
KCSIE 2025: Data Protection, AI, and Cyber Security
The latest release of the "Keeping Children Safe in Education" guidance brings important updates for schools and colleges, including points relating to the rapidly evolving digital landscape. Most of the changes in this year's guidance are technical.
Data Protection Act 2018 and the UK GDPR
A reminder that governing bodies and proprietors have an obligation to process personal information fairly and lawfully and to keep the information they hold safe and secure.
There is a reminder to see the DfE Data Protection guidance for schools, which will help staff to comply with data protection law, help organisations understand what data to keep, and follow good practices for preventing personal data breaches.
Information Sharing
It is important that governing bodies and proprietors are aware that among other obligations, the Data Protection Act 2018, and the UK General Data Protection Regulation (UK GDPR) place duties on organisations and individuals to process personal information fairly and lawfully and to keep the information they hold safe and secure.
Governing bodies and proprietors should ensure relevant staff have due regard to the relevant data protection principles, which allow them to share (and withhold) personal information, as provided for in the Data Protection Act 2018 and the UK GDPR.
Where children leave the school or college, the designated safeguarding lead should ensure their child protection file is transferred to the new school or college as soon as possible, and within 5 days for an in-year transfer or within the first 5 days of the start of a new term to allow the new school or college to have support in place for when the child arrives. The designated safeguarding lead should ensure secure transit, and confirmation of receipt should be obtained. For schools, this should be transferred separately from the main pupil file. Receiving schools and colleges should ensure key staff such as designated safeguarding leads and special educational needs co-ordinators (SENCOs) or the named persons with oversight for special educational needs and disabilities (SEND) in a college, are aware as required.
Filtering and Monitoring
The Department for Education’s filtering and monitoring standards set out that schools and colleges should:
• identify and assign roles and responsibilities to manage filtering and monitoring systems.
• review filtering and monitoring provision at least annually.
• block harmful and inappropriate content without unreasonably impacting teaching and learning.
• have effective monitoring strategies in place that meet their safeguarding needs.
• schools can use the department’s ‘plan technology for your school service’ to self-assess against the filtering and monitoring standards and receive personalised recommendations on how to meet them.
Governing bodies and proprietors should review the standards and discuss with IT staff and service providers what more needs to be done to support schools and colleges in meeting this standard. The report refers schools to the DfE Generative AI guidance on the use of generative AI as it applies to filtering and monitoring in education.
Information Security & Access Management
Education settings are directly responsible for ensuring they have the appropriate level of security protection procedures in place in order to safeguard their systems, staff and learners and review the effectiveness of these procedures periodically to keep up with evolving cyber-crime technologies. In addition, schools and colleges should consider taking appropriate action to meet the Cyber security standards for schools and colleges which were developed to help them improve their resilience against cyber-attacks.
Retention of Documents
Copies of documents used to verify the successful candidate’s identity, right to work and required qualifications should be kept on their personnel file.
Copies of DBS certificates and records of criminal information disclosed by the candidate are covered by UK GDPR/DPA 2018 Article 10. To help schools and colleges comply with the requirements of the Data Protection Act 2018, when a school or college chooses to retain a copy, there should be a valid reason for doing so and it should not be kept for longer than six months. When the information is destroyed, a school or college may keep a record of the fact that vetting was carried out, the result and the recruitment decision taken if they choose to.
Schools and colleges do not have to keep copies of DBS certificates in order to fulfil the duty of maintaining the single central record. Further information on handling DBS information can be found on GOV.UK.
Record Keeping
Details of allegations following an investigation that are found to have been malicious or false should be removed from personnel records unless the individual gives their consent for retention of the information. However, for all other allegations, i.e. substantiated, unfounded and unsubstantiated, it is important that the following information is kept on the file of the person accused:
- a clear and comprehensive summary of the allegation.
- details of how the allegation was followed up and resolved.
- a note of any action taken, decisions reached and the outcome, i.e. substantiated, unfounded or unsubstantiated.
- a copy provided to the person concerned, where agreed by local authority children’s social care or the police, and
- a declaration on whether the information will be referred to in any future reference.
The purpose of the record is to enable accurate information to be given in response to any future request for a reference. It will provide clarification in cases where future DBS checks reveal information from the police about an allegation that did not result in a criminal conviction and it will help to prevent unnecessary reinvestigation if, as sometimes happens, an allegation re-surfaces after a period of time.
All other records should be retained at least until the accused has reached normal pension age or for a period of 10 years from the date of the allegation if that is longer.
In conclusion, the new KCSIE makes several references to the DfE Digital Standards, six of which are now considered statutory, with a view to taking appropriate action to keep children safe online by meeting the cyber security standards.
Review our other KCSIE articles:
KCSIE: Filtering, Monitoring and Privacy
How KCSIE is linked to Cyber Strategy
Schools, multi-academy trusts and colleges should look to the DfE Digital Standards for more guidance about cyber security and backing up data.
If you’d like to learn more about the DfE Digital Standards—what needs to be done, who’s responsible, and the timelines—join one of our free webinars 👉 https://digitalstandardstracker.co.uk/
We offer a range of resources, support, guidance and tracking tools to help you monitor your progress and report effectively. Documenting and tracking compliance is essential - it can demonstrate your cyber resilience in the aftermath of a cyber attack!
Contact us today for some more information 📧