GDPR for Childcare Providers and Nurseries: How to Handle Children's Data Compliantly
Childcare providers — nurseries, childminders, preschools, and after-school clubs — sit at an unusual intersection of data protection obligations. You hold children's personal data (which attracts the highest level of protection under GDPR), health and medical information (special category data), and parental data. You share records with Ofsted, safeguarding authorities, and third-party apps. You may operate CCTV on your premises and maintain development journals online.
Getting this right is not optional. The ICO actively monitors childcare settings, and the consequences of a data breach involving a child's records are serious — both legally and reputationally. This guide walks through every major data protection obligation for childcare providers in plain terms, with a compliance checklist at the end.
Why Children's Data Requires Extra Care
Article 8 of GDPR gives children's data special status. Children are less able to understand the implications of providing personal data and are less equipped to exercise their rights. GDPR therefore imposes stricter requirements when children are the data subjects:
- Consent from children under 13 (in the UK) is not valid — parental or guardian consent is required
- Privacy notices must be written in clear, age-appropriate language when children are the audience
- Marketing to children based on profiling their personal data is prohibited
- Data minimisation obligations are heightened — collect only what you genuinely need
In a childcare context, you are almost always processing data about children rather than from them directly. But the heightened protection still applies. Every piece of information you hold about a child in your care — their name, their allergies, their development progress, their behaviour incidents — is personal data subject to GDPR's full protections.
What Data You Collect and Must Disclose
Most childcare providers collect a substantial range of personal data. Your privacy notice must accurately describe every category:
Child data:
- Full name, date of birth, address
- Medical conditions, allergies, dietary requirements
- Medications administered on-site
- Development assessments and progress records
- Incident reports and accident records
- Behaviour records
- Images and video footage (from CCTV or learning journals)
- Attendance records
- Funding status and nursery education entitlement details
Parental/guardian data:
- Full name, address, contact details
- Employment information (for childcare voucher or Tax-Free Childcare purposes)
- Financial information (payment records, direct debit details)
- Relationship to child
Emergency contact data:
- Names and contact details of authorised collection persons
- Relationship to child
Staff data:
- DBS certificates and check dates
- Employment records, qualifications, references
- Training completion records
Your privacy notice must list each category, the lawful basis for processing it, how long you retain it, and who you share it with. Vague language like "we collect information to provide our services" does not meet the GDPR transparency requirement.
Lawful Basis for Processing
Childcare providers typically rely on two main lawful bases:
Contract with Parents
The childcare agreement you enter into with parents is a contract. Processing data necessary to perform that contract — the child's name, health needs, dietary requirements, attendance records, billing information — relies on Article 6(1)(b): processing necessary for the performance of a contract.
This is a solid, appropriate basis for core operational data. You do not need to ask for separate consent every time you record that a child has a peanut allergy or update their attendance log.
Legal Obligation
Several categories of data must be processed to comply with legal obligations:
- Safeguarding records under the Children Act 1989 and Working Together to Safeguard Children
- Accident and incident records under the Health and Safety at Work Act
- DBS data under the Safeguarding Vulnerable Groups Act 2006
- Ofsted registration requirements under the Childcare Act 2006
Article 6(1)(c) — legal obligation — is the appropriate basis here. You do not need parental consent to maintain safeguarding records; indeed, seeking consent would be inappropriate and could compromise safeguarding.
Consent
Consent should be used sparingly and only where neither contract nor legal obligation applies. Typical consent-based processing might include:
- Using photographs of children on your website or social media
- Sharing a child's development journal with a family member who is not the primary contact
- Sending marketing communications to parents
Remember: consent must be freely given, specific, informed, and unambiguous. It must be as easy to withdraw as to give. And given that parents have limited practical ability to refuse consent when you hold their child's place, be cautious about relying on consent for anything that could be characterised as a condition of service.
Special Category Data
Health data, including medical conditions, allergies, and dietary requirements that have a medical basis, is special category data under Article 9. In addition to a lawful basis under Article 6, you need a condition under Article 9(2). For childcare settings, the most relevant conditions are:
- Article 9(2)(b): Processing necessary for employment, social security, or social protection purposes (covers statutory requirements)
- Article 9(2)(h): Processing for health or social care purposes (covers medical needs management)
- Article 9(2)(g): Substantial public interest — relevant for safeguarding processing
You should document which Article 9 condition you rely on for each type of special category data in your Records of Processing Activities (ROPA).
CCTV in Childcare Settings
CCTV in nurseries and childcare settings is common — parents often expect it as a safety measure. But operating CCTV creates significant data protection obligations.
What GDPR requires for CCTV:
- A clear, visible notice informing anyone entering the premises that CCTV is in operation, why it is used, and how to request footage
- A documented lawful basis — for childcare settings this is typically legitimate interests (security, child safety) under Article 6(1)(f), supported by a Legitimate Interests Assessment
- A defined retention period — the ICO recommends 31 days in most cases; longer retention requires justification
- Secure storage with access controls limiting who can view footage
- A process for responding to Subject Access Requests for footage
- If parents request footage featuring their child, you must be able to provide it — but you must also consider whether the footage includes other children (whose parents have not consented to sharing)
Parental consent for CCTV: You do not need parental consent to operate CCTV for security purposes — legitimate interests is the appropriate basis. However, if you plan to use footage for other purposes (training materials, marketing), you do need explicit consent.
Live-streaming to parents: Some nurseries offer parent-facing webcam feeds. This is a separate processing activity with additional risks — ensure you have explicit parental consent, that feeds are access-controlled (password-protected, individual logins), and that footage is not retained beyond the live session without consent.
Safeguarding Records and Special Retention Rules
Safeguarding records are an area where data protection law and safeguarding law can appear to conflict. The key principle is that safeguarding obligations take precedence: you must not delete safeguarding records simply because a data subject has exercised their right to erasure or because a standard retention period has expired.
The guidance from Working Together to Safeguard Children and sector-specific guidance from the NSPCC and local safeguarding partnerships should inform your retention schedule:
- Child protection records: typically retained until the child turns 25 (or 35 if records relate to serious harm)
- Accident and incident records: minimum 3 years from the date of the incident (21 years if the child was under 18 at the time)
- Medication administration records: minimum 2 years
- General childcare records: typically 3 years after the child leaves your setting
- Staff DBS certificates: destroy any copy of the certificate within 6 months of the check being completed (retain the certificate number and check date, not a copy of the certificate itself)
Document these retention periods in your ROPA and implement a process to securely delete or anonymise records when the retention period expires.
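The retention schedule above can be turned into a routine review of which records have reached their disposal date. The following is an added example, not code from the original post or from any product named on the page; the record kinds, field names and sample records are constructed for illustration, and it assumes the 21-year accident period runs from the incident date in the same way as the 3-year period.

```python
from calendar import monthrange
from datetime import date
from typing import Optional

def add_years(d: date, years: int) -> date:
    # 29 Feb clamps to 28 Feb when the target year is not a leap year
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def add_months(d: date, months: int) -> date:
    # clamp to the last day of the target month (31 Aug + 6 months -> 28 Feb)
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def age_on(dob: date, on: date) -> int:
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))

def retention_end(kind: str, event: date, dob: Optional[date] = None,
                  serious_harm: bool = False) -> date:
    """Earliest disposal date. `event` is the incident, medication, leaving
    or DBS-check date depending on `kind`; `dob` drives the age-based rules."""
    if kind == "child_protection":      # until the child turns 25, or 35
        return add_years(dob, 35 if serious_harm else 25)
    if kind == "accident":              # 3 years, or 21 if under 18 at the time
        # assumption: the 21-year period also runs from the incident date
        return add_years(event, 21 if age_on(dob, event) < 18 else 3)
    if kind == "medication":            # minimum 2 years
        return add_years(event, 2)
    if kind == "general":               # 3 years after the child leaves
        return add_years(event, 3)
    if kind == "dbs_certificate":       # certificate copy: 6 months
        return add_months(event, 6)
    raise ValueError(f"unknown record kind: {kind}")

def due_for_disposal(records: list, today: date) -> list:
    """IDs of records whose retention period has expired on `today`."""
    return [r["id"] for r in records
            if retention_end(**{k: v for k, v in r.items() if k != "id"}) <= today]

# Constructed sample records (hypothetical, not real children or staff).
SAMPLE = [
    {"id": "CP-1", "kind": "child_protection", "event": date(2021, 9, 1), "dob": date(2019, 2, 28)},
    {"id": "ACC-1", "kind": "accident", "event": date(2022, 5, 3), "dob": date(2019, 2, 28)},
    {"id": "MED-1", "kind": "medication", "event": date(2022, 5, 3)},
    {"id": "GEN-1", "kind": "general", "event": date(2022, 7, 29)},
    {"id": "DBS-1", "kind": "dbs_certificate", "event": date(2024, 8, 31)},
]
```

Running `due_for_disposal(SAMPLE, date(2026, 1, 1))` flags the medication, general and DBS records for secure deletion while the child protection and accident records stay well within their periods; records flagged here should still be checked against any live safeguarding hold before anything is destroyed.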
Sharing Data with Ofsted and Regulatory Authorities
Sharing data with Ofsted and local authority regulators is a legal obligation. Article 6(1)(c) covers this processing, and it does not require parental consent.
During an Ofsted inspection, you may be required to provide:
- Children's records and development assessments
- Accident and incident logs
- Medication records
- Staff DBS information and training records
- Safeguarding records (to the Designated Safeguarding Lead or inspectors)
You should inform parents in your privacy notice that you share data with Ofsted, local authorities, and safeguarding partners as required by law. You do not need to seek consent for this sharing.
Local authorities may also request data in connection with the Early Years Pupil Premium, two-year-old funding, and the childcare entitlement for working parents. This is again a legal obligation basis.
Online Learning Journals and Development Apps
Many childcare providers use digital platforms — Tapestry, Evidence Me, Famly, or similar — to document children's development, share observations with parents, and store assessments.
These platforms are data processors under GDPR. As the childcare provider, you remain the data controller — responsible for how children's data is used on the platform, even though a third party is processing it on your behalf.
What this means in practice:
- You must have a Data Processing Agreement (DPA) in place with every platform you use. Reputable providers like Tapestry and Evidence Me provide these; ensure you have signed and retained a copy.
- Check where the platform stores data. Platforms that store data outside the UK/EU require appropriate transfer safeguards (adequacy decisions, Standard Contractual Clauses).
- You must be able to extract and delete data from the platform when parents exercise their data subject rights.
- Your privacy notice must name these platforms as data processors.
- Ensure parents are informed that their child's images and observations are stored on the platform — this should form part of your initial registration information pack.
When you stop using a platform, ensure you export all records and request deletion of your data from the provider's systems.
Staff DBS Data Handling
Disclosure and Barring Service (DBS) checks are mandatory for childcare staff. DBS data is sensitive and subject to specific handling rules under the Rehabilitation of Offenders Act and the DBS Code of Practice:
- You may not retain a copy of a DBS certificate beyond 6 months from the date of issue
- You may retain a record that a check was completed, the date, the level of check, and the disclosure reference number
- DBS information must be stored securely — paper copies in locked cabinets, digital records with access controls
- Only authorised personnel (typically the manager or Designated Safeguarding Lead) should have access
- Overseas checks for staff who have lived abroad must be handled separately and documented
If a DBS check reveals relevant information, you must follow your organisation's safer recruitment policy. Do not retain details of disclosed convictions beyond what is necessary to make an employment decision.
Social Media and Photographs of Children
This is one of the most common GDPR compliance failures in childcare settings. Sharing photographs of children on social media — even your own nursery's private Facebook page — without explicit parental consent is a breach.
Best practice for photographs:
- Obtain written consent from parents before taking any photographs of their child for any purpose other than the child's development record
- Use a specific, granular consent form: separate consent for internal use (learning journals), for display on your website, for your social media, for local press
- Make it easy for parents to change their mind — withdrawal of consent should not affect the child's place
- Never share photographs of a child with another parent without the photographed child's parent's consent
- Apply a photo policy that prohibits staff from taking photographs on personal devices
Group photographs: If a group photograph includes multiple children, you need consent from all parents before sharing it externally. Where a parent has not consented, either exclude the child from the photograph or do not share it.
Tagging: Never tag photographs with children's names or the nursery's location in publicly accessible posts.
Parental Access to Records (DSARs)
Parents have the right to request access to the personal data you hold about themselves and their child. Under GDPR, you must respond to a Subject Access Request (SAR) within one calendar month.
What must be provided:
- A copy of the personal data you hold
- Information about the purposes of processing, recipients, and retention periods
- Any automated decision-making involved
Practical considerations for childcare settings:
- Safeguarding records may be withheld if providing them would prejudice a safeguarding investigation or put the child at risk — take legal advice in these situations
- Where parents are separated, each parent may submit a SAR independently; you must respond to each, but be careful not to inadvertently disclose one parent's data to the other
- Non-parent legal guardians have the same rights as parents in respect of the child's data
- You have one month to respond — do not wait until the deadline; acknowledge immediately and process promptly
Keep a log of all DSARs received, the date, what was provided, and when — this demonstrates accountability.
Compliance Checklist for Childcare Providers
Documentation
- [ ] Privacy notice updated to cover all data categories, lawful bases, retention periods, and third-party sharing
- [ ] Records of Processing Activities (ROPA) completed and current
- [ ] Data Processing Agreements in place with all third-party platforms (Tapestry, Evidence Me, nursery management software)
- [ ] Data Retention Policy documented and implemented
- [ ] CCTV policy and signage in place
Consent and Lawful Basis
- [ ] Photograph and social media consent forms used at registration
- [ ] Consent forms are granular (separate consents for different uses)
- [ ] Parents can withdraw consent easily without penalty
- [ ] Lawful basis documented for each processing activity in ROPA
Safeguarding and Records
- [ ] Safeguarding records retention schedule follows Working Together guidance
- [ ] Accident and incident records retained for appropriate periods
- [ ] Medication records retained for minimum 2 years
- [ ] Staff DBS records: reference numbers retained, certificates not kept beyond 6 months
Staff and Security
- [ ] All staff trained on data protection obligations (annually)
- [ ] Designated Data Protection Lead identified (may be the setting manager)
- [ ] Staff photograph policy implemented (no personal devices for child photographs)
- [ ] Digital records password-protected; paper records in locked storage
- [ ] Data breach response procedure documented and tested
Subject Access Requests
- [ ] SAR response process documented (acknowledge within days, respond within 1 month)
- [ ] SAR log maintained
- [ ] Staff know how to recognise and escalate a SAR
CCTV
- [ ] Visible CCTV signage at all entry points
- [ ] Retention period documented (typically 31 days)
- [ ] Access to footage limited to authorised personnel
- [ ] Legitimate Interests Assessment completed and documented
Stay Compliant Without the Complexity
Managing data protection obligations across registration forms, development journals, CCTV, safeguarding records, and staff files is a significant administrative burden. Custodia helps childcare providers get a clear picture of their compliance posture and generate the documentation they need.
Run a free scan of your setting's digital footprint — no signup required. You'll get an instant report on cookies, trackers, and third-party data processors active on your website, with plain-English compliance guidance.
This post provides general information about GDPR compliance for childcare providers. It does not constitute legal advice. Requirements vary depending on your specific circumstances and the regulatory framework applicable to your setting. For advice tailored to your organisation, consult a qualified data protection professional or your local authority's data protection team.