with a notification obligation) and who have not been told, or whether it helps schools in procurement.
With identity theft widespread, learners need a way to know where any of their records are reused, by whom, why, and when they will be destroyed. We call for three urgent actions:
- The DfE and ICO must deliver the Code of Practice promised over 18 months ago, to offer governance support on how schools use edTech from collection through to deletion and how and where to enable rights that exist in law, like objection, opt out, to see a copy of the data held, and when to involve parents pre-procurement.
- The Chartered College of Teaching’s EdTech Evidence Board must publish its findings on edTech quality and pedagogy, with impact on learning outcomes, which the ICO’s compliance review did not cover.
- School information management systems must give families a practical way to see and correct the pupil record at the school, or through the parental apps already in use, and to see who has used it. The infrastructure just needs some tweaking, and the data that flows from the Admissions process for a child aged 4 can become better managed, more accurate, and more lawfully processed throughout its data life cycle.
Parents have no idea where their children’s national records have been sent by the government for commercial reuse either. That was audited by the ICO in 2020, coincidentally in the same period that the Learner Records Service breach involving Trustopia and gambling firms was exposed. The Department for Education refused again in 2025 to publish the full findings, the summary of which included that its commercial arm “did not have appropriate controls in place to protect personal data”. That audit found families had no idea that the school census feeds pupils’ records into the National Pupil Database, or which data is distributed.
As with edTech, we’ve seen no evidence of the communication, required in law, that is needed to fix that, for learners past or present. The family management tool above is a way to deliver it. The Department must now take responsibility for making it happen.