Who controls children’s education data? A socio-legal analysis of the UK governance regimes for schools and EdTech

A socio-legal analysis of the UK governance regime for data collected from children at school for teaching and learning contrasts the government-mandated data collection by schools to inform educational policy and planning with data processed and shared with third parties by commercial EdTech providers. We find the former is effectively governed by the government's 'Five Safes Framework' with some problematic exceptions. By contrast, EdTech providers process a growing volume of personal data under the DPA 2018/UK GDPR with a looser enforcement regime. While schools have few mechanisms and insufficient expertise or resources to hold EdTech providers accountable for processing children's data, EdTech providers have considerable latitude in interpreting the law. Consequently, and paradoxically, regulations governing (mostly) deidentified data used for public purposes are more systematically enforced than those governing personal (identifiable) data used for public and commercial purposes. We conclude with recommendations so that education data can serve children's best interests.