Online safety and cybersecurity
Nov 05, 2025
Online safety begins with values, not filters. The desired end is pupils who choose to be kind, honest and responsible in digital spaces. Class norms should make that visible: pupils challenge unkind pile-ons in group chats, avoid sharing without consent, and help peers when something goes wrong. Rules still matter, but norms shape behaviour when adults are not present. Mentors can look for trainees who make values explicit, rehearse language for challenge, and return to those norms across the term.
Behaviour change frameworks help move beyond warnings. EAST and related nudges give a planning lens: make safer choices easy, attractive, social and timely. Defaults should work in pupils’ favour, such as privacy settings that start high. Reporting should be low-friction and well signposted. Social proof matters: peer exemplars, visible praise for upstanders, and routines where pupils practise “see it, say it”. Mentors can ask to see how lesson tasks make the safe action the path of least resistance and how the trainee brings norms and messengers into the room.
Scenario work is central. Realistic chat transcripts and case studies help pupils spot what is inappropriate, why it is harmful, and how to respond. The teaching focus shifts from lists of banned actions to conflict resolution and repair: how to apologise, how to support someone targeted, how to escalate when harm persists. Trainees should model calm, depersonalised language and provide sentence stems that pupils can use the next time tension rises.
Systems knowledge underpins safeguarding. Trainees should understand the purpose and limits of filtering and monitoring, what certificate prompts mean on the school network, and how safeguarding platforms route concerns. They should be clear about age-gating and the “likely to be accessed by children” test, and they should address honesty and social norms, not only the legal line. Good lessons explain the why behind controls and connect classroom practice to the school’s routes for recording and response.
Media literacy needs depth. Pupils should be able to distinguish misinformation from disinformation, but the more important habit is judging sources, evidence and motives. Tasks should ask where a claim could be checked, why that place is trusted, and what would count as sufficient evidence. Pupils should produce short justifications for their trust decisions rather than memorise definitions. Mentors might look for enquiry-led activities that result in written or spoken justification.
Cybersecurity sits alongside online safety as part of the duty of care. Schools hold sensitive personal data and face real operational risk from incidents. Trainees should know the basics of the Data Protection Act in a school context, recognise common attack routes, and see themselves as part of the human firewall. Departments benefit when classroom messages align with the work of technicians and the school’s policies on access, backup and incident response.
Social engineering remains the biggest threat. Pupils and staff need to recognise the cues of phishing, smishing and voice-phishing, and they need to report attempts, not just spot them. Strong tasks ask learners to craft believable phishing messages and then deconstruct them, surfacing tactics like urgency, authority and curiosity. The goal is a habit: “pause, check, report”. Mentors can probe for clear reporting pathways in lessons and for practice that builds automaticity.
Authentication and modelling go hand in hand. Trainees should model safe login behaviour at the board: avoid projecting passwords, use non-echoed input, and explain the idea of hashing without getting lost in mathematics. Pupils should see the trade-offs between remembered passwords, password managers and written records kept within a secure physical system. The message is practical security, not purity tests, with attention to how small slips in front of a class normalise poor habits.
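A board-ready demonstration of the two ideas above, non-echoed input and hashing, as an added example that is not part of the original lecture notes. The function names, the PBKDF2 iteration count and the throwaway demo password are assumptions made for the illustration.

```python
import getpass
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Iteration count chosen so the demo runs quickly on a classroom machine
# (an assumption for this example, not a recommended production setting).
ITERATIONS = 200_000

def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): what a system stores instead of the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def check_password(attempt: str, record: Tuple[bytes, bytes]) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    salt, stored = record
    _, candidate = make_record(attempt, salt)
    return hmac.compare_digest(candidate, stored)

def demo_at_the_board() -> None:
    # getpass does not echo keystrokes, so nothing appears on the projector.
    # Use a throwaway password invented for the lesson, never a real one.
    password = getpass.getpass("Choose a demo password (typing is hidden): ")
    record = make_record(password)
    # Safe to project: the salt and digest do not reveal the password.
    print("Stored salt:  ", record[0].hex())
    print("Stored digest:", record[1].hex())
    # The same password hashed again gets a different salt and digest,
    # so two pupils with identical passwords have different stored records.
    print("Second record:", make_record(password)[1].hex())
    attempt = getpass.getpass("Now log in (typing is hidden): ")
    print("Access granted" if check_password(attempt, record) else "Access denied")

if __name__ == "__main__":
    demo_at_the_board()
```

Run it from a terminal rather than an IDE console, since some consoles cannot hide input and `getpass` will fall back to echoing with a warning.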
Network hygiene deserves explicit teaching. Pupils should understand the mechanisms behind public Wi-Fi risk, including spoofed hotspots and man-in-the-middle interception, and should learn to verify networks before joining. QR code “sticker-over-sticker” scams are a useful, tangible example. VPNs can be discussed in terms of threat models and trust: what a VPN can protect, what it cannot, and why “free” services often come with trade-offs. Trainees should favour demonstrations that reveal mechanisms, then guide pupils to reason about choices.
Ransomware and business-continuity planning illustrate why policy matters. Discussion should cover backups, restoration, and the ethical and practical questions around payment. The message for pupils is resilience and preparation; the message for staff is alignment with policy. Where policy creates friction, shadow practices grow, such as forwarding school work to personal email to bypass a screenshot block. Trainees should learn to notice these patterns, understand the underlying need, and route suggestions back into policy, rather than normalise unsafe workarounds.
Curriculum links are clear and progressive. At Key Stage 3, privacy, consent and respectful behaviour online sit alongside basic data security. At Key Stage 4, “new ways” to protect privacy and identity invite discussion of VPNs, multi-factor authentication and reducing digital footprint. At A level, encryption can move from story to practice: substitution ciphers, key exchange exercises, and short investigations that show how simple attacks work in the open, for example by inspecting form submissions and cookies with developer tools. Assessment tasks should favour reasoning and explanation over rote recall.
For mentoring, the through-line is character and craft. Character is the ethos of kindness, honesty and mutual care that makes safer behaviour normal. Craft is the set of techniques that make the right choice easy and expected: nudges built into lesson design, routines for spotting and reporting suspicious messages, clear links between classroom talk and school systems, and technical explanations pitched at the right level for the age group. In observation, look for precise modelling, well-chosen scenarios, and tasks that change what pupils do tomorrow, not only what they can define today. In coaching, prompt trainees to plan with EAST, to coordinate with IT and safeguarding colleagues, and to teach the mechanism behind each rule so pupils can apply judgement when rules are not visible.
If mentors hold trainees to that blend of values, mechanisms and habits, pupils will leave with both the will and the tools to keep themselves and others safe, and schools will be better protected against the threats that now come with running a digital community.
Notes for mentors, based on the 7th Roehampton PGCE Computing lecture