Cyber Security for UK Nurseries and Early Years Settings
Why nurseries and childcare providers are increasingly targeted, what Ofsted and the ICO expect, and how to protect the sensitive data of children and families in your care.
Why nurseries hold some of the most sensitive data there is
The personal data held by a nursery or early years setting is among the most sensitive that any small business handles. Children's records, family contact details, medical information, dietary requirements, allergy data, safeguarding notes, financial details — all of this sits in your systems, often in a mix of paper files, spreadsheets, and management software.
Children's data attracts the highest level of protection under UK GDPR. The ICO treats any breach involving children's personal information particularly seriously — and parents rightly expect the settings they trust with their children to take data security seriously too.
Yet many nurseries and childcare providers have never done a structured security assessment. If that's you, you're not alone — but the risk is real and the consequences of getting it wrong are serious.
What data nurseries typically hold
Children's personal data
Full names, dates of birth, home addresses, photographs, developmental records, and attendance data.
Sensitive personal data
Medical conditions, allergies, dietary requirements, disabilities, and safeguarding information — all classified as special category data under UK GDPR.
Family data
Parent and carer contact details, emergency contacts, employment information, and financial details including direct debit mandates.
Staff data
Employee records, DBS check information, qualifications, payroll data, and HR records.
Financial data
Invoicing, payment records, government funding claims, and banking details.
Regulatory and compliance requirements
Ofsted
Ofsted's inspection framework includes leadership and management of data. Inspectors may ask how you protect children's personal information and whether staff understand their data protection responsibilities. A documented approach to security strengthens your position.
UK GDPR and the Data Protection Act 2018
As a data controller, you must implement appropriate technical and organisational measures to protect the personal data you hold. Children's data and special category data (medical, safeguarding) attract the highest level of protection. A data breach involving children's records must be reported to the ICO within 72 hours if it poses a risk to individuals.
Early Years Foundation Stage (EYFS)
The EYFS statutory framework requires settings to keep records securely and to have clear policies on information sharing and data protection. Security controls are part of meeting this requirement.
ICO
The Information Commissioner's Office takes children's data breaches particularly seriously. Several early years settings have received enforcement action following preventable breaches.
The most common threats for nurseries
Phishing emails targeting nursery managers
Nursery managers receive emails from many sources: local authorities, HMRC, suppliers, parents, and Ofsted. Attackers exploit this with fake emails that are hard to tell from the real thing, such as a link to a fake government funding portal or a spoofed email from 'Ofsted'.
Ransomware encrypting children's records
A ransomware attack that encrypts your nursery management software, children's records, and financial data could be devastating — especially at a critical time like funding renewal or inspection.
Unauthorised access to children's photographs
Many nurseries use apps or cloud storage to share photos of children with parents. If these are not properly secured, they can be accessed by unauthorised individuals — a serious safeguarding concern as well as a data breach.
Staff data breaches
Shared logins, staff accessing records they shouldn't, or former employees retaining access after leaving are common issues in small settings with limited IT oversight.
Invoice fraud
Attackers impersonate suppliers or local authority contacts to redirect payments. Nurseries often make regular payments to multiple parties, making them vulnerable to this type of fraud.
Special considerations for children's data
Because nurseries handle children's personal data and special category data, there are specific additional obligations:
- Children's data must be stored securely and access limited to those who need it for their role
- Photographs of children must be stored and shared only through secure, approved channels — not personal WhatsApp groups or personal email accounts
- Safeguarding records require particularly strict access controls — only designated safeguarding leads should have routine access
- Data should not be retained longer than necessary; clear retention policies and regular deletion of old records reduce your risk
- Any sharing of children's data with third parties — including local authorities, health visitors, or other professionals — must be documented and lawful
Important: WhatsApp groups and personal devices
Using personal WhatsApp groups to share photos of children, or staff using personal phones to photograph children, creates significant safeguarding and data protection risks. The ICO has taken action against settings for exactly this. If you use a parent communication app, ensure it is a properly secured, purpose-built platform — not a consumer messaging service.
Priority actions for nurseries and early years settings
Enable MFA on all systems
Your nursery management software, email, local authority portals, and any cloud services should all require multi-factor authentication (MFA, also called two-step verification). This is the single most effective control.
Individual logins for all staff
Every member of staff should have their own login to nursery management software and any other systems. No shared passwords. Access should be removed immediately when staff leave.
Secure children's photographs
Use a purpose-built, properly secured parent communication platform. Ensure staff understand they must not photograph children on personal devices or share via personal messaging apps.
Separate backups of children's records
Keep regular backups of all children's records, stored separately from your main system. If your nursery management software is cloud-based, check what backup options it provides.
Review access controls for safeguarding records
Safeguarding information should only be accessible to your designated safeguarding lead and deputy. Review who has access to what in your nursery management system.
Brief staff on phishing
Give staff a short, regular reminder about suspicious emails, particularly anything claiming to be from Ofsted, HMRC, or local authority funding teams.
Document your security position
A structured assessment and documented report demonstrates to Ofsted and the ICO that you have taken a systematic approach to data security.
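An added example, not part of the original guide or any vendor's tooling: a short Python check over a user list exported from a nursery management system, flagging the account problems covered in the actions above (shared logins, leavers with live access, missing MFA, safeguarding access beyond the designated safeguarding lead and deputy). The CSV column names, role labels and sample rows are constructed assumptions; map them to whatever your system actually exports.

```python
import csv
import io

# Constructed sample export; column names are assumptions, not any product's real format.
SAMPLE_EXPORT = """username,used_by,role,employment,enabled,mfa,safeguarding_access
a.khan,Aisha Khan,manager,current,yes,yes,no
b.jones,Beth Jones,deputy_dsl,current,yes,yes,yes
babyroom,Cara Lee;Dan Ward,practitioner,current,yes,no,no
e.smith,Ed Smith,practitioner,left,yes,no,no
f.patel,Farah Patel,practitioner,current,yes,yes,yes
g.brown,Gina Brown,dsl,current,yes,yes,yes
"""

# Roles allowed routine access to safeguarding records (lead and deputy, per the guidance).
SAFEGUARDING_ROLES = {"dsl", "deputy_dsl"}


def review_accounts(export_text):
    """Return a sorted list of (username, finding) tuples for accounts needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row = {key: value.strip() for key, value in row.items()}
        user = row["username"]
        if row["enabled"].lower() != "yes":
            continue  # disabled accounts cannot be used to log in
        people = [p for p in row["used_by"].split(";") if p.strip()]
        if row["employment"].lower() == "left":
            findings.append((user, "leaver still has an enabled account"))
        if len(people) != 1:
            findings.append((user, "shared or unassigned login"))
        if row["mfa"].lower() != "yes":
            findings.append((user, "MFA not enabled"))
        if (row["safeguarding_access"].lower() == "yes"
                and row["role"].lower() not in SAFEGUARDING_ROLES):
            findings.append((user, "safeguarding access outside DSL/deputy"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```

Keeping the dated output of each run alongside your policies gives you a record of the access review itself.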
What to do if you have a data breach
If personal data about children or families is lost, stolen, or accessed without authorisation, you must:
- Contain the breach immediately — change passwords, disconnect affected devices
- Assess the risk to individuals — is there a risk to children's safety or families' rights?
- Report to the ICO within 72 hours if the breach poses a risk to individuals
- Notify affected families if the breach poses a high risk to them
- Consider whether you need to inform Ofsted — serious incidents affecting children's welfare or safeguarding should be reported
- Document everything — what happened, when, what you did, and why
See our full incident response guide for step-by-step guidance on the first 24 hours after a cyber incident.
Our 10-minute security assessment covers all five Cyber Essentials control areas and produces a professional report you can use to document your security position for Ofsted, the ICO, and parents who ask about how you protect their children's data.