How a school approaches image use matters beyond the regulatory question. It is, after all, a part of safeguarding kids in a tech environment that’s changing fast, and that deserves proactive engagement from inside the school: leadership, educators, communicators.
I want to share three lenses I’ve been using to think about it, both in my consulting conversations with schools and in the development of OurNewsletter, a school storytelling tool the team and I are building.
A few caveats. I write from Australia, so the regulators and cases below are local, though versions of this conversation are happening in school systems well beyond these shores. I’m not a lawyer, and nothing here is legal advice; on the compliance side, seek your own counsel. Everything that follows is spoken as someone who has worked in school marketing and communications for years, run many, many school photoshoots.
One problem, or three?
I’ve come to see three main aspects to this conversation. Three spaces, each needing its own thinking and its own investment. Conflate them and it’s easy to end up buying an IT solution to a behavioural problem, or writing a consent form and calling it a safety policy.
1. Privacy & Security: Where images live.
The infrastructure question: how images of students get captured, stored, filed, and surfaced. Whose device takes the photo, and where does it sync? Where do images live outside your student system, who has access, and what about the random copies (the shared Drive folder, the export sitting in a newsletter tool)? And the question I’d put to any leadership team: if a family revokes consent today, can you find every image of their child? I suspect in plenty of schools the honest answer is no, which makes revocation a promise the school can’t keep.
Privacy is the most IT-shaped bucket, and the most black and white. Clear best practice exists; it’s mostly a matter of deciding to do it. The regulators are moving here too. Australia’s early childhood sector banned personal devices for photographing children outright this year, and NSW guidance requires deletion from personal devices including cloud backups. Schools sit in a grey zone that is visibly closing.
We can break privacy and security down a little further into the following:
Capture
Whose device is taking the photo? If it’s a teacher’s personal phone, where does it sync? Even on a school device, does the photo stay stuck on the iPad after it’s been shared to the Drive folder? The early childhood sector has just banned personal devices for capturing images of children outright (in force Feb 2026), and NSW DoE guidance requires deletion from personal devices including cloud backups. Schools sit in a grey zone the regulators are closing.\
There should really be a structural solution to this for every school (something geosnapshot could solve, so could ournewsletter, but also other options available too).
Storage
Where do images live outside the SIS, how are they secured, who has access, and what about the random copies: the shared Drive folder, the export sitting in a newsletter tool?
Filing
If a family revokes consent today, can we actually find every image of their child? If the filing is scattered, revocation either extremely time-consuming or impossible.
Surfacing
Who can pull images out, in what situations, and is there a record of access? Who gets to the archive when something goes wrong?
2. eSafety: How images get misused.
This is where AI has been raising its ugly head. The challenge here is behavioural. Misuse can come from a few directions. An offender may be a stranger to the student. Family – like an estranged parent – accessing photos they shouldn’t. And thirdly, peers being opportunistic. The high-profile Australian cases have mostly involved the third.
In the school deepfake cases we know about, the perpetrator was almost always a student of the school. Reports to our Australian eSafety Commissioner of AI-altered intimate images of under-18s more than doubled in 18 months. Research finds perpetrators are typically known to the victim, low-sophistication, and often unaware they’re breaking the law.
The case for friction
That changes the solution set in this space. Impulsive or opportunistic misuse responds to friction and the perceived certainty of being identified. Think break-ins: leave the car unlocked at night and you’re more likely to get broken into, because the opportunist is walking the street checking handles. Put a camera on the front of the house and they pick the other house. Criminologists call this situational crime prevention. In one field study, a symbolic, fully bypassable “we’re watching” sign cut bike theft by 62%.
I don’t think eSafety risk can be done away with completely; there will always be some. So the conversation in a school context is what’s acceptable risk, what mitigation have we taken, and how honestly we’ve communicated that posture to parents, staff and students.
The social media problem
Which brings me to social media, because many schools use it as their de facto storytelling platform, and I’d gently suggest it’s not performing that job well. You can’t guarantee reach; the algorithm decides who sees a post, and it’s usually a small slice of the people you hoped.
Only a fraction of your community is on the platform anyway, and that fraction is shrinking as people drift to Instagram, TikTok, or away from social media altogether. The engagement data I’ve seen skews heavily female, which makes it a poor way to reach dads in particular.
Anyone can see a public post, so you have no control over the audience; make the page private and you’ve bought yourself approval queues and comment moderation without fixing the reach problem. And you don’t own the result. Try exporting your stories from Meta sometime, with the images and videos attached, and see how far you get. Social media still has a place for schools. But as the storytelling home, it feels good because it ticks a box, and underneath the box-tick it is both risky and ineffective.
There’s a newer problem too. Australia’s under-16 social media ban commenced in December 2025, and other countries are moving in similar directions. Which surfaces a slightly strange ethical quandry: a school posting stories about a Year 7 student on a platform that student is now legally barred from seeing. Something about that doesn’t sit right with me, especially while we’re simultaneously talking about prioritising student-centred learning and student co-creation.
The missing middle layer – and a potential solution?
My sense is parent sentiment will eventually force the question. And when it does, the harder problem appears: what replaces it? As far as I can tell, schools have nothing in between gated-internal platforms (visible only to authorised parents and carers) and fully public channels. Communication that is community-visible but risk-mitigated barely exists as a category. This gap is one of the product philosophies behind our new storytelling newsletter platform, OurNewsletter – we’re imagining a world where schools aren’t forced to use social media if they don’t want to. Where a school doesn’t have to pick between internal-only communication and fully public storytelling, but holds a set of layers in between, and with them the ability to take practical, quick, decisive action on exactly these issues.
3: Consent: Who said yes, to what, and when.
I think this is the most underdeveloped of the three. Common practice, in my experience, is one signature, at enrolment, covering everything, for 13+ years, with no real opportunity to change your mind. Privacy lawyers are saying plainly that this doesn’t hold up. A yes given in Kindergarten says nothing about Year 9.
“Can we publish your child” means a million different things to a million different parents. The mostly-private newsletter, the public website, social media, a billboard: different risk profiles, and parents reasonably feel differently about each. Same with context. Plenty of parents would be comfortable in a storytelling setting and not in an advertising one. The guidance is heading toward consent by context, with a live mechanism for parents to view and change their settings over time.
The student’s own assent
Then there’s the layer schools rarely talk about: the student’s own assent. Two Australian states already hold this as policy. Victoria says that where possible, children should give informed consent. Queensland collects consent from both parent and student where the student has “sufficient maturity and intelligence to understand what is proposed.” In practice, I suspect this is cultural more than procedural: teachers and photographers who ask in the moment (“can I take your photo right now?”), who can read the younger kids who can’t grasp the legal side but know exactly what they’re comfortable with, and who treat a “no” as an answer.
Three questions for your next leadership meeting
Privacy: if a family revoked consent this afternoon, how long would it take to find every image of their child?
eSafety: what’s our acceptable risk on public images, and have we ever said it out loud to parents?
Consent: what does a Year 5 student’s unsuredness about being part of a school photoshoot mean?
None of this needs to feel like throwing everything out at once. My hunch is that the schools who handle this well won’t be the ones with the longest policy, but the ones taking small, decisive steps, early.
Sources and further reading
- eSafety Commissioner (2025, June 27). eSafety urges schools to report deepfakes as numbers double. esafety.gov.au
- eSafety Commissioner. Toolkit for Schools (including the guide to responding to image-based abuse involving AI deepfakes). esafety.gov.au
- Moores (2024, November 8). Schools: Do you actually have consent to publish student photographs? moores.com.au
- Victorian Department of Education. Photographing, Filming and Recording Students (policy). Queensland Department of Education. Obtaining and managing student and individual consent (procedure).
- ACECQA (2024). Guidelines for the National Model Code: taking images and videos in early childhood services.
- Nettle, D., Nott, K., & Bateson, M. (2012). “Cycle thieves, we are watching you.” PLOS ONE.
- National Institute of Justice. Five Things About Deterrence.
About the author
Jacob Shultz
Founder, Bolsta Education
Jacob is a specialist in experience strategy for schools. His focus is on improving the lived experience of schools — through story, systems and the small moments that shape how families feel.
