The quality of an EdTech provider’s answers to a few pointed data protection questions tells you a great deal about how they will treat your pupils’ data. A compliant, well-run provider answers clearly and confidently; a risky one is vague or evasive. This article gives schools a ready-made set of questions to ask every EdTech provider before adopting a platform.
Quick summary
- A provider’s answers to data protection questions reveal how they handle pupil data.
- Ask about data use, security, storage, retention, data subject rights and compliance evidence.
- Clear, confident, documented answers are a good sign; vagueness or evasion is a warning.
- Use these questions alongside a DPIA and a data processing agreement.
Why these questions matter
Because the school remains accountable for pupil data even when a provider processes it, due diligence is essential. These questions are your practical due-diligence tool — use them before committing, and record the answers as part of your DPIA. See also Choosing GDPR-Compliant EdTech Platforms.
Questions about data use
- What personal data do you collect about our pupils, and is it the minimum necessary?
- For what purposes do you use it?
- Do you ever use pupil data for marketing, advertising or training your own products?
- Do you sell or share pupil data with any third parties?
- Who are your sub-processors, and how do you govern them?
Questions about security
- Is pupil data encrypted in transit and at rest?
- What security measures and certifications do you hold?
- How do you control access to pupil data within your organisation?
- Have you had any data breaches, and how did you respond?
Questions about storage and transfers
- Where is our pupils’ data stored (which country/region)?
- If data is stored or processed outside the UK, what safeguards apply?
- Is your hosting reputable and secure?
Questions about retention and deletion
- How long do you retain pupil data?
- Can data be deleted or anonymised on request?
- What happens to our data when the contract ends?
Questions about data subject rights
- How do you support us in honouring access, rectification, erasure, restriction and objection requests?
- How quickly can you action such requests?
Questions about accountability and documentation
- Can you provide your privacy policy and a DPIA?
- Will you sign an appropriate data processing agreement?
- Can you evidence your compliance, not just assert it?
- Do you provide staff data protection training within your organisation?
- How do you handle data protection by design and default?
How to interpret the answers
| Good sign | Warning sign |
|---|---|
| Clear, specific, documented answers | Vague or evasive responses |
| Data used only to serve the school | Data used for marketing or product training |
| Willing to sign a data processing agreement | Reluctance to sign a DPA |
| Privacy policy and DPIA readily available | No documentation available |
| Can support data subject rights and deletion | Unclear on rights or deletion |
A provider that answers these questions confidently and in writing is demonstrating the accountability GDPR requires.
Frequently asked questions
Why ask EdTech providers data protection questions?
Because the school remains accountable for pupil data; a provider’s answers reveal how they will handle it.
What is the most revealing question to ask?
Whether they use pupil data for anything beyond serving the school (such as marketing or training their own products) — the answer says a lot.
Should we get answers in writing?
Yes. Documented answers support your DPIA and demonstrate the due diligence GDPR expects.
What if a provider is vague about data storage?
Treat vagueness about storage location or access as a warning sign and seek clarity before committing.
Do these questions replace a DPIA?
No. They inform your DPIA and data processing agreement, which remain essential for higher-risk processing.
What documentation should a good provider have?
A privacy policy, a DPIA, a data processing agreement, and evidence of compliance.
Conclusion
A short set of well-chosen questions is one of the most effective data protection tools a school has. Ask every EdTech provider about data use, security, storage, retention, rights and compliance evidence — and judge them on the clarity and documentation of their answers. Providers who protect pupil data well are glad to answer; those who aren’t tell you something important by struggling to.
How AI Buddy supports schools
AI Buddy is built to answer exactly these questions clearly and in writing. Built by Tutopiya to support schools in strengthening areas evaluated during Ofsted inspections, it uses pupil data only to serve the school (never sold or shared for marketing), minimises and pseudonymises that data, encrypts and hosts it on AWS, retains it only as needed (anonymising on account closure), supports defined data-subject rights, and provides a documented privacy policy, DPIA and staff training. AI Buddy is not endorsed or certified by Ofsted; it is built to pass exactly the due diligence this article recommends.
Discover how AI Buddy helps schools strengthen teaching, learning and evidence-informed school improvement. Or start a short consultation with our schools team using the form below.
Sources
- Information Commissioner’s Office, Contracts and data processing agreements (ICO)
- Information Commissioner’s Office, UK GDPR guidance and resources (ICO)
- Department for Education, Data protection in schools (GOV.UK)