- Tammy Buchanan
- Best Practice Updates
The DSL’s Guide to Filtering and Monitoring
The Keeping Children Safe in Education (KCSIE) document obliges schools and colleges in England to “ensure appropriate filters and appropriate monitoring systems are in place and regularly review their effectiveness”. This responsibility is now a standard: not just a technical tick box, but a core leadership and safeguarding function.
The Department for Education published the Filtering and Monitoring Core Standard as part of its Digital and Technology Standards for schools and colleges. This standard was most recently updated in June 2026 to include specific expectations around generative AI tools: schools introducing AI tools must now assess associated risks, consider whether their filtering and monitoring solution can handle AI-generated content, and treat the introduction of a new AI tool as a formal trigger for an out-of-cycle review. These updates reflect the DfE’s recognition that AI introduces safeguarding risks that existing filtering and monitoring systems may not be equipped to manage.
Leadership and DSL Responsibilities
One of the key points from the guidance is that DSLs and Senior Leadership Teams now have a responsibility for "understanding the filtering and monitoring systems and processes in place":
- Procurement: DSLs should be actively involved in procurement to ensure the system meets the specific safeguarding needs of the pupils.
- Implementation: the DSL should lead on the decision-making behind the alerts the system generates; the DSL is the person best placed to understand pupil needs in special circumstances and ongoing situations.
- Collaboration: IT technicians act as the enabler. They will install, set up and configure the system and may provide reports, but the DSL should decide if an alert is a safeguarding concern requiring escalation.
- Oversight: Governors and trustees should carry out regular check-ins, supported by evidence, to ensure the systems are in place and working effectively.
Data Protection and Large-Scale Monitoring: Due Diligence
- Supplier Due Diligence: there should be a thorough risk assessment of the provider. If the system links to a third-party safeguarding platform, such as CPOMS, you should map how that data is shared. DPE Customers should review the Supplier Due Diligence Best Practice Area, complete the Supplier Due Diligence Form (51 KB) and send it to the third-party supplier; once it is returned, we can help you assess any risks.
- DPIA: you should complete a DPIA as 'special category data' is more than likely captured.
- Lawful Monitoring: Refer to the ICO: Guide to Monitoring Lawfully in the Workplace. Monitoring must be necessary and proportionate. You must inform all users (staff and students) of the purpose and extent of the monitoring via updated Privacy Notices and Acceptable Use Policies (AUP). You must inform workers of the purpose of any monitoring. If you are considering monitoring emails and messages, you must complete a DPIA. This is because it poses a high risk to workers’ data protection rights and freedoms and is likely to capture special category data. DPE Customers should review the Transparency Best Practice Area.
Data Minimisation and Retention
- Minimisation: Under the principle of Data Minimisation, if an alert is escalated to a dedicated safeguarding system, the original alert in the monitoring software should ideally be removed so that sensitive data is not duplicated across multiple platforms.
- Subject Access Requests (SARs): Be aware that alerts containing a child’s or staff member's name are discoverable under a SAR. Ensure your system allows for easy retrieval or redaction.
Other policies in the organisation may also need to be updated to reflect use of a filtering and monitoring system.
Further support and guidance about KCSIE and filtering and monitoring:
SWGFL Filtering and Monitoring
DfE Filtering and Monitoring Standards
The Department for Education (DfE) Filtering and Monitoring Standards are designed to ensure that schools and colleges implement effective measures to safeguard students and staff online. Here’s a summary of the key standards:
- Roles and Responsibilities:
- Strategic Responsibility: The governing bodies and proprietors hold overall responsibility for ensuring that appropriate filtering and monitoring systems are in place. This includes overseeing compliance with these standards.
- Senior Leadership Team (SLT) and Governor: A member of the SLT and a designated governor must be assigned to oversee the implementation and effectiveness of these standards. They ensure that the organisation's policies and systems are robust and up-to-date.
- Designated Safeguarding Lead (DSL): The DSL plays a crucial role in this framework. They are responsible for safeguarding students and ensuring that filtering and monitoring measures align with the organisation's overall child protection policies. The DSL must be informed of any potential risks or incidents identified through monitoring.
- Annual Review:
- The filtering and monitoring systems must undergo an annual review to ensure they remain effective and up-to-date with current threats and technological changes. This review should involve assessing the effectiveness of the systems in place, identifying any gaps, and making necessary improvements. The review process ensures that the school’s digital environment continues to protect students and staff. The DSL is responsible for making sure there is an annual review.
- Filtering System Used:
- Schools must implement a robust filtering system to block access to harmful or inappropriate content online. This system should be tailored to the age group of the students and the educational context. It should prevent access to known harmful websites and content categories while allowing necessary educational resources. The filtering system must be regularly updated to adapt to new threats. The DSL is responsible for the filtering and monitoring system procurement.
- Monitoring Strategies:
- Schools need to have effective monitoring strategies in place to track online activity and detect potential risks. This includes monitoring internet usage for signs of inappropriate behaviour, cyberbullying, or exposure to harmful content. The strategies should balance safeguarding with privacy and should be transparent to students, staff, and parents. Monitoring must be conducted in a way that aligns with the school's safeguarding policies and data protection regulations. The DSL is responsible for what is monitored.
Generative AI and Filtering: What the 2026 Update Requires
The DfE updated its Filtering and Monitoring Core Standard on 10 June 2026 to address the growing use of generative AI tools in schools and colleges. The changes are modest in length but significant in scope, and schools should act on them now.
AI-generated content is now explicitly within filtering scope
The definition of filtering has been updated to include AI-generated content alongside text, images, audio and video. This means filtering solutions should be capable of identifying and blocking harmful AI-generated content, not just static web content. Schools should check with their filtering provider whether this capability is in place.
You must assess whether your current solution can handle AI content
The updated standard requires schools and colleges introducing generative AI tools to consider whether their filtering and monitoring solution can handle real-time, dynamic, personalised and AI-generated content. This should be assessed as part of your annual review, or sooner if you have already deployed an AI tool.
Questions to put to your filtering provider:
• Does your solution filter AI-generated content, including content produced via generative AI tools accessible on school devices?
• Can the system monitor and alert on real-time and dynamic content, including AI chat interactions?
• Are there any gaps in coverage for AI tools accessed via apps or mobile technologies?
Introducing an AI tool now triggers an out-of-cycle review
Schools and colleges are no longer required to wait for their annual review to assess AI risks. The updated standard explicitly lists the introduction of a new generative AI tool as a trigger for a review of filtering and monitoring provision outside the usual annual cycle. This sits alongside other existing triggers such as a safeguarding risk being identified, a change in working practice, or major software updates.
Refer to the DfE Generative AI Product Safety Standards
When assessing the risks of generative AI tools, the DfE directs schools to its Generative AI: product safety standards. These standards set out what responsible AI product design looks like for educational settings and can help schools frame their risk assessment and procurement questions.
Data protection implications
The introduction of any generative AI tool in school, or a change in how filtering and monitoring handles AI-generated content, is likely to require a DPIA update. Schools should:
• Review and update their DPIA for any relevant monitoring system to reflect AI-generated content within scope
• Update Privacy Notices and Acceptable Use Policies (AUPs) to inform users that AI-generated content and AI tool use may be captured by monitoring systems
• Complete a DPIA for any newly deployed AI tool: DPE customers can use our AI DPIA template.
These standards emphasize the importance of strategic oversight, regular reviews, and the implementation of appropriate technical solutions to ensure a safe and secure online environment in educational settings.
The DfE’s Data Protection in Schools guidance (updated 17 June 2026) also addresses filtering and monitoring directly. It confirms three things schools must have in place:
• Lawful, proportionate and transparent use of AI in monitoring systems. Where filtering or monitoring systems use automated tools including AI, schools must ensure use is lawful, proportionate and transparent.
• A DPIA before introducing or significantly changing a filtering or monitoring system. This is an explicit DfE requirement, not just ICO best practice.
• Privacy notice coverage of filtering and monitoring activities. Privacy notices must explain what is monitored, why, who can access alerts or reports, and how long the information is retained. Schools should also review the privacy notices of any third-party filtering and monitoring providers.
DPE Customers
Use our DfE Filtering and Monitoring Tracker to record how your school meets the updated standards, including the new AI requirements. We have updated the tracker guidance to reflect the June 2026 changes. If you’re deploying a generative AI tool and need support with the DPIA or AUP, contact us at
For guidance on safely deploying generative AI tools in school, including tool selection, configuration, DPIAs and data breach scenarios, see: Can you use AI safely in schools?
For a technical overview of filtering and monitoring tools, including email filtering, DNS filtering, firewalls, SIEM, and endpoint detection, see our cybersecurity article: Filtering and Monitoring: a Cybersecurity Perspective
