What schools should ask e-learning providers about children's data protection, from GDPR compliance to the ICO Children's Code.
As more schools adopt e-learning platforms for curriculum delivery, one question should sit at the top of every safeguarding lead's agenda: how is my students' data being protected?
Online learning brings real benefits -- students learn at their own pace, teachers get instant progress reports, and schools can deliver specialist content like road safety education efficiently. But every platform that processes children's data carries responsibilities under UK GDPR, the Data Protection Act 2018, and the ICO's Children's Code. Here is what you need to know.
Under UK GDPR, children are recognised as vulnerable data subjects who deserve specific protection. The ICO is clear: children may be less aware of the risks and consequences of data processing, and organisations handling their information must design their services with this in mind.
The ICO's Age Appropriate Design Code (commonly known as the Children's Code) sets out 15 standards that online services must follow when processing children's data. These include data minimisation, high privacy by default, and ensuring the best interests of the child are a primary consideration.
With the Data (Use and Access) Act 2025 now in force, the regulatory landscape is tightening further. The ICO is developing a new statutory code specifically covering children's data in educational technology. Schools and providers that are not already taking compliance seriously will find themselves under increasing scrutiny.
The Children's Code does not apply to schools directly. But it can apply to the edtech providers schools use, particularly where a provider processes data beyond the school's direct instructions or offers a service accessed on a direct-to-consumer basis.
Even where the Code does not formally apply, the ICO has stated that organisations should not use processor status to avoid child-centred design. E-learning providers working with children should still apply the Code's key principles:
A Data Protection Impact Assessment (DPIA) is not optional when processing children's data at scale through a technology platform. Under Article 35 of UK GDPR, a DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms.
Processing children's data through an e-learning platform typically triggers multiple DPIA criteria: vulnerable data subjects, systematic monitoring, cloud-based technology, and processing across multiple schools.
A thorough DPIA should identify every data category collected, map where it flows (including sub-processors and international transfers), assess risks, and document mitigations. If your e-learning provider cannot show you a completed DPIA, that is a significant red flag.
One of the clearest indicators of a responsible provider is what data they do not collect. A platform delivering cycling safety training to Year 7 students does not need home addresses, phone numbers, or dates of birth.
Schools should ask providers to confirm exactly which data fields are collected, both during onboarding and automatically during platform use. Technical data like IP addresses may be necessary for security, but it should be justified and documented. Ask: Can you show me a data inventory listing every field collected, its purpose, and its retention period?
A common misconception is that schools need parental consent to share student data with e-learning providers. In most cases, they do not.
For state schools, the appropriate lawful basis is typically Article 6(1)(e) -- public task. Delivering curriculum-aligned education, including road safety, falls within the school's statutory function under the Education Act 1996. The school is the data controller; the e-learning provider is the data processor, acting on the school's instructions.
This distinction matters. The ICO advises against using consent in education settings because of the inherent power imbalance between schools and families. If consent were withdrawn, the school would have to stop processing entirely -- impractical for a programme embedded in the curriculum.
What schools must do is inform parents. A clear information letter explaining the programme, what data is collected, who processes it, and how to raise concerns satisfies transparency obligations under Articles 13 and 14. This is an information notice, not a consent form.
Before signing a contract with any platform that will process student data, safeguarding leads and DPOs should ask:
At BCSA Training, we built our compliance framework before onboarding our first school, not after.
Our approach to children's data protection includes:
We collect only name, school, year group, and a login identifier. No home addresses, phone numbers, personal emails, or dates of birth.
The ICO's December 2025 strategy update confirmed that edtech remains a priority enforcement area. The Data (Use and Access) Act 2025 introduces strengthened obligations for online services accessed by children, and the ICO is developing a dedicated statutory EdTech code. Schools that choose providers with strong compliance foundations now will not need to scramble when new requirements arrive.
If you are a safeguarding lead, DPO, or headteacher evaluating e-learning platforms, data protection compliance should be part of your procurement checklist alongside pedagogy and price.
We are happy to share our DPIA, Data Processing Agreement, retention policy, or any other compliance documentation with your school's data protection lead.
Learn more about our safeguarding approach or get in touch to discuss how we protect your students' data.