For several years, academy trusts have been responding to a growing collection of requirements covering safeguarding, online safety, data protection, cyber security, filtering and monitoring, artificial intelligence and technology governance.
Too often, these requirements have been treated separately.
Safeguarding has sat with the designated safeguarding lead. Cyber security has been left to IT. Data protection has been assigned to the DPO. Decisions about EdTech and AI have been made by academic or digital leaders. Risk has been reported through the finance or audit committee. Filtering and monitoring has sat somewhere between safeguarding, IT and an external provider.
The publication of Keeping Children Safe in Education 2026 and the Academy Trust Handbook 2026, alongside the updated DfE cyber-security and filtering and monitoring standards and the Data (Use and Access) Act 2025, means that this fragmented approach is becoming increasingly difficult to defend.
When these documents are read together, the direction of travel is clear:
Academy trusts are expected to operate a joined-up system through which technology, AI, online safety, cyber security, data protection and safeguarding risks are identified, owned, reviewed, acted upon and reported to the highest levels of trust leadership.
The individual pieces of the jigsaw have existed for some time. The 2026 framework now connects them.
The Academy Trust Handbook is not simply optional guidance. Compliance with its requirements is a condition of an academy trust’s funding agreement. Trustees, accounting officers and senior leaders are expected to understand and adhere to it. The Handbook distinguishes between requirements described as “must” and minimum good practice described as “should”, where a trust would need to demonstrate why a different approach better suits its circumstances.
The starting point is the board’s role.
Paragraph 1.10 states that the academy trust is the legal entity and that the board has collective accountability and responsibility for the trust. It must assure itself that regulatory, contractual and statutory requirements are being met. The board must provide strategic leadership, robust oversight and assurance across education, pupil welfare, funding and the operation of the trust.
Paragraph 1.13 then identifies safeguarding as one of the areas in which strong governance is a key priority, while paragraph 1.14 expressly requires academy trust boards to safeguard and promote the welfare of children and to have regard to statutory safeguarding guidance, including KCSIE.
This matters because the Handbook does not allow trusts to treat KCSIE as a school-level document that sits outside trust governance. The trust board itself is the proprietor for the academies within the trust and therefore carries the strategic safeguarding responsibility described in KCSIE.
Paragraph 1.21 of the Academy Trust Handbook says trusts should be working towards the six DfE digital and technology core standards by 2030. These include:
However, filtering and monitoring is treated differently from the other standards. The Handbook states:
“We expect trusts to already be meeting the filtering and monitoring standards as set out in the statutory guidance Keeping Children Safe in Education.”
This is not presented as a 2030 ambition. It is an existing expectation.
That distinction is significant. Trusts cannot simply place filtering and monitoring within a long-term digital transformation programme and defer meaningful action. They should already be able to show how the standards are being met across every academy.
The updated filtering and monitoring standard reinforces this point. It says schools and colleges should be meeting the standard now, and that governing bodies and proprietors carry overall strategic responsibility.
KCSIE 2026 contains a much more operational expectation than simply having a filtering product installed.
Paragraph 171 says governing bodies and proprietors should ensure appropriate filtering and monitoring systems are in place and that their effectiveness is reviewed at least once every academic year.
The review should:
The school must also consider pupil age, vulnerability, patterns of technology use and the proportionality of cost against safeguarding risk.
The DfE filtering and monitoring standard adds further detail. It says an SLT member and a governor should be assigned responsibility, while the SLT, DSL and IT support should work together across procurement, review, reporting, checks and response.
The annual review should consider:
The review should also be repeated when new technology or generative-AI tools are introduced, when working practices change, after major updates or when a new safeguarding risk is identified.
This moves filtering and monitoring well beyond a technical configuration exercise. It is now a recurring safeguarding, governance, curriculum and procurement process.
One of the most important changes in KCSIE 2026 is the express recognition of generative AI within online safety.
Paragraph 163 identifies four areas of online risk: content, contact, conduct and commerce. Within those categories, KCSIE now expressly recognises:
The filtering and monitoring standard similarly states that filtering should cover content in formats including text, images, audio, video and AI-generated content. It asks trusts to consider whether they need systems capable of handling real-time, dynamic, personalised and AI-generated material.
This creates a practical problem for many trusts.
Traditional web filtering was largely designed to block access to known websites or categories of content. AI systems may instead generate content dynamically within an approved application. A pupil may access a legitimate learning platform, but the material produced within it may depend on an individual prompt, ongoing conversation, uploaded image or vendor model update.
The risk may therefore sit inside an application that the school has already approved.
That is why trusts now need to connect filtering and monitoring to:
Installing a filter does not, by itself, demonstrate that these risks are being governed.
Paragraph 164 of KCSIE 2026 provides the central organising principle:
“Governing bodies and proprietors should ensure online safety is a running and interrelated theme whilst devising and implementing their whole school or college approach to safeguarding and related policies and procedures.”
It says online safety should be considered across:
This is reinforced by paragraph 117, which says safeguarding should underpin all relevant systems, processes and policy development, and by paragraph 154, which requires online-safety training to be integrated with the whole-school safeguarding approach, wider staff training and curriculum planning.
Paragraph 167 requires online safety and filtering and monitoring to be reflected in the child-protection policy. Paragraph 170 says communications with parents should explain online activity and the systems used to filter and monitor it.
The implication is clear: online safety is no longer a standalone policy or an annual presentation delivered to pupils. It must become an operating theme connecting academic practice, technology decisions, safeguarding, staff competence, parent communication and governance.
KCSIE 2026 says that all schools should be mobile-phone-free environments by default and that anything different should be by exception. It refers to the expectation that pupils should not have access to mobile phones during lessons, transitions, breaktimes or lunchtime.
This is relevant to AI and EdTech governance.
A phone-free approach may reduce uncontrolled access to personal AI accounts, messaging services, cameras, image-generation tools and mobile data during the school day. It can create a clearer distinction between:
However, restricting phones does not remove the risk. It transfers greater responsibility to the trust to ensure that its own devices, applications, networks and services are safe, appropriate and properly governed.
The trust therefore needs to know:
A phone policy cannot be separated from application governance, filtering, safeguarding, curriculum and parent communication.
KCSIE 2026 makes an important change in how cyber security is framed.
Paragraph 176 says governing bodies and proprietors should safeguard children by protecting personal information and ensuring appropriate cyber-security systems are in place. It expressly says this should be approached as part of the school or college’s wider safeguarding responsibilities.
Paragraph 177 says the DfE cyber-security standards are intended to:
This is more than a technical security statement. It connects cyber failure directly to child welfare.
The DfE cyber-security standard explains why. Cyber incidents can cause:
A ransomware attack may prevent a DSL from accessing a child-protection record. A compromised account may expose sensitive information about a vulnerable pupil. A failed backup may make it impossible to recover safeguarding or medical data. A breach at one academy may spread across the shared systems of an entire trust.
Cyber security is therefore not merely an infrastructure concern. It affects whether the trust can continue to protect children and operate safely.
The cyber-security standard requires an annual cyber-risk assessment, revisited every term and repeated following significant changes or an incident. It identifies an SLT digital lead as accountable for prioritising and coordinating the standard, with IT support responsible for implementing the technical controls.
The SLT digital lead is expected to work with:
Finance teams are expected to help budget for improvements, update the risk register and procure additional services. Trustees provide oversight and strategic risk management.
The standard also requires cyber risks to be captured, escalated and actioned through the trust’s risk-management process, incorporated into business-continuity planning and reported to governors or trustees.
This looks remarkably similar to the cross-functional structure required for filtering, online safety and AI governance.
That is not a coincidence.
The Academy Trust Handbook requires trusts to maintain sound internal control, risk-management and assurance processes.
Paragraph 2.6 requires a tiered control approach consisting of:
Paragraph 2.7 requires a risk register to be maintained and reviewed by the board, drawing on advice from the audit and risk committee. It also requires independent checking of controls, systems, transactions and risks.
Paragraph 2.43 goes further:
Paragraph 2.44 requires contingency and business-continuity planning.
The internal-scrutiny requirements then complete the assurance cycle. All trusts must have a programme of internal scrutiny covering financial and non-financial controls and risk-management procedures. The programme must be risk-based and should evaluate whether controls are suitable and operating effectively.
This means that AI, cyber, filtering, monitoring, privacy and online-safety risks should not sit in disconnected departmental documents. They should feed into the trust’s formal risk and assurance system.
The board should be able to see:
KCSIE 2026 now expressly defines “data protection laws” as including the Data Protection Act 2018, UK GDPR and the Data (Use and Access) Act 2025. Paragraphs 102–104 require governing bodies and proprietors to understand their responsibilities to process personal information fairly and lawfully and to keep it secure.
The DUAA is relevant because it reinforces the expectation that online services likely to be accessed by children must take account of children’s particular needs and vulnerabilities.
As discussed in our earlier analysis of the Act, this includes consideration of:
For academy trusts, this increases the importance of understanding not only what an application does educationally, but also:
The filtering and monitoring standard itself requires schools to undertake DPIAs where technical monitoring processes personal data and to review provider privacy notices.
The cyber-security standard requires the SLT digital lead and DPO to maintain records of processing for systems handling personal data, review access and permissions and consider supplier compliance.
Once again, the requirements converge.
None of these documents prescribes a specific job title that every trust must adopt.
KCSIE identifies the DSL’s lead responsibility for safeguarding and online safety. The digital standards identify an SLT digital lead. The DPO retains statutory independence and specialist responsibility for data protection advice. IT retains technical accountability for implementing systems. Trustees retain strategic oversight. Academic leaders retain responsibility for curriculum and teaching.
The answer is therefore not to transfer every obligation to one person.
The need is for a named senior leader with responsibility for coordinating the system.
This individual might be called:
The title matters less than the mandate.
The role should have authority to bring together:
The role would not replace these specialists. It would ensure their responsibilities form a coherent operating system.
A defensible mandate would include responsibility for coordinating:
Maintaining a joined-up register of AI, online-safety, cyber, privacy, filtering, monitoring and EdTech risks, with clear ownership, controls, actions, deadlines and escalation.
Ensuring new applications are assessed for educational value, safeguarding, AI product safety, privacy, cyber security, age appropriateness, contractual terms and filtering and monitoring implications before approval.
Reviewing material vendor changes, including newly introduced AI functionality, changes to subprocessors, privacy notices, product terms, moderation or data use.
Coordinating the annual review required by KCSIE, involving the SLT lead, DSL, IT support and responsible governor, ensuring checks are completed across all relevant devices, sites, users and services and that records are retained.
Ensuring annual cyber-risk assessment, termly review, incident readiness, business continuity, backup assurance, staff training and progress against the DfE cyber-security standard.
Ensuring online safety and AI risks are reflected in child-protection, acceptable-use, mobile-phone, staff behaviour, curriculum, procurement, data-protection and technology policies.
Coordinating role-appropriate training for trustees, leaders, teachers, support staff, IT teams and pupils so that each group understands its responsibilities.
Ensuring parents understand how technology and AI are used, what controls exist, what information is collected and how concerns can be raised.
Providing regular, evidence-based reporting to the executive, audit and risk committee and trust board.
The responsibilities described by KCSIE and the digital standards cannot be discharged by one professional discipline.
An academic leader can determine whether an AI tool supports teaching, but may not be able to assess its data-processing terms.
The DPO can advise on privacy, but may not determine whether the tool’s outputs are educationally appropriate.
IT can configure filtering, access and security controls, but may not be able to determine the safeguarding significance of a monitoring alert.
The DSL can assess harm to children, but may not have visibility of application contracts, cyber vulnerabilities or vendor changes.
The trust board can provide challenge, but only if the evidence from each function is brought together.
This is why we developed the Diamond Formation: academic, safeguarding, technology and leadership expertise working together, with data protection, finance and governance brought in as essential contributors.
The model reflects the framework now being established by the DfE:
The Diamond Formation is not an additional governance burden. It is a practical method of coordinating obligations that already exist.
The challenge for trusts is not simply understanding the documents. It is proving that the requirements are being implemented consistently across every academy.
The 9ine platform provides the operating system for that work.
The Governance module allows trusts to convert KCSIE, the Academy Trust Handbook and the DfE digital standards into projects, tasks, risks, controls, owners, deadlines and evidence.
Trust leaders can see progress across individual academies and at trust level, identify gaps and report to committees and trustees.
Vendor Management supports continuous due diligence across privacy, cyber security, safeguarding and AI.
It helps trusts understand whether the vendors behind their EdTech meet the required standards, what risks remain and what safeguards should be put in place.
Application Library provides a controlled inventory of approved EdTech and AI applications.
It allows trusts to manage requests, communicate approved use to staff, identify AI-enabled tools and connect educational applications to vendor, privacy and safeguarding assessments.
The Privacy platform supports records of processing, DPIAs, incidents, retention, policies and accountability.
It helps trusts connect the use of pupil and staff data to the applications, vendors and risks involved.
Trusts can maintain a single operational risk picture covering cyber, online safety, AI, vendor, privacy and technology.
Actions can be assigned, reviewed and evidenced, while dashboards provide senior leaders and trustees with an assurance view rather than disconnected departmental updates.
9ine Academy supports role-appropriate learning in AI, cyber security, privacy and technology governance.
This enables staff, leaders and trustees to understand the responsibilities they are being asked to discharge and to remain the necessary human in the loop.
For many trusts, the first challenge is not lack of activity. It is that work is dispersed across different teams, systems and policies.
The Diamond Sprint brings the relevant people together to establish:
The outcome is not another strategy document that sits on a shelf. It is an operational plan with agreed ownership, priorities and evidence.
The Academy Trust Handbook 2026 does not stand alone. Neither does KCSIE, the cyber-security standard, the filtering and monitoring standard or the DUAA.
Read together, they establish a connected framework:
Trusts retain discretion over exactly how they organise themselves. But discretion over structure should not be mistaken for discretion over the outcome.
The requirement is becoming clear: academy trusts need a joined-up, operational and evidenced system for governing technology, AI and online risk.
The pieces are no longer separate.
The jigsaw is complete.
Book a time to meet with one of our team to operationalise KCSIE, Academy Trust Handbook and GDPR requirements.