_An update to the 2023 post on school accounts and edtech. The second of five 2026 updates to the children-focused posts in the privacy series._

When I wrote about school edtech in May 2023, the landscape was a sprawl of platforms with very uneven privacy postures, adopted under pandemic-era pressure and never fully reassessed. Three years on, the sprawl has consolidated somewhat, the ICO has acted on several of the worst-behaved vendors, and a category that did not exist in 2023 — AI in the classroom — has arrived as operational reality. The three questions I recommended parents ask in 2023 still work; some new ones are warranted.

The consolidation

The largest single shift since 2023 is platform consolidation. The pandemic-era explosion of edtech tools has, predictably, given way to a tighter market dominated by a few familiar names. The 2026 picture in a typical UK secondary school:

The new layer, that did not exist in 2023:

What the regulator has done

A short list of enforcement actions since the 2023 post.

The ICO action against TikTok for processing children's data — £12.7m in April 2023 — was the headline that mattered most. It established that the children's-data provisions of UK GDPR were enforceable in scale rather than just principle. The platforms learned the lesson and have shipped product changes.

The ICO's joint work with the Department for Education on edtech compliance, ongoing through 2024-25, has tightened expectations of vendors but produced fewer headline fines. The direction is real.

The DfE's AI guidance for schools was first published in late 2023 and has been updated repeatedly since. It is not law; it is the operational guidance schools work to, and the more recent versions are more direct about what is acceptable.

Several individual schools and trusts have, over the past two years, had data-protection incidents disclosed publicly. The pattern is consistent: the breach itself is typically of a third-party edtech vendor, not the school's own systems. This is the same supply-chain pattern that runs through the rest of UK cyber compromise in 2026.

What parents should be asking now

The three questions from 2023 still work. Two new questions are warranted.

The 2023 questions, restated. What platforms does the school use that hold data about my child? How are the safeguarding-monitoring platforms used — what triggers an alert, who sees it, what happens to it? What is the policy on parent access to the same data the school sees?

New question one: what AI tools is the school using, on whose data? This is the question the 2023 post did not need to ask. By 2026, the school uses AI for X could mean anything from teachers use Copilot to draft worksheets to students' work is automatically graded by an external AI system. The data implications differ sharply between those poles. Ask the school for the list. Schools that have thought about this can answer it. Schools that have not, are themselves at risk of UK GDPR exposure on the routine use of personal data through AI vendors.

New question two: how is my child's work being used to train AI? A small but real concern. Some edtech vendors include, in their terms, the right to use student work to improve their models. Schools that have signed contracts containing this without negotiating it out have exposed their students' written work to indefinite reuse. The DfE guidance now warns against this; not every school has rewritten its contracts to match.

The phones-in-school shift

A development that does not strictly fit edtech but materially affects the daily reality. The DfE's mobile phones guidance of February 2024 has, in two years, made phone-free school days the default at most UK secondaries. This is operationally one of the most significant shifts in school life of the past decade. The implications:

What good practice looks like in 2026

Three things that are different from 2023.

The platform inventory the school can produce. A school in 2026 should be able, on reasonable request, to provide a list of the platforms it uses, with the broad categories of data each holds and the contractual basis. Schools that have done their UK GDPR work can produce this. Schools that have not, cannot. The question is increasingly being asked by parents and by inspections.

The AI usage transparency. A school's standing position on AI — what it uses, in which classes, with what data — should be communicable in a paragraph. Many schools have this and some have not yet got there. The DfE guidance now expects them to.

The age-appropriate-experience defaults. Where a school adopts a platform that has age-appropriate settings (most major US platforms now do), the school should be configuring them. The default should be the more restrictive option, not the less. A common pattern in 2023 was schools rolling out Google Workspace with adult defaults; this is now visibly less common, in part because Google's own configuration tooling has improved.

What does not need updating

The principles are unchanged.

Schools are processing personal data and have legal obligations under UK GDPR. Parents have rights, including subject-access rights for under-13s. The school's safeguarding work is necessary and tends to be the most tightly controlled. The edtech sprawl is where the privacy weaknesses cluster. The parent's reasonable role is to ask three (now five) practical questions and to listen to the answers.

What this month looks like

One conversation with the school. The three 2023 questions, plus the two new ones about AI. Polite, in writing or in person. The answers are themselves the information.

Next month: social media, revisited. The 2023 framework still mostly works; the world it was framed against has shifted in interesting ways.