A summary of the data protection changes in the new KCSIE guidance, including the Data (Use and Access) Act 2025, information sharing and child protection file transfers.
The 2026 draft of Keeping Children Safe in Education, due to take effect from 1 September 2026, brings an increased emphasis on data protection and information sharing than previous editions. Before we get into the finer details, the core message remains the same: data protection law is not a barrier to safeguarding. The guidance is clear that a fear of sharing information should never stand in the way of protecting a child. The draft reinforces this and gives further guidance for staff to ensure they have more confidence to act.
What counts as “data protection laws”?
A crucial change in relation to data protection is that the definition of “data protection laws” used throughout the guidance has been updated to include the Data (Use and Access) Act 2025, alongside the Data Protection Act 2018 and the UK GDPR. All references to “data protection laws” will now include the three pieces of legislation.
Retaining a child's personal information
When the serious harm test applies, schools are required to withhold a child’s personal information. Children staying in a refuge and children in emergency accommodation are used as a real-life example in the guidance, and that data should not be shared in that instance. The guidance goes on to say that if there is any doubt then staff should seek independent legal advice. In 2025 the guidance was more generalised.
Sharing sensitive information rules
Details have been given to allow staff to be more confident of the processing conditions for storing and sharing data, which should be treated as ‘special category personal data'. Information can be shared without consent (where there is a good reason to do so). Staff may not be able to gain consent, or gaining consent could place the child at risk. The new “Information Sharing Duty” guidance is expected in due course following consultation.
Transfer of child protection files.
If a child moves in-year or at the start of a new term, the guidance is more specific about time expectations. The file must be transferred within 5 days and also should be sent separately from the main pupil record. The designated safeguarding lead (DSL) should send the file securely and receive confirmation of receipt.
The DSL should also consider if there is any further information that should be shared to the new setting that would support the child, for example, if there is risk to themselves or others.
Cyber Security is a Safeguarding Issue
The guidance directs schools to the government's Cyber Security Standards for schools and colleges as part of protecting children's personal information. Data breaches are now treated as posing an immediate risk to a child's safety and wellbeing, not just a compliance or failure to log and report. In 2025 it was expected that an annual review of filtering and monitoring took place, now this should be evidenced. This hasn’t created a new DPIA requirement as that already exists; it just ties data security more explicitly to safeguarding duty.
Cybercrime is flagged as one of the fastest-growing safeguarding threats to young people in the UK, and resources have been added on AI generated sexual abuse material and financially motivated sexual extortion.
Immediate Actions
Although the guidance is still on draft until the final version is published, it’s worth planning ahead for September now.
-
Update your data protection policy to reference the Data (Use and Access) Act 2025
-
Check your process meets the 5 day timescale and DSLs consider what information should also be relayed.
-
Review how your filtering and monitoring checks are documented, as this should now be evidenced.
-
Ensure your DSLs understand the serious harm test and what information should be withheld.
Review our other articles:
What the Data (Use and Access) Act Means for Schools
Guidance of the Transfer of Child Protection and Safeguarding Information
