Legal
The 2026 Mandate: Navigating the Children’s Wellbeing and Schools Act.
What is this? A new law that came into force on 29 April 2026. It changes how schools, councils, health services and police work together to keep children safe. Several parts of it directly affect how schools handle children's information. Data Protection is now embedded within Safeguarding practice.
1. Sharing Information About Children - It's Now Clearer When You Can
One of the biggest changes is about information sharing. In the past, staff sometimes worried about whether they were allowed to share information about a child with other agencies. For example, telling a social worker something a child had said, or passing details to a GP.
The Act now creates a clear legal right to share information about a child when you believe it will help keep them safe or support their welfare. You do not need the parent's or child's consent to do this if the reason is safeguarding.
What this means for you: If you have a concern about a child's safety or welfare, you can share relevant information with other agencies (social care, police, health) without worrying that you're breaking data protection rules. The law now explicitly supports this. Your school's safeguarding policy should be updated to reflect this. This strengthens the 'public task' and safeguarding lawful bases under UK GDPR, but requires DSL to justify proportionality.
2. A Single ID Number for Every Child - Coming Soon
The Act introduces what is called a Single Unique Identifier (SUI) - essentially one ID number that follows a child across all the services they use: school, GP, social care, and so on. The NHS number is the most likely candidate.
At the moment, different agencies hold information about the same child under different reference numbers, which means things can get missed. The SUI will make it much easier to join up information about vulnerable children.
What this means for you: This won't change your day-to-day work immediately. The specific number to be used will be confirmed in further regulations. When it is, your school's systems will need to be updated to include it.
3. Multi-Agency Child Protection Teams - More Joined-Up Working
Every local authority must now set up at least one Multi-Agency Child Protection Team (MACPT). These are teams made up of social workers, police, health professionals and education staff working together in one place on child protection cases.
The target for these teams to be up and running in 2027.
What this means for you: Schools will be more formally involved in child protection decisions than before. Education staff will sit alongside other professionals when decisions are made about children at risk. Your DSL will be your main point of contact for this.
4. Register of Children Not in School
Local authorities must now keep a register of every child who is being home educated in their area. If an LA decides that the home education isn't good enough, they can require the child to return to school.
What this means for you: If a parent tells you they are withdrawing their child to home educate, you need to inform your local authority. This is not new practice, but it is now backed by stronger legal duties on councils.
5. Online Safety - New Powers Coming
This is a significant addition that wasn't in the original Bill. The Act gives ministers new powers to bring in regulations controlling how social media and other online platforms work for children. For example, limiting the hours children can use them, stopping strangers contacting children, or restricting certain features.
A full ban on social media for under-16s was debated heavily but was not included in the Act. However, a government consultation on this closes in May 2026, and some form of age or access restrictions for children under 16 is expected to follow, likely by early 2027.
Government consultation: Growing up in the online world: a national consultation
What this means for you: Schools already have duties around online safety education and acceptable use policies. This Act strengthens the pressure on platforms themselves, but schools should continue to teach children about staying safe online and review their own mobile phone and device policies. The Act also includes a statutory basis for restricting smartphone use in schools.
Top Data Protection Takeaways:
1. Safeguarding vs consent You no longer need a parent's or child's consent to share information if the reason is safeguarding. The Act creates a clear legal basis for this. Data protection law does not block you, in fact, the Act explicitly says sharing for safeguarding purposes won't breach confidentiality rules either.
2. "I wasn't sure if I was allowed to" is no longer a valid reason not to share The whole point of the information sharing duty is to remove that hesitation. If you have a genuine concern about a child's safety, share it with the relevant agency. Document your decision and your reasons.
3. A child's data is about to be linked across every service they touch The Single Unique Identifier (SUI) will connect a child's records across schools, GPs, social care and police. This is now law. The specific number hasn't been confirmed yet, but when it is, your systems, data sharing agreements and privacy notices will all need updating. Start preparing now.
4. Your privacy notices probably need updating The new statutory information sharing duty is a legal basis for processing that didn't exist before. Your school's privacy notices (parent and pupils) should reflect this. Check with your DPO.
5. Record everything As more agencies share information about the same children, good record-keeping becomes even more important. If you share information, note what you shared, with whom, when, and why. If you decided not to share, note that too. DSLs must ensure robust GDPR compliance as part of safeguarding practice, not separate from it.
6. New registers mean new data obligations The Children Not in School register creates a formal data collection duty for local authorities on home-educated children. Schools need to notify their council when a child is withdrawn for home education. Make sure your process for doing this is consistent and documented.
7. Online platforms are about to face much stricter rules on children's data The Act gives ministers powers to regulate how platforms handle children's access and data: things like time limits, contact restrictions and location visibility. Regulations are expected by April 2027. If your school uses third-party platforms or apps that pupils access, keep an eye on whether those platforms will need to change how they operate.
8. More agencies involved means more data sharing agreements needed Multi-Agency Child Protection Teams will bring schools, social care, police and health together more formally than before. That means formal written agreements about how data flows between those agencies. Your DPO should be involved in reviewing or drafting these.
The single most important message: Data protection law is not a reason to stay silent about a child at risk. This Act makes that clearer than ever.
What You Should Do
You don't need to become a data protection expert. But there are a few simple things worth knowing:
-
- Talk to your DSL if you're unsure whether to share information about a child. The law now makes it clearer that safeguarding comes first.
- Don't let worries about data protection stop you raising a concern. The Act reinforces that sharing information to protect a child is the right thing to do.
- Keep records of concerns, conversations and decisions about children Good record-keeping supports the kind of joined-up working this Act is designed to create.
- Watch for updates from your DPO and DSL as further regulations come in over the next 12–18 months, especially around the SUI and online safety rules.
Additional help and resources:
The Children's Wellbeing and Schools Bill Summary
As always, please contact us if you have any queries or concerns: