When the Tool Becomes the Threat: What UNICEF's Data Governance Report Reveals About Digital Stewardship

Analysis
Written By Diana Woolis

In September 2025, UNICEF Innocenti — in partnership with UNESCO and the Global Privacy Assembly — released Data Governance for EdTech: Policy Recommendations, the result of a global consultation across five regions involving data protection authorities, civil society organizations, academics, and EdTech companies themselves. The report is comprehensive, carefully constructed, and politically careful. It is also, if you read it through the lens of Digital Stewardship, a field-level confirmation of what education systems have been navigating — often without adequate language or structural support — for years.

Digital Stewardship, as I define it in the Sustainable Learning Framework, is the responsible use and protection of digital environments through practices that promote safety, enhance functionality, and focus on learning. It rests on three strategies: providing secure learning spaces, promoting digital fluency, and using purpose-designed platforms. UNICEF's report, which is framed around children's rights, arrives at strikingly similar conclusions from a different direction. The convergence is not coincidental. It reflects a structural problem that practitioners have been signaling for a long time, and that global policy is only now beginning to name.

The problem is governance, not just technology

UNICEF's central argument is stated plainly: EdTech data governance is fundamentally a children's rights issue. When mismanaged, poor data governance undermines the very educational goals EdTech seeks to support.

This framing matters because it resists the instinct to treat data misuse as an aberration — the result of a bad actor, an unfortunate breach, a solvable technical problem. The report documents a more structural issue: schools and education ministries frequently lack the technical and legal expertise required to assess complex EdTech platforms or negotiate equitable data-sharing agreements. EdTech companies are rarely required to be transparent about how they use or share data, and public authorities often have limited access to this information. Coordination between stakeholders — regulators, educators, civil society, and children — is often weak or entirely absent.

What the report is describing, in other words, is a governance gap that has been allowed to widen precisely because the systems responsible for closing it — schools, ministries, regulatory bodies — have been under-resourced, under-capacitated, and positioned as consumers of technology rather than stewards of it.

"Free" is not neutral

One of the report's most pointed findings concerns the model through which EdTech reaches the schools least able to evaluate it. Business practices that offer EdTech products at no cost to lower-resourced schools raise important privacy considerations. In some cases, these free versions come with weaker data protections, potentially placing a greater burden on the children they claim to serve.

This is not a peripheral observation. It is a structural description of how the EdTech market operates at the intersection of scarcity and scale. The schools most likely to accept free tools without extensive vetting are the schools serving the most vulnerable students. The students most likely to be datafied without meaningful consent or oversight are those whose families have the least access to advocacy or legal recourse. The report draws this connection in the context of the Global South specifically, but the pattern holds wherever underfunded schools have been encouraged to solve access problems with no-cost vendor solutions.

Digital Stewardship asks a prior question before any tool is introduced: what are our educational goals, and how does data serve those goals? The UNICEF report uses nearly identical language, arguing that stakeholders must first define educational goals and determine how data can be used in service of those goals — rather than collecting data without a clear purpose. This is not a procurement checklist. It is an epistemological stance, and it requires educators and institutions to hold authority over the technology that enters their classrooms rather than inheriting the priorities embedded in vendor design.

Secure learning spaces require more than cybersecurity

The January 2025 cyberattack on PowerSchool — which compromised the personal information of students and staff across 80 school boards in Canada, as well as systems in the United States and other countries — is cited in the UNICEF report as a case illustration, not a turning point. The breach was not anomalous; it was diagnostic. Schools hold more data than at any previous moment in the history of education, and the infrastructure to protect that data lags significantly behind the pace of its collection.

But the report draws the security threat more broadly than most institutional cybersecurity frameworks do. The risk to students is not only external breach. Companies are using EdTech to surveil students beyond educational contexts, including sharing data with law enforcement agencies and exploiting educational data for commercial profiling. A 2025 study by the Center for Democracy and Technology found that students flagged by school monitoring software had been contacted by immigration enforcement directly — a data point that reframes "student safety" entirely. The secure learning space, in this context, is not simply one protected from hackers. It is one protected from the secondary uses of data that students and families never consented to and that actively compromise the conditions required for learning.

Providing secure learning spaces — as a strategy within Digital Stewardship — means privacy, security, and support operating together. Privacy protects what students share. Security protects the infrastructure through which they share it. Support ensures that when systems fail, or when students or educators need guidance navigating digital environments, someone is available and accountable. The UNICEF report recommends that decisions about the educational purposes for which data are processed be guided by educators and government authorities to ensure alignment with public interest goals. This is a governance design argument that positions educators not as technology users but as decision-makers with legitimate authority over the digital spaces in their care.

Digital fluency cannot be downloaded

The report acknowledges that children's perspectives are rarely included in EdTech design and governance, despite children being among the most directly affected parties. UNICEF Innocenti's global youth consultations — conducted with 41 young people across 22 countries — found that students have nuanced views on EdTech, can identify specific harms, and are motivated to propose solutions. What they lack is structured access to the decisions being made about the tools shaping their learning environments.

This gap highlights what digital fluency, as a pillar of Digital Stewardship, is specifically designed to address. Digital fluency is not tool literacy — the ability to operate a platform. It is the capacity to understand how digital technologies work, evaluate when their use is appropriate, and exercise judgment about what data means and what its collection enables. Digital principles sit at the center of this: being an ethical, respectful, and responsible digital citizen means understanding the conditions in which one operates, not just the mechanics.

When students — and teachers — lack this understanding, the governance gap the report documents at the institutional level reproduces itself at the individual level. Educators who cannot assess complex EdTech platforms cannot help students assess them either. The fluency deficit is not academic. It is structural. And it is one reason that the report's recommendation for meaningful participation by children and families in EdTech governance is not simply aspirational; it requires the kind of capacity-building that Digital Stewardship positions as prerequisite infrastructure, not optional enrichment.

Purpose-designed platforms are not the default

The UNICEF report's policy recommendations for governments center on procurement: requiring transparency from EdTech vendors, establishing certification schemes and regulatory sandboxes, implementing data protection and child rights impact assessments before deployment, and designing interoperability standards that prevent vendor lock-in and allow for genuine market accountability.

Each of these recommendations addresses a predictable failure mode. When schools adopt tools without assessing them against educational requirements — when the procurement logic is speed, price, or marketing rather than purpose, safety, and evidence of effectiveness — the tools that arrive in classrooms are rarely optimized for learning. They are optimized for adoption, engagement metrics, and data collection. The difference matters.

Using purpose-designed platforms as a Digital Stewardship strategy is not a preference for any particular vendor category. It is an argument about sequence: selection must follow intention, not precede it. A requirements checklist is a governance tool. Piloting before purchase is a quality assurance practice. Incentivizing open, platform-based learning solutions is a structural counter to the concentration that makes vendor lock-in possible in the first place. These are not technically complex recommendations. They require institutional will, coordinator capacity, and the organizational authority to say no to tools that do not meet stated requirements — even when those tools are free.

The UNICEF report notes that most data protection authorities worldwide are under-resourced, making regular oversight of EdTech companies difficult. Schools rarely have the resources to fund a dedicated data protection officer. This is precisely the capacity gap that Digital Stewardship, as a framework element, is designed to name. It is not enough to know that tools should be vetted. The people doing the vetting need time, authority, and expertise. The systems surrounding them need to prioritize that work rather than treat it as overhead.

The field already knows this

What makes the UNICEF Innocenti report significant is not that it introduces new ideas. It is that it represents global institutional consensus catching up to what educators and education systems analysts have been observing at ground level for years: that the digital transformation of education has been driven more by vendor capacity and market logic than by the educational interests of learners, and that the students who bear the greatest risk from this arrangement are those who were already most vulnerable before the first platform arrived.

Digital Stewardship is an anticipatory framework precisely because this trajectory was legible. The structural conditions — underfunded schools, under-resourced regulators, rapidly scaling vendor ecosystems, children with limited rights of recourse — were not hidden. What was missing was the institutional framing that would allow education systems to act on what they already knew.

The UNICEF report provides that framing at the policy level. The work now is translating it into the practice-level conditions — the educator capacity, the procurement discipline, the fluency infrastructure, the secure environments — that make governance meaningful for actual children in actual classrooms.

RESOURCES

Provide Secure Learning Spaces

Promote Digital Fluency

Use Purpose-Designed Platforms

 
 
 
Diana Woolis
Previous

Data Storytelling in a World of Knowledge Asymmetry
Next

Infrastructure, Not Emergency: When Rapid Response Becomes Core Capacity