10 min read
Mark Orchison
:
June 3, 2026
In May 2025, we became aware of a deeply concerning emerging threat affecting schools: the use of publicly available student images to create AI-generated deepfake material for extortion, humiliation and harm.
At the time, we made a deliberate decision not to publish extensively about the issue.
That was not because we thought the risk was small. Quite the opposite. We thought the risk was significant enough that public amplification could make the situation worse. The last thing we wanted to do was provide a playbook for malicious actors or draw more attention to a method of attack that schools were not yet ready to manage.
Instead, we focused on responsible disclosure, sector education and practical support. Over the months that followed, we delivered training webinars and briefings with a range of UK-based, international and US education not-for-profit organisations and accreditation commissions. Our aim was to raise awareness among school leaders, safeguarding teams, privacy leads, IT teams and communications staff without fuelling the problem.
The issue is now too important for schools to ignore.
AI image generation and manipulation tools are now simple, fast, cheap and widely accessible. What once required technical skill can now be done by someone with very little expertise. This changes the risk profile for every school that publishes identifiable student images online.
The question is not whether schools should stop celebrating school life.
They should not.
The question is whether schools should continue placing large volumes of identifiable student imagery on the open internet in the same way they did before AI changed what those images can be used for.
I do not think they should.
Schools have always published photographs of students.
Photos are part of how schools tell their story. They celebrate achievement. They build community. They help prospective families understand the culture of the school. They capture performances, sports fixtures, trips, classroom activity, service learning, graduations and moments of pride.
Digital media matters. It helps schools communicate who they are.
But AI has changed the risk attached to those images.
An ordinary photo of a child on a school website can now become source material for manipulation. A headshot, sports photo, classroom image or social media post can be scraped, copied, enhanced, edited, combined with other material and turned into something deeply harmful.
This can include sexualised deepfake imagery, fake scenarios, malicious memes, impersonation, bullying, blackmail, reputational attacks or fabricated narratives involving students or staff.
The harm does not disappear because the image is fake.
For a child, the emotional and psychological impact can be real. For parents, the fear can be real. For staff, the reputational risk can be real. For schools, the safeguarding, privacy, legal and communications consequences can be immediate and severe.
Once manipulated content spreads through messaging apps, forums or social media, containment becomes extremely difficult. Even when something is proven to be AI-generated, the damage may already have been done.
This is why schools need to treat student images as part of their safeguarding and technology governance framework, not simply as a marketing asset.
Before the internet, schools did not publish student images to a global audience by default.
Photos were displayed on noticeboards inside the school. They appeared in yearbooks. They were used in prospectuses, brochures or marketing materials in a relatively controlled way. The audience was known. The distribution was limited. The context was clearer.
A photo of a student in a school corridor display was not available to anyone in the world with a browser, a scraper, a search engine, an AI tool and malicious intent.
That older principle still matters.
Not because schools should return to paper-only communication. They should not.
But because schools should ask whether the open internet is always the right place for identifiable images of children.
The principle should be this: student images should be shared with the people who have a legitimate need or reason to see them, in a way that is controlled, secure and respectful of the child.
Parents should be able to see moments involving their children. Students should be able to celebrate their achievements. Teachers should be able to use images to support learning and community. Schools should be able to tell their story.
But not everyone on the internet needs access.
That is the shift schools now need to make.
The question is no longer simply, “Do we have consent to publish this image?”
The better question is, “Where should this image live, who should be able to access it, for how long, and what risk does publication create for the child?”
Many schools have historically relied on parental consent forms for student images.
Consent remains important in many contexts, particularly where images are used for marketing, website publication, named portraits, social media or external campaigns.
But consent does not solve the whole problem.
Under data protection law, photographs, videos and audio recordings where a child is identifiable are personal data. Schools need a lawful basis for processing, and they need to distinguish between different purposes: capturing an image, storing it, using it internally, sharing it with parents, publishing it publicly, using it for marketing, or retaining it for archive.
Those are not all the same activity.
A school may use different lawful bases for different purposes. It may rely on consent for higher-risk publication, legitimate interests for lower-risk internal or community use, and historical or archival grounds for some records. What matters is that the decision is deliberate, documented and appropriate to the risk.
Consent also has practical limitations.
It must be informed, freely given, granular and easy to withdraw. Families need to understand how images will be used. They should be able to choose between different uses. Withdrawal needs to be manageable. Historic social media posts and cached website images can be difficult to remove completely. Images copied by others may be outside the school’s control.
Legitimate interests may be appropriate in some lower-risk contexts, but it also requires a documented assessment. The school must show a clear purpose, that the processing is necessary, and that the school’s interests do not override the rights, freedoms, privacy, wellbeing and safety of the child.
In the age of AI manipulation, that balancing test has changed.
A school that previously felt comfortable publishing large volumes of identifiable student images publicly should revisit that decision. The foreseeable risk has increased.
There is another point schools should not overlook.
Image consent is often treated as something between the school and the parent. But the child is the person whose image is being captured, stored, shared and published.
Students should have a voice.
This does not mean every young child has full decision-making authority over every image. Age and maturity matter. Legal and parental responsibilities matter. But schools should recognise that children have a legitimate interest in how their identity is represented.
Should students be told how a photo or video will be used at the time it is taken?
Should they be able to decline being photographed, even if prior parental consent exists?
Should older students have a greater say over whether their image appears on public channels?
Can students review images before they are used?
How does the school avoid embarrassing or isolating students who cannot be photographed?
How does the school teach students about their own image rights, digital identity and AI-related risks?
These are not only legal questions. They are ethical questions.
Respecting student voice helps build trust. It tells students they are not simply content for the school’s marketing. They are members of a community whose dignity, autonomy and safety matter.
This issue cannot be solved by one sentence in a privacy notice.
Schools need an image governance model.
That model should cover policy, lawful basis, consent, student voice, technical controls, publication routes, retention, incident response, training and accountability.
At a practical level, schools should start by mapping how images are currently used.
Where are student images captured?
Who takes them?
Where are they stored?
Who approves them?
Which platforms are they uploaded to?
Are names, classes or other identifying details used?
Are images indexed by search engines?
Are high-resolution images publicly available?
Are images retained longer than necessary?
Can the school quickly remove images when consent is withdrawn?
Does the school know which images have been published externally?
Has the school assessed the risk of AI scraping and manipulation?
These questions often reveal that image use is fragmented. Marketing may publish to social media. Teachers may use classroom apps. Sports teams may share images through newsletters. Boarding staff may post updates. Alumni teams may retain archives. Parents may repost. External photographers may hold copies. The school website may contain years of legacy images.
Without governance, nobody has the full picture.
The aim is not to stop schools using photos. The aim is to reduce avoidable exposure and put stronger controls around higher-risk use.
Schools should consider the following actions.
First, reduce public exposure. Open-internet publication should be reserved for images that are necessary, proportionate and low-risk. Schools should use more group shots, over-the-shoulder images, hands-on-work photos, silhouettes, distance shots, blurred backgrounds, creative framing and images focused on learning outputs rather than identifiable faces.
Second, avoid unnecessary identification. Do not routinely pair children’s full names with images. Avoid captions that reveal class, age, location, routine or other contextual information that increases risk.
Third, reduce image quality where public publication is necessary. High-resolution images are easier to manipulate. Schools should consider lower-resolution public images, appropriate compression, watermarks and other technical protections. These measures will not eliminate risk, but they can reduce the ease and quality of misuse.
Fourth, control where images are shared. Sensitive, celebratory or community content should increasingly move to gated platforms, parent portals or secure media libraries rather than open websites and public social media channels.
Fifth, audit historic content. Schools should review old website pages, newsletters, news posts, social media accounts and public albums. Remove outdated images, images of students who have left, high-resolution portraits, named images and content that no longer has a clear purpose.
Sixth, update privacy notices and consent forms. Parents and students should be told how images are captured, stored, used, shared and protected. Notices should explain the risks of online publication in an age of AI manipulation and the steps the school takes to reduce those risks.
Seventh, complete or refresh DPIAs and risk assessments. Image publication is no longer a low-risk communications activity in all contexts. Schools should assess the privacy, safeguarding, reputational and wellbeing risks of their image practices.
Eighth, train staff. Marketing teams, teachers, sports staff, trip leaders, boarding staff, safeguarding teams and senior leaders all need to understand the new risk environment. Staff should know what can be captured, where it can be uploaded, what must be avoided and how to escalate concerns.
Ninth, prepare for an incident. Schools should run tabletop exercises for deepfake extortion or image misuse. They should know who is in the incident room, how the matter is classified, when police or safeguarding authorities are contacted, how parents are informed, what evidence must be preserved, and how takedown attempts will be managed.
One of the most practical shifts schools can make is to move away from default public publication and towards controlled media environments.
There are products designed to support this model.
Platforms such as Vidigami and Pixevety allow schools to manage student images in more secure, structured and controlled ways. Both are part of the 9ine Certified Vendor Programme.
The benefit of this type of approach is that images can be held in a managed library rather than scattered across public channels. Access can be restricted to appropriate audiences. Parents can see relevant images. Schools can manage permissions, visibility, retention and removal more effectively. Workflows can be created for approval before publication. Consent or “no external use” flags can be better integrated into the process.
This does not remove all risk.
Any platform holding large volumes of student images must itself be carefully assessed. Some tools may use AI or facial-recognition-style tagging, which can introduce additional privacy or biometric considerations. Schools still need vendor due diligence, DPIAs, configuration review and clear internal ownership.
But the direction of travel is right.
The future should not be unlimited public distribution of student images. It should be controlled, purposeful sharing with the people who need access.
That is closer to the pre-internet principle: photos were shared within the school community, not exposed to the world by default.
If a school receives a threat involving AI-generated images of students or staff, the first response matters.
Do not delete communications or attached material. They may be evidence. Store them securely and restrict access.
Escalate immediately to the Designated Safeguarding Lead, senior leadership, IT, privacy and communications leads. This is likely to be both a safeguarding and technology governance incident.
Do not engage with ransom demands. Do not pay. Schools should seek advice from law enforcement and relevant authorities.
Remove the original public images where appropriate to prevent further scraping, while preserving evidence of what was published and where.
Consider whether the incident triggers data protection, safeguarding, cyber, legal or regulatory reporting obligations.
Prepare communications for parents, students, staff and, if necessary, the media. The tone should be calm, factual, protective and transparent where possible.
Use appropriate reporting and takedown routes, including mechanisms designed to help prevent distribution of intimate images.
Most importantly, support the children and staff affected. The material may be fake, but the harm can still be real.
This is exactly the type of issue that shows why schools need cross-functional governance.
Student image misuse is not only a marketing problem.
It is a safeguarding issue because children may be harmed, coerced, humiliated or targeted.
It is a privacy issue because identifiable images are personal data, and children merit particular protection.
It is a technology issue because publication channels, access controls, metadata, media libraries, website configuration and monitoring all matter.
It is a communications issue because schools need to tell their story while protecting students.
It is a leadership issue because governors, boards and senior teams need assurance that the school is managing a foreseeable risk.
The Diamond Formation gives schools a way to bring those perspectives together: academic, safeguarding, technology and privacy working with leadership and communications to make balanced decisions.
The aim is not to paralyse schools. The aim is to help them make better decisions.
Our position is straightforward.
Schools should continue to celebrate students and school life, but they should stop treating public image publication as harmless by default.
They should revisit their image-use policies.
They should refresh consent and lawful basis assessments.
They should give students more meaningful voice.
They should reduce identifiable public exposure.
They should move more content into secure, gated environments.
They should review historic content.
They should assess vendors that manage image libraries.
They should complete DPIAs or PIAs.
They should prepare incident response plans.
They should train staff and brief parents.
They should give leadership clear reporting on the risks, controls and actions.
This is not about fear. It is about proportionality.
Schools do not need to remove every photo from every platform. They do need to recognise that the risk environment has changed.
A photograph of a child is no longer just a photograph when it is placed on the open internet. It can become a data source, a training input, a manipulation target, an impersonation asset or an extortion trigger.
That does not mean schools should stop telling their story.
It means they should tell it with more care.
The old world of school photography was more controlled by default. Images were displayed in corridors, printed in brochures, included in yearbooks or shared within known communities.
The digital world removed many of those boundaries.
AI has now made the absence of those boundaries more dangerous.
Schools should not respond by hiding school life. They should respond by rebuilding sensible boundaries for the digital age.
Share images with parents, students and staff where there is a real purpose. Use secure platforms. Apply access controls. Reduce unnecessary identifiability. Keep public content proportionate. Respect student voice. Review risks regularly. Prepare for incidents.
Not everyone on the internet needs access to children’s images.
That principle is simple. It is also becoming essential.
This is not a challenge that schools need to tackle alone.
At 9ine, we work with schools around the world to help them navigate the intersection of safeguarding, privacy, technology and governance. The risks associated with student images, AI-generated deepfakes and online publication sit squarely within that space.
We can support schools by:
Most importantly, we help schools take a balanced approach. Schools should be able to celebrate their students, showcase learning and build community without exposing children to unnecessary risk.
The goal is not to stop sharing school life. The goal is to share it responsibly, proportionately and with the safeguards that today's technology landscape demands.
If your school would like support reviewing its approach to student images, AI-related risks or broader safeguarding, privacy and technology governance, the 9ine team would be happy to help.
.jpg)
1 min read
9ine : Feb 23, 2026 11:54:25 AM
KCSIE has been edging towards “technology-first safeguarding” for years, but the KCSIE 2026 draft for consultation (12 February 2026) makes the...
.png)
1 min read
9ine : Feb 27, 2026 6:26:25 AM
Closing the session at the St. Regis Downtown, Mark Orchison, CEO of 9ine, took the stage to address the room of school leaders. Following...
.png)
1 min read
9ine : Feb 27, 2026 6:00:00 AM
Insights from the 2025 AI & Cyber Security Forum, Dubai
