Info Gov

Schools across the UK are being urged to review or remove identifiable photographs of pupils from their websites and social media accounts, following warnings that criminals are using artificial intelligence tools to manipulate those images into child sexual abuse material (CSAM) and then threaten to release it unless a ransom is paid.

The guidance, issued by the UK Online Harms Early Warning Working Group (EWWG), follows a confirmed incident in which an unnamed secondary school was targeted by blackmailers who sourced photographs from the school's own online presence and used AI tools to generate sexually explicit imagery of pupils. Internet Watch Foundation (IWF) analysts assessed approximately 150 images connected to the incident as confirmed CSAM. The images were then converted into digital fingerprints and added to a blocking list shared with technology platforms.

The EWWG - whose members include the National Crime Agency (NCA), the NSPCC, the IWF, Education Scotland, the Welsh Government, the Safeguarding Board for Northern Ireland, and the Lucy Faithfull Foundation - has cautioned that while such incidents are not yet widespread, it considers it "only a matter of time" before more schools are targeted.

Schools are advised that paying a ransom demand may in certain circumstances be unlawful, and are told they should contact police immediately if targeted, preserve any criminal material as evidence, and remove the original images from public view. The IWF can assist by hashing images so that major platforms are prevented from hosting them.

The new guidance suggests that the routine publication of identifiable photographs of pupils on school websites may carry material safeguarding risk that needs to be weighed in any data protection impact assessment.

The EWWG recommends that schools avoid publishing face-on, identifiable images of pupils; consider replacing them with distance shots, blurred images or back-of-head photographs; regularly audit all pupil images published online; and renew image consent agreements with parents and guardians on a frequent basis. Names should not be paired with photographs, and privacy settings should be used to restrict viewing where images are shared. The guidance also notes that adult staff and pupils over 18 are equally vulnerable to being targeted in this way.

Jess Phillips, Minister for Safeguarding and Violence Against Women and Girls, described the threat as "deeply worrying," and confirmed that the government intends to legislate to ban AI tools designed to generate CSAM and to criminalise the sharing of guidance on how to create it.

She indicated the government would "not hesitate to go further if necessary" to keep legislation current with emerging threats.

The EWWG's published checklist for education settings covers the following key actions:

• Review all pupil images currently published on websites and social media
• Consider whether face-on, identifiable images are necessary and replace where possible
• Ensure image consent agreements are current and regularly reviewed
• Do not pair pupils' names with their images
• Apply appropriate privacy settings to any published images
• Establish a clear internal process for responding to blackmail attempts, including immediate police contact and evidence preservation
• Contact the IWF if images need to be blocked from online distribution

The full guidance is published at www.saferinternet.org.uk/guide-and-resource/image-guidance-for-education-settings.

Also in this section

Jul 13, 2026

ICO refreshes law enforcement subject access guidance following DUAA 2025

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.
Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…

InfoGov Masthead Newsletter 800