Best Practice Update

Photos of early years children on an orange background. Early Years settings in blue text. Data Protection and Cyber security in white text. Data Protection Education logo and website address: www.dataprotection.education

Early Years Settings and Cyber Security

🧸 🚼 As digital technology continues to increase in our educational settings, Early Years settings are increasingly integrating digital tools into their operations.  While this might enhance efficiency and communication, it also raises concerns and challenges about cyber security and data protection.
Managing sensitive information about children, families and staff necessitates robust security measures to comply with legal standards and maintain trust.

Early years settings handle a wide range of sensitive information, from personal details like names, addresses, and dates of birth to more specific data such as medical needs, safeguarding records, and family circumstances. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, these organisations are legally required to ensure that data is processed lawfully, securely, and transparently.

Generally speaking, Early Years settings can follow our advice set out for other schools; however, we do recognise that there may be some practical challenges associated with Early Years, such as:

🚼 Limited Budgets and Resources - this can result in outdated technology, limited IT support and inadequate funding for training or security tools.  We would advise utilising free resources such as the National Cyber Security Centre which has some practical guidance for Early Years.

🚼 Staff Awareness and Training - this can be difficult to fit into the day for smaller organisations. However, it is one of the more affordable options. Providing training to all staff that have access to systems will go a long way to improving cyber resilience and can be free, other than the time needed to do the training. The DfE Cyber Security Standards recommend annual training for all staff that have access to the network.
Ensure that staff can recognise a phishing email and know what to do when they receive one.  Review our article about free Cyber Security Training ideas 👉 Free short cyber training for staff

Data Protection training should be for all staff that have access to data and should be part of the onboarding process, so that staff understand what is classed as 'personal data'. Given that most staff might interact with a parent/carer, everyone should be able to recognise a subject access request and know what to do.

🚼 Data Sharing Practices - these should follow the UK GDPR and Data Protection Act 2018 as set out in the DfE Early Years Statutory Framework for group and school-based providers. Providers must ensure that all staff understand the need to protect the privacy of the children in their care, as well as the legal requirements that exist to ensure that information relating to the child is handled in a way that ensures confidentiality. Parents and/or carers must be given access to all records about their child, provided that no relevant exemptions apply. If you are unsure about whether to disclose information then please contact us. We recommend documenting any data sharing agreements, and communicating to staff and parents any data shared through your privacy notices. Consider secure methods for sharing. A child may attend more than one setting, so there should be a way to share information between all professionals safely and efficiently.

🚼 Data Retention - the DfE Early Years Statutory Framework advises that records relating to individual children must be retained for a reasonable period of time after they have left the provision.  It states that individual providers should determine how long to retain records relating to individual children. Please note there is no requirement to pass the child's record onto the school, like there is for Primary to Secondary.

🚼 Systems and devices - systems for recording progress have mostly moved to the cloud, where handheld devices like tablets and iPads are used to record and share the information. Mobile devices have a practical aspect to them, but are prone to getting mislaid. We would advise following the guidance in the DfE Laptop, Desktop and Tablet Standard to ensure the devices are as secure as possible, with a strategy for lost devices and for removing data, such as photos of the children. This should be done more regularly than in a mainstream school, both because of the number of photos taken as part of the recording and because the children stay in the setting for much less time overall. You should also review the DfE Wireless Networks Standards to ensure there is sufficient coverage for any devices used - for example, you are more likely to need to use the devices in an outside setting to record information.

Don't share passwords or put them on display.

🚼 Information - any information you keep about a family should be held in a secure way, whether in a paper or digital format. Due to space limitations, paper files are likely to be kept offsite, so due diligence of any storage should be completed. If data is onsite then it should be locked away, and computers should be password or PIN protected.

🚼 CCTV Footage - we would recommend reviewing our CCTV Best Practice Area for advice and guidance about CCTV.  We can come out on site and review this with you as part of our Making the Rounds service.

🚼 Photos - consider sharing the children's progress using an app specifically for that purpose, as it ensures security: only the person it is sent to can view it via a login, it is backed up, and data retention can be applied.

Further guidance from the ICO about Data Protection tips for Early Years Settings 👉 Data Protection Tips for Early Years Settings and visit our 🚼 Early Years Settings Best Practice Area.
