A few weeks ago, the news broke that a UK secondary school was blackmailed after criminals downloaded publicly available photographs of pupils from the school's website and social media channels. Using artificial intelligence, they created sexually explicit images of the children and demanded payment to prevent their publication.

According to the Internet Watch Foundation (IWF), around 150 of the generated images could be classified as child sexual abuse material under UK law. In response, child protection organisations and law enforcement agencies have urged schools to reconsider how and why they publish identifiable photographs of children online. (UK schools should remove pupils' online photos as AI blackmail threat grows, say experts, Dan Milmol, The Guardian, 8th May 2026)

The story struck me because it perfectly illustrates how quickly our understanding of risk can change.

Years ago, many schools, clubs and youth organisations published photographs of children online without a second thought. The intention was positive: celebrating achievements, sharing activities, promoting projects and creating a sense of community.

Then came the discussions around privacy and data protection, and people complaining about it.

Then came GDPR. The complaining grew stronger.

Yet many organisations adapted their procedures, introduced consent forms, updated their privacy notices and considered themselves compliant.

But compliance was never the end of the conversation. The real question is whether the risk calculation has changed.

I remember a case I became familiar with many years ago. A school directory containing children's names, photographs and home addresses was distributed to families and eventually found its way online. The intention was entirely positive: helping parents connect, organise activities and strengthen the school community.

At the time, concerns were raised that such information could be misused by someone actively looking for a child. Those concerns were largely dismissed as unlikely, and reluctantly, the practice was stopped.

Artificial intelligence has fundamentally changed the equation.

A photograph is no longer just a photograph. It can be copied, scraped, analysed, manipulated and transformed into something entirely different from what was originally intended. A picture taken to celebrate a school project or a sporting achievement can become raw material for abuse, harassment, extortion or exploitation.

For years, discussions around children's photographs online have focused on consent and legal compliance.

• Do we have parental permission?
• Have we informed everyone properly?
• Are we GDPR compliant?

These questions matter.

But they may no longer be sufficient.

A school can have every consent form signed. A sports club can have the approval of every parent. A municipality can fully comply with every legal requirement.

And yet a more important question remains:

Is publishing these images still in the best interests of the children concerned?

The recent UK case demonstrates why this distinction matters. The school may have had every right to publish the photographs. The parents may have been perfectly comfortable with them appearing online.

None of that prevented criminals from downloading those images and turning them into something harmful. Legality did not protect the children. Consent did not protect the children.

What protects children is a continuous willingness by adults to reassess risks as the world changes. The discussion is no longer simply about data protection. It is about safeguarding.

As educators, youth workers, coaches, parents, public authorities and organisations working with young people, we often ask ourselves: "Are we allowed to do this?"

Perhaps we should increasingly ask: "Should we do this?"

The first question concerns compliance. The second concerns responsibility.

If I were responsible for a school, municipality, sports club or youth organisation today, I would immediately:

• Review all publicly accessible galleries containing identifiable children.
• Avoid publishing names together with photographs.
• Limit the use of close-up portraits where possible.
• Regularly audit older content that remains online.
• Treat children's images as sensitive information, even when consent has been obtained.
• Consider whether a publication genuinely serves the child's interests before publishing it.

None of this means we should stop celebrating children's achievements, projects or successes.

But perhaps the question is no longer whether we are allowed to publish a child's photograph. Perhaps the question is whether, knowing what we know today, we still should.