Digitalisation is advancing across all sectors, including education. From adaptive learning platforms to digital assessments and student tracking systems, educational institutions are embracing technology on a large scale. This shift provides many opportunities, but it also entails significant obligations. One of those obligations is ensuring the safe use of digital learning tools. In addition, educational institutions bear responsibility for lawful data processing under the General Data Protection Regulation (GDPR). How should you, as an educational institution, navigate this maze of digital learning tools? In this blog, we explore the procurement of digital learning tools. Further, we discuss key considerations and how educational institutions can apply them before and during the procurement process. Finally, we highlight the Dutch IBP (Information Security and Privacy) framework and explain how it can serve as a starting point for procuring any digital learning tool.
What are digital learning tools?
Digital learning tools encompass a wide range of digital applications that educational institutions use to support the learning process. These tools include not only digital teaching methods or online learning environments, but also educational apps, digital assessments, student tracking systems and platforms that enable adaptive learning. These applications facilitate personalised education by analysing learning performance and tailoring content accordingly.
Using these applications typically means that educational institutions process personal data of pupils and students. They process basic personal data such as names and login credentials, but also more sensitive information such as learning performance, behavioural data and progress analyses. In some cases, they even apply profiling or automated decision-making. Given these often intensive and sometimes large-scale data processing activities, educational institutions should be aware of the privacy implications of digital learning tools and the obligations the GDPR imposes.
Roles and responsibilities
A key starting point when procuring digital learning tools is determining the supplier's role under the GDPR. Is the supplier purely a processor, or also a controller? You establish this by assessing whether the supplier acts solely on your instructions or also makes its own decisions about how personal data are used. If the supplier acts purely on the instructions of the educational institution, you conclude a data processing agreement. If it turns out that the supplier also determines the purposes of processing and how the learning tools are deployed, a cooperation agreement or data-sharing agreement is more appropriate.
Further, it is also important to map out how your institution handles personal data. You do this by determining and documenting which personal data you use specifically, why you need them and whether you could achieve the same purpose with less personal data. You should also check whether the personal data remain within Europe or are transferred to parties outside Europe.
Finally, you assess whether deploying the digital learning tool introduces additional privacy risks. This may be the case when you process large volumes of student data or track student behaviour. In such situations, you carry out a thorough risk analysis (a Data Protection Impact Assessment, or DPIA) beforehand.
Contractual arrangements with suppliers
Another important consideration is the contractual setup for digital learning tools. If the supplier acts as a processor, you conclude a data processing agreement. This agreement covers matters such as security, sub-processors, audits and data breaches. When the supplier (also) acts as a controller, parties typically conclude a cooperation agreement or data-sharing agreement rather than a data processing agreement. In addition, service-related agreements are necessary, such as a licence agreement, contractual arrangements on intellectual property or a service level agreement.
To underline this matter, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) recently made an appeal to schools and school boards to make clear arrangements with suppliers when procuring digital learning tools, particularly regarding the use of personal data for the supplier's own purposes, such as profiling or product improvement. Open-ended standards or vague provisions are not sufficient.
Assess the security of the digital learning tool
As data controllers, educational institutions bear responsibility for ensuring an appropriate level of security for digital learning tools. Therefore, always assess whether suppliers have their security in order. When procuring, ask about relevant certifications, audits that have been conducted, and the supplier's information security policy.
Educational institutions should also map out where personal data is stored, and which other parties have access to it. Make agreements with the supplier about data availability and control. This ensures you can retrieve personal data in a usable format, or have it deleted when the service ends. In doing so, you avoid unnecessary dependence on a single supplier.
Accessibility of digital learning tools
Under the European Accessibility Act, digital learning tools must be accessible to students with disabilities. When procuring, assess whether learning tools meet accessibility standards and whether alternative provisions are available. Also make clear agreements about availability and support. Involve teachers, IT staff, and the Data Protection Officer from the outset, and pilot any new learning tool on a small scale before rolling it out organisation wide. This way, you ensure that a digital learning tool not only works well in the classroom but also remains secure, lawful, and manageable.
Inform, inform, inform!
One of the pillars of personal data protection, especially when it comes to processing in connection with digital learning tools, is transparency and the duty to inform data subjects. Always inform students, their parents, or legal representatives about which personal data is processed through the digital learning tool, for what purposes, and what rights they have in relation to this processing. This can be done through privacy statements, learning portals, or specific communications when introducing new digital learning tools.
The IBP framework in education
Finally, the IBP framework (Information Security and Privacy) provides educational institutions with practical guidance for setting up privacy and information security policies. The framework helps institutions identify risks, implement appropriate measures, and thereby demonstrate compliance with the law. The IBP framework aims to achieve a uniform and mature level of data protection across the education sector. We recently published a factsheet (in Dutch) to help educational institutions and organisations get started with the framework.
Want to learn more about how to apply the IBP framework? Read our blog.
Conclusion
Procuring digital learning tools requires an integrated approach centred on privacy, security, accessibility, and transparency. Educational institutions must carefully determine what personal data their digital learning tools process, on what legal basis, and with what safeguards. Make clear contractual arrangements with suppliers, critically assess security measures, and pay attention to the accessibility of digital learning tools. Above all, do not forget to inform data subjects about the processing of their data before deploying any digital learning tool. The IBP framework offers a valuable structure for embedding and demonstrating compliance with these obligations.
In collaboration with the IBP platform, we are organising an event for educational institutions on Tuesday 2 June 2026: 'IBP in Primary and Secondary Education'. During this event, the IBP platform will discuss governance and practical requirements, and how to translate these into a feasible plan. Would you like to attend the event? Please register here!
