SUBMIT A SUPPORT REQUEST
Parliament is debating what children can see online. Has anyone looked at what your school website is publishing?
The Children’s Wellbeing and Schools Bill has been bouncing between the Commons and the Lords for months. At the time of writing, it is in parliamentary ping-pong over a proposed amendment that would ban under-16s from social media platforms. The government has launched a national consultation open until 26 May 2026 asking whether the UK should follow Australia in restricting children’s access to social media, raise the digital age of consent, and place mobile phone guidance on a statutory footing for schools. Ofsted has already been asked to examine mobile phone policies during inspections, and further scrutiny is coming.
Most of the media coverage has focused on what tech platforms are doing, or not doing, to protect children. Relatively little attention has fallen on schools themselves. And yet schools publish content about children every week, photographs, names, achievements, event coverage, class pages, newsletters much of it publicly accessible, much of it never reviewed after it goes up. In the middle of a national conversation about children’s digital safety, that is a gap worth examining.
What the regulatory picture looks like right now
The NSPCC’s guidance on photographing and filming children is clear. Schools should avoid publishing personal information about individual children, remove location data and metadata from images before uploading, consider whether images of children could be replaced with illustrations or non-identifiable visuals, and conduct regular reviews of the photo and video content on their websites. The guidance also recommends reducing image resolution to limit the potential for repurposing.
Under UK GDPR, photographs of pupils are personal data. Schools need written consent for their use, and that consent should be opt-in rather than assumed. The ICO’s Children’s Code, which has been actively enforced since 2024 and is now being updated following the Data (Use and Access) Act 2025 sets out that organisations should default to high privacy settings and minimise data collection where children are concerned. Schools are not exempt from that principle simply because they are schools.
Ofsted’s updated inspection toolkit asks about online safety provision and how leaders ensure pupils understand and adhere to the school’s digital policies. The question of what a school publishes about its own pupils is a natural extension of that conversation. A school that teaches responsible digital behaviour while quietly maintaining a public-facing website full of unreviewed child photographs is sending a mixed message whether or not an inspector raises it explicitly.
Schools should conduct regular reviews of the photo and video content on their websites and assess whether images of children are necessary.
NSPCC Guidance on Photographing and Filming Children
The problem with school websites that grow without being reviewed
School websites tend to accumulate. A page goes up for a school trip in 2021. A class page is created when a new teacher joins. A news post goes out with photographs from sports day. None of these are unreasonable in isolation. But three or four years later, those pages are still there, the children in the photographs are now in secondary school, and nobody has checked whether the original consent still applies or whether the content is even identifiable.
This is not a theoretical risk. A parent can find their child’s photograph on a public school website without ever having been asked for consent for that specific use. A child’s full name can appear alongside a photograph in a news article that is indexed by search engines. A class page can contain enough detail, name, year group, teacher, school to identify a child to someone who should not have that information. Most schools have consent forms. Far fewer have a process for auditing what has actually been published against what was consented to.
What schools should be doing, practically
The starting point is a website content audit focused specifically on child data. This means working through every public-facing page and asking: does this contain images of identifiable children? Does it contain full names alongside photographs? Does it contain information markers such as class, year group, special educational need, achievement that could be considered personal data? Is there a record of consent that covers this specific use?
For most schools, that audit will surface content that was published in good faith but does not stand up to scrutiny under current guidance. The response to that is not panic. It is a structured process of review, remove where necessary, and updated policy for new content going forward. Photographs of school events do not need to disappear from school websites. They do need to be handled with the same care that schools are now asking social media platforms to apply.
Practically, that means first names only (never full names alongside photographs), no images of children who have opted out, no location metadata in uploaded images, no identifiable information about children with SEND or in care, and a regular review cycle, at minimum annually for all publicly published content involving pupils. It also means having a clear, accessible privacy notice that explains what the school publishes, why, and how parents can object.
What this means for how schools think about their websites
A school website is not just a communication tool. It is a publication. It has an audience that extends well beyond the school community, and it carries the school’s name and implicit endorsement against everything it contains. The same standards of care that schools apply to what they say to parents in a letter should apply to what they publish online with the added consideration that unlike a letter, a web page does not disappear when it has served its purpose.
As the national conversation about children’s digital safety intensifies, schools that take a proactive approach to their own digital hygiene are in a stronger position. They can speak to parents about online safety with credibility. They can demonstrate to Ofsted that safeguarding extends to their own published content. And they can be confident that their website reflects the same values they are trying to instil in their pupils.
At iTCHYROBOT, we build and maintain school websites. We see this issue directly with websites that have grown organically over years, with no consistent review process and content that predates current guidance. Our systems already protect your photo uploads by stripping any meta data such as names, location etc. Our tri-annual website refresh for our customers sees a content and media clean up giving you a fresh site from that point in time. If you are unsure what your school’s website currently contains, or whether it would stand up to scrutiny, a structured content audit is the right first step. It is less complicated than it sounds, and the alternative is considerably more uncomfortable. Simpler still, if you would like a new clean, fresh website you can find our pricing online and you might be surprise how cost effective it is to get a new website and have the confidence knowing all the photos are new and current.
