The ICO has just published a report on its work with EdTech providers. This may sound like something of niche interest, but I was struck when reading it by how the issues the ICO identifies will be familiar to organisations in almost every sector. For example:
- Contracts between schools and EdTech providers didn’t always identify processing activities clearly.
- In some cases providers were using children’s information for their own purposes (for example developing and testing new features or other products). This meant they were acting as a controller, but the providers hadn’t recognised this.
- In other cases, providers had recognised they were controllers for some processing, but their RoPA and contracts did not identify clearly and consistently when this was the case. This led to uncertainty about other important responsibilities, such as who they should notify in the event of a data breach. In some cases internal policies setting out when the provider should report data breaches to schools were wrong.
- Where service providers didn’t recognise they were controllers, they also hadn’t complied with other responsibilities as a controller, such as identifying a lawful basis for the processing, carrying out DPIAs and notifying data subjects.
- Since children and parents had no awareness of the provider’s use of their data, it was questionable whether this processing was fair.
- Some providers had retention periods but deletion cycles weren’t being carried out in line with these requirements. Others were anonymising the data without informing their customers, so they could continue to use the data for their own purposes. As the ICO points out, anonymising data is a form of processing, so must still comply with data protection law.
These themes have all been raised by regulators before. The CNIL published guidance in 2022 which said that processors could re-use data for their own purposes only where the original controller had granted explicit permission, and the new purpose was “compatible” with the original purpose for processing. The AEPD raised the issue of transparency and fairness in its recent fine of Amadeus, when it commented that it would be pointless for Amadeus to provide an opt-out mechanism by which data subjects could object to re-use of their data by Amadeus when they had no idea that Amadeus was using their data. In SRB v EDPS the CJEU held that individuals should be informed of potential recipients of their data, based on the identifiable nature of the data subject at the time of collection, from the perspective of the controller, rather than on whether the data was anonymous in the hands of the recipient.
Faced with such a persistent problem, what practical steps can controllers take to address it? Here are specific takeaways from the ICO report for controllers to think about when concluding new contracts:
- Are the services and processing activities described clearly?
- Make sure your contract clearly identifies when the supplier will be acting as a processor. If it’s not clear when the supplier is a processor, it’s not clear when the Article 28 obligations apply to their activities.
- Include specific provisions on what you are prepared to allow in terms of data re-use. Are the provider’s proposed re-uses compatible with your original purpose of processing?
- Consider how the data re-use will be communicated to data subjects.
- If your provider announces they are adding AI to their product, and they are using a third-party product to do this, make sure that restrictions on data re-use have been passed on in their contract with the AI provider.
- Specify when you require the provider to inform you about data breaches to avoid any doubt. You may want to review their incident management process to check that it’s consistent with this.
- Ask the provider for specific information on how they handle data deletion.
