GDPR for nurseries: an expert's view

Children's data, security and the law for nurseries, with Steve McConnell, NDNA Director of Technology.

Over the past 12 months we have been running a series of data security (GDPR) workshops to address the recent changes in legislation. Understandably there are still continuing questions regards data security across the sector. 

To help I have listed the key points which should be considered, on a monthly basis, by your management teams. This does not need to be an onerous task but needs to be a regular reminder of where you are.


  • Children and parents need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
  • Think about the needs of children and parents from the outset and design your systems and processes with this in mind.
  • Compliance with the data protection principles and in particular fairness should be central to all your processing of personal data.
  • You need to have a lawful basis for holding and processing personal data. Consent is one possible lawful basis for processing, but it is not the only option. As mentioned in our training courses, Nurseries have a legal obligation to collect and process children’s data for their own use and on behalf of other external parties for example local authorities, Ofsted and HMRC. The legal obligation to process children’s data in most circumstances overrides many of the data protection principles. 
  • You need to get consent from whoever holds parental responsibility for the child, retain this consent and track any modifications.
  • Children merit specific protection when you use their personal data for marketing purposes for example using photographs of children for extended periods of time.
  • You should write clear privacy notices for parents so that they are able to understand what will happen to their and their children’s personal data, and what rights they have. Your processes should complement these notices.
  • Children have the same rights as adults over their personal data and could request data access later in life. For example they may want to see what personal data you hold; request rectification; object to processing and have their personal data erased. Again your processes should cater for all of these requirements.
  • An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.

See a quick checklist to check where you are ​​with GDPR at your nursery here.

Remember, you can still access NDNA's full FAQs from nurseries here, including a free data audit download and other resources. 

nursery practitioners on laptop


GDPR data audit for nurseries

GDPR Privacy Notice for nurseries:
FREE GDPR Privacy Notice for nursery members here
View headings to use in your own Privacy Notice here

GDPR record retention for nurseries:
FREE Record Retention Policy for members in England, Scotland and Wales
FREE Record Keeping and Retention factsheet for members in England and Data Retention factsheet for Scotland

GDPR factsheets for nurseries:
GDPR factsheet for England, Scotland and Wales 

GDPR training and support visits:
GDPR Training, the only face to face GDPR training specifically for nurseries.
NDNA support visits to review your data protection processes