+44 (0) 1273 386849Protecting Children's Privacy Online: Why ICO’s Guidance Applies to School Library Catalogues
Protecting children’s privacy online is a shared responsibility across schools, libraries, and other service providers. In December 2025, the Information Commissioner’s Office (ICO) published a progress update linked to its Children’s Code strategy, reinforcing expectations around how children’s personal data is handled across digital platforms used in education.
This December update does not introduce a new law. Instead, it acts as a timely reminder of existing duties. It offers a helpful opportunity for schools and libraries to pause, reflect, and reassure themselves (and families) that children’s privacy remains a priority.
What was announced by the ICO in December 2025?
The December 2025 publication from the ICO does not introduce new legislation or new statutory duties. The Children’s Code (also known as the Age Appropriate Design Code) remains fully in force, and organisations are already expected to be working in line with it.
This is a strategy progress update, setting out how the ICO is continuing to embed the Children’s Code in practice, what it is seeing across sectors, and where it expects organisations to strengthen their approach.
The update reinforces a consistent and deliberate message: children’s privacy online requires additional care, and responsibility for that protection sits with organisations by design, not with children or families through settings, choices, or consent fatigue.
The ICO is clear that compliance is not just about having policies in place. It is about how systems are configured, maintained, and reviewed over time. In particular, the update reiterates that digital services used by children should:
be designed with the best interests of the child as a primary consideration
default to privacy-protective settings, rather than relying on users to opt out
collect only data that is necessary for the service being provided
retain information for defined periods, rather than indefinitely “just in case”
Importantly for schools and libraries, the ICO explicitly signals that its focus is not limited to high-profile social media or gaming platforms. It is increasingly concerned with everyday systems that process children’s data quietly and continuously – systems that may feel routine, familiar, or low-risk, but which can hold detailed information about children over long periods.
The tone of the update is measured rather than punitive. The emphasis is not on sudden enforcement action, but on raising standards through good governance, encouraging organisations to revisit older systems, refresh DPIAs where platforms have evolved, and ensure that default settings still reflect current expectations around children’s privacy.
In short, the December update is a reminder rather than a reset — but it is a pointed one. It signals that the ICO expects children’s privacy to be actively maintained, not passively assumed, across all digital services used in education, including those that have been in place for many years.
Does It Apply to Online School Library Catalogues?
For schools, the ICO’s December update is best understood as a prompt to look again at the full range of digital systems in everyday use, rather than focusing only on the most obvious or high-risk platforms.
The guidance applies wherever children’s personal data is processed. That includes management information systems, safeguarding platforms, learning technologies — and school library management systems.
Library systems routinely process pupil data such as names, age, year groups, and borrowing histories. This information is held for positive educational purposes, but it is still personal data and falls within the scope of the Children’s Code and wider UK GDPR expectations. The fact that a system feels familiar, low-risk, or has been in place for many years does not place it outside those expectations.
In practice, the ICO is encouraging schools to be confident that:
they are clear why pupil data is held within each system,
only the data genuinely needed to deliver the service is collected,
retention periods are defined and applied in reality, not just in policy,
older systems have not drifted into holding data indefinitely by default.
Library systems can sometimes be missed in whole-school data reviews, particularly where they are managed separately or were procured historically. The December update is a useful reminder that library catalogues and reading systems should be part of the same conversation about children’s privacy as any other school platform.
This is not about removing functionality or discouraging reading for pleasure. It is about ensuring that library services continue to operate in a way that is proportionate, transparent, and aligned with current expectations around protecting data and children’s privacy online
For many schools and library services, this will be a matter of reassurance rather than change – confirming that existing practice still stands up, and that systems are configured with children’s best interests in mind.
A Reminder About Children's Privacy Online for Teachers and School Librarians
Children rarely think in terms of “data rights”, but that does not reduce our responsibility to protect them. In fact, research commissioned by the Information Commissioner’s Office consistently shows that while children may care about privacy in practice, they often struggle to understand how their data is used, where it goes, or how long it is kept.
The ICO’s work highlights a crucial point: children experience safety and trust relationally, not legally. They place confidence in spaces and services that feel familiar, supportive, and well-governed — and they assume that adults have made careful decisions on their behalf. When systems quietly collect or retain data without clear purpose, that implicit trust can be undermined, even if no harm is intended.
Libraries occupy a particularly important position in this landscape. They are widely understood by children, parents, and schools as safe, supportive, and non-judgemental spaces — places to explore interests, develop independence, and engage with information without pressure or surveillance. That sense of safety is not created by rules alone, but by consistent, thoughtful practice behind the scenes.
Handling children’s data carefully is part of sustaining that trust. It signals that reading choices are respected, that curiosity is not monitored unnecessarily, and that participation in library services does not come with hidden or long-lasting digital footprints. This aligns closely with the Children’s Code principle that services should act in the best interests of the child by default, rather than relying on children to navigate complex settings or understand abstract data risks.
Seen in this way, data protection in libraries is not a technical or administrative concern. It is part of the safeguarding culture that reassures families, supports professional integrity, and ensures that library services remain places where children can learn and read freely – confident that their privacy is being quietly and competently protected.
Looking Ahead: Future Children's Privacy Functionality From SLLS
As expectations around age-appropriate design continue to develop, SLLS is exploring future functionality around age-restricted borrowing and related settings, in line with the principles of the Children’s Code.
More information will follow in due course – watch this space.
Library Glossary for School Librarians
As a school librarian, understanding key library terms is essential. Our comprehensive library glossary provides clear definitions to help you navigate the world of library science with confidence.
Download your free glossary here:
Invest in your new library with a new catalogue
Don’t just take our word for it, see what you can achieve with a new school library catalogue.
We’re offering a Free One-Month Trial, with no obligations or credit card requirements, so you can experience the new SLLS for yourself – simple, powerful, and built for real libraries.
