One Number, Many Doors: The SUI Lands in Schools

The 60-second Briefing

• The Children's Wellbeing and Schools Act passed into law on April 29. It introduces a Single Unique Identifier (SUI) for children, currently being piloted in Wigan using the NHS number.
• Designated persons must use the SUI when processing information about a child for safeguarding and welfare purposes.
• The Children's Commissioner has welcomed the SUI but argues it should be extended to all children, not just those in contact with social care.
• Some provisions of the Act take effect from September 2026. The SUI is on staged commencement, but readiness work needs to start now.
• For independent schools specifically, the implementation questions are concrete, largely unanswered, and entirely yours to navigate.

On April 29 2026, the Children's Wellbeing and Schools Act passed quietly into law. It arrived in a week dominated by cost-of-living headlines about free school meals and uniform price caps. Most of the public coverage focused on the families who would save £1,000 a year. That is real and important, but it is not the most consequential thing in the Act. Buried inside is a piece of national data infrastructure that will reshape how pupil records work in this country for a generation. It is time to look at it properly.

The headline change is the introduction of a Single Unique Identifier for every child. The Government is currently piloting the NHS number as the SUI, starting with Wigan local authority. Designated persons, which will include school safeguarding leads, must use the SUI when processing information about a child for safeguarding and welfare purposes. In effect, every child in England will have a single key that follows them across schools, GPs, social care, police, and any other service designated under the regulations.

I want to make the point upfront that this Act exists for serious reasons. The case for the SUI rests on cases like Sara Sharif's, where multiple agencies held fragments of information about a child at risk, but none of them held the whole picture. The Children's Commissioner has welcomed the Act on those grounds and has argued the SUI should go further – extended to every child, not just those already in contact with social care. Anyone who has worked in a school, or had to make a safeguarding referral and watched the seams between services swallow it, knows the logic of the proposal has weight. This is not a frivolous piece of legislation, and the case for it is not made by silly people.

But a single number is a tool, and every tool has a wrong end. The same identifier that lets a social worker spot a child at risk also creates a backbone that links health, social care and education records under one key. Defend Digital Me has documented 2,385 separate distributions of national pupil data in the past year alone. The appetite for sharing pupil data is already industrial; the SUI gives it horsepower. The Schools Minister has told the Commons that, while the initial scope is "safeguarding and welfare", there is no in-principle reason the SUI could not be extended to additional purposes if those extensions deliver benefits. Scope creep, in other words, is not feared. It is anticipated.

This is the part where IT directors should be paying very close attention, and it links directly to what I wrote in The 73% Problem. A consistent identifier is only as safe as the weakest system holding it. The Cyber Security Breaches Survey just told us, in painful detail, where those systems are: schools, colleges, and the supply chains feeding them. Up to now, a breach at a school exposed that school's data. Once the SUI is in widespread use, a breach exposes a key that an attacker can use to cross-reference across other systems. The threat model has just changed shape, and not for the better.

There is a timing pressure here that nobody is talking about clearly. The Act is now law, but its provisions come into force in stages. Some school-facing duties, like uniform compliance, breakfast clubs and expanded free school meals, take effect from September 2026. The SUI itself is on staged commencement, but the DfE has signalled to local authorities that it expects social care teams to start accessing NHS numbers during 2026, with wider rollout to follow incrementally. Governing bodies are being told to focus on readiness rather than wait for a single "go-live" date. Translation: by the time you can point to a definite implementation deadline, you will already be late.

For independent schools the position is awkward. Why? We sit in a hybrid space. We have pupils who move between state and independent sectors, often with safeguarding flags or SEND status that travels with them. We may well end up holding the SUI on those records, particularly for pupils with SEND involvement under the digital ISP framework I covered in The Digital ISP, where joined-up data is the entire point. But we are not part of the same statutory architecture as state schools, and we do not have the DfE Risk Protection Arrangement backstopping us when something goes wrong. Holding the SUI brings the benefit of being seen as a serious safeguarding partner. It also brings the liability of holding national-level identifiers under commercial cyber cover. Most independent school boards have not had this conversation yet. They need to.

The practical IT questions are the easy bit, and they are still mostly unanswered. How does the SUI land in your MIS? When will iSAMS, SIMS, Arbor, Bromcom and Engage have schemas that accept it? Who has write access to it, and who has read? Is access audited at the user level? What is your retention policy when a pupil leaves your roll, and how long does the SUI remain associated with their archived record? Has your Data Protection Impact Assessment been updated to reflect a special-category identifier? Has anyone had a conversation with your MIS account manager about the supplier's roadmap? These are the questions that need to be on next term's SLT agenda, not next year's.

The connection to a couple of other recent posts is worth drawing briefly. The DUAA: More Carrot, Less Stick covered the soft opt-in regime that has just made fundraising audiences easier to engage. The SUI is a different beast – statutory, narrower purpose limitation, no consent route in safeguarding cases – but the two share a backbone. Schools are now holding increasingly differentiated tranches of pupil data under increasingly differentiated legal frameworks. Whoever runs your data protection function needs a current map of all of them, and most schools do not yet have one.

The £200,000 DfE Director General role I wrote about recently lists the SUI explicitly within its remit. The person who takes that job will spend the next three years deciding what implementation looks like in practice – the technical architecture, the access controls, the regulations on scope creep, the retention periods, the audit standards. Schools that engage with the consultation process and the emerging implementation guidance will have more influence on the final shape than schools that wait to be told. The window is open now. It will not be open indefinitely.

There is a bitter irony in the SUI design that has also been bothering me ever since I read the Royal College of Paediatrics and Child Health's position statement on it. The College welcomes the SUI in principle but flags, among other implementation barriers, that some "missing" children may not have an NHS number at all – migrant children, home-schooled children who have never engaged with the NHS, children whose parents have actively removed them from registers, children of families who do not interact with state services for cultural or status reasons. The safeguarding case for the SUI rests on children who fell through the gaps between services. The design of the SUI quietly assumes that the children we are looking for are already in at least one of the systems it links. The cohort the legislation is most rhetorically aimed at is, in some cases, the cohort it cannot see.

Two things are true at once. The first is that the SUI could genuinely prevent the next Sara Sharif, and anyone who reads the published reviews of those cases knows that joined-up information would have made a real difference. The second is that the SUI is the single biggest structural expansion of pupil data sharing in a generation, with insufficient public debate so far about the trade-offs, the cyber implications, or the children it will still fail to see. Both are true. Schools have to live in the messy middle between them. Refusing to engage with either reality – pretending the safeguarding case is overblown or pretending the privacy concerns are paranoia – is not a defensible position for anyone with responsibility for children's data.

For IT directors specifically, the call to action is simple. Read the Act. Read the Children's Commissioner's response. Read the Defend Digital Me critique. Talk to your MIS supplier. Update your DPIA. Brief your SLT. Then engage with the consultation process while there is still a chance to influence how this lands in practice.

The SUI is coming. Our job is to make sure it lands well.

See you in the digital staffroom.