School accounts and edtech: the parent's reasonable role

Part 5 of 18, second of five children-focused posts. Schools collect a remarkable amount of data on children. Some of it is necessary; some of it is not. What a board-director parent should ask, and what they are entitled to.

_Part 5 of 18 in the Digital privacy for board directors series. The second of five posts focused on children._

A UK child between the ages of 4 and 18 spends roughly 7,000 hours in formal schooling. By the end of that period, the institutions teaching them will have created a digital record that, if printed, would fill several lever-arch files. Most of that record exists for good reasons. Some of it exists for poorer ones, often because a school adopted a platform without thinking carefully about the data implications.

This post is for the board-director parent who is reasonably technically literate, has limited time, and wants to know what to ask the school and what to escalate. It is not an argument with teachers, who are largely doing their best. It is a small set of practical questions and reasonable expectations.

What schools collect, broadly

Five categories.

Academic. Marks, grades, internal assessments, exam results, target-tracking data. This is the part of the record that exists in everyone's mental model.

Behavioural. Detentions, rewards, behaviour points, incident logs. Increasingly captured in platforms like ClassCharts, where parents can see live updates. Less well-known: most of these systems also collect data on patterns that, if applied to adults, would be in dispute under the ICO's guidance on profiling.

Pastoral. Counselling notes, mental-health flags, family situation flags, free-school-meal status, special educational needs assessments. The most sensitive category. Should be tightly controlled at the school. Often is not.

Biometric. Fingerprints for cashless catering and library systems, facial recognition for attendance in a small number of schools. UK schools collecting children's biometric data must obtain written consent from at least one parent and offer an alternative, per the Protection of Freedoms Act 2012.

Edtech platform data. Logins, time spent, content interactions, sometimes typing patterns and webcam use, across every educational platform the school has adopted. This is the category that has grown fastest, that schools understand least, and that benefits most from parent attention.

The platforms the typical secondary school is using

A composite list of platforms used by UK secondary schools in 2023, which will overlap with what your child's school uses:

Google Workspace for Education or Microsoft 365 Education (one or the other; rarely both).
A management information system (Bromcom, Arbor, SIMS, ScholarPack).
ClassCharts or Class Dojo or Edulink for behaviour and parent communication.
Show My Homework / Satchel One.
Seesaw, Tapestry, or similar for primary or early years.
Lexia, Bedrock, Sparx, Hegarty Maths, Mathletics, Times Tables Rock Stars — adaptive learning platforms.
Accelerated Reader for reading tracking.
ClassVR or other VR platforms in some schools.
AI-driven safeguarding tools (Smoothwall, Senso, Impero) that monitor children's web and search activity on school devices.

Each of these is collecting data. Each has its own privacy policy. The school has, in theory, signed a Data Processing Agreement with each. In practice, the data-protection officer (DPO) responsible for managing these contracts is usually a teacher or business manager wearing one of several hats, and is not in a position to negotiate terms with major US tech vendors.

What you are entitled to ask

Under UK GDPR and the Data Protection Act 2018, the parent of a child under 13 has the right to make a Subject Access Request on the child's behalf for any data the school holds. Older children may be able to exercise the right themselves, depending on competence. The school has one month to respond.

You do not need to make a formal Subject Access Request to ask reasonable questions. Three questions will get you 90% of the value at a fraction of the friction.

One: what platforms does the school use that hold data about my child? The school should be able to give you a list. If they cannot, that is itself an answer.

Two: how are the safeguarding-monitoring platforms used? Specifically, what are the keywords or behaviour patterns that would generate an alert? Who sees those alerts? What happens to the data after the alert? Some platforms keep logs for years. Some delete them at the end of term. The answers vary widely.

Three: what is the policy on parents accessing the same logs the school sees? Most schools will, on reasonable request, share the platform-level data they hold about your child. Some will not. Both answers tell you something about the school's data-handling culture.

The school subject access request, if you want one

If you do want to formalise the conversation, the ICO publishes a template letter and guidance for parents requesting their child's school records. Three caveats: it takes the school's DPO some time to respond, it is mildly antagonising of the relationship, and it generates a large file you then have to read. Use it where you are concerned, not as the default.

What you should be doing on the home side

Three things on the home side, regardless of what the school does.

One: review the apps and platforms on the child's school device. Whether the device is provided by the school or by the family, the apps installed are visible. Make a list. For any app you do not recognise, ask the school what is this for and what data does it collect? Many of these apps are installed via a school-managed deployment system and the child has no idea what they are.

Two: configure the school device deliberately, if it is yours. If the family provides the laptop or tablet, the family is responsible for the device's general security posture — patching, screen lock, account separation. If you are issued a school-managed device, that device should be used for school work and not as the child's primary device, because the school has visibility of what happens on it. The line is sometimes uncomfortable to enforce, but the principle — the school-managed device is not for personal use — is the right one.

Three: have the conversation about platform monitoring. Children should know that the school monitors what they do on school-managed devices. This is not a betrayal of the parent-child relationship; it is the operating reality of school IT in 2023, and explaining it to the child in their early teens helps them understand the wider concept that systems they use observe them.

What is genuinely concerning, and what is not

To be balanced about this. Most of what schools collect is necessary, lawful, and reasonably well-handled. The pastoral and safeguarding data is often the most sensitive but is also usually the most tightly controlled. The areas where schools are weakest are typically the edtech platforms that proliferated during and after the pandemic and that were adopted under operational pressure rather than careful procurement.

If you are looking for things to push on, push on (a) the edtech platforms whose privacy posture is opaque, (b) any biometric collection where the consent and alternative-provision rules have not been clearly observed, and (c) the safeguarding-monitoring platforms where the keyword and retention policies are unclear.

What this month looks like

One conversation with the school. Three questions in the bag, asked politely, in writing or in person. The reply is itself useful, regardless of content.

In four weeks: the third children-focused post — social media, when, how, and the parent's reasonable role.