The Department for Education has published Keeping Children Safe in Education 2026, the first edition of the statutory safeguarding guidance to incorporate the Data (Use and Access) Act 2025 and to trail a forthcoming statutory information sharing duty, ahead of the guidance coming into force on 1 September 2026.
The new edition, published for information in July and replacing the September 2025 version, introduces a collective definition of "data protection laws" covering the Data Protection Act 2018, the UK GDPR and the DUAA 2025.
The guidance makes several changes with information governance implications:
- It includes an expanded information sharing section (paragraphs 138 to 150), including new criteria for deciding what to share and a reference to the forthcoming statutory Information Sharing Duty
- It introduces a new record quality standards for child protection files, requiring records to distinguish between observed concerns, professional opinion and historic information
- It adds a requirement for schools and colleges to record a child's biological sex accurately wherever it is recorded, alongside new documentation obligations around social transition decisions and alternative toilet and changing arrangements
- It now recommends annual effectiveness reviews of filtering and monitoring systems, led by the responsible senior leadership team member and supported by the designated safeguarding lead and IT support, with a record kept of checks
- It includes new references to generative AI, including the DfE's product safety expectations and the extension of the "contact" category of online risk to cover generative AI applications that simulate harmful interaction.
The expanded information sharing guidance states that when deciding what information to share, schools and colleges should consider its relevancy to the current safeguarding risk, what is necessary for the receiving setting to know, and whether it is clearly presented and appropriately contextualised. Professional judgement should ensure information shared is focused and proportionate, which may include summarising or omitting material not necessary for safeguarding purposes.
That approach is, the guidance says, further supported by the new information sharing duty, intended to give staff greater confidence to share information appropriately and in a timely way. Specific statutory guidance on the duty will be provided in due course following consultation. The department's summary of changes places the update in the context of changes to multi-agency working ahead of legislation in the Children's Wellbeing and Schools Bill, the recent Casey Audit and new content on violence against women and girls.
The existing legal architecture is generally maintained: "safeguarding of children and individuals at risk" remains a processing condition permitting practitioners to share special category personal data without consent where consent cannot be obtained, cannot reasonably be expected, or would place a child at risk. Schools must continue to withhold pupils' personal data where the serious harm test is met, for example where a child is in a refuge or other emergency accommodation, and the guidance repeats that data protection laws do not prevent the sharing of information for the purposes of keeping children safe.
The most practically significant new material in the guidance is in relation to records management. Safeguarding records should be clear, factual, and distinguish between observed concerns, professional opinion and historic information. When a child protection file is transferred, the exporting school or college should include a clear, structured summary identifying current safeguarding concerns, relevant context and ongoing support needs, taking particular care to separate current concerns from historic information.
The guidance notes that where a file contains extensive historical material, a concise summary of current risk is likely to support more effective safeguarding than the transfer of unstructured records alone. Receiving schools should ensure the file is reviewed by an appropriately trained member of staff, seek clarification where information is unclear or incomplete, and use safeguarding information to support, not disadvantage, the child. The five-day transfer timescale, secure transit and confirmation of receipt requirements are carried over from the 2025 edition.
Elsewhere, information security is framed squarely as a safeguarding function, with schools and colleges directed to the Cyber security standards for schools and colleges to strengthen resilience, prevent data breaches and mitigate safeguarding risks. The definitions section now expressly covers imagery that is digitally altered or wholly generated using artificial intelligence, including deepfakes.
The final version of KCSIE 2026 will be published on 1 September 2026.
Keeping Children Safe in Education 2026 is available on GOV.UK: https://assets.publishing.service.gov.uk/media/6a4cf903b7203c4c023fd2f3/Keeping_children_safe_in_education_2026_.pdf

