Questions to ask your childcare centre about data and privacy

Resources for Parents
Written By Niels Wouters

Childcare is a time of trust; trust in the educators caring for your child, and trust in the systems that hold your family’s information. With most centres now using childcare management apps, it’s perfectly reasonable to want clarity on how your child’s photos, documents and personal data are being stored and protected.

You don’t need a background in technology or privacy to ask good questions. These simple questions will help you understand whether the centre (and the software they use) takes your child’s digital safety seriously.

 

How is my child’s data stored and secured?

This is the single most important question you can ask. You want to know:

  • Where is the data stored? Ideally, in secure cloud environments such as Google Cloud, AWS or Microsoft Azure. A red flag is when vendors use their own servers, which rarely match the security standards of major cloud providers.

  • How is it secured? While a vendor shouldn’t give you exact technical details, you want to hear terms like encrypted storage, time-limited and signed URLs, role-based access control, and independent security assessments (e.g. PCI DSS Level 1).

  • Have they ever had a data exposure? Ask directly: “Has your centre or vendor ever experienced a data leak or breach? What happened, what was the volume of data affected, and what changed afterwards?”

Vague or defensive answers are worth noting. Openness is a good sign.

 

How long do you keep my child’s data?

Different types of data have different rules, and some must be kept by law. But not everything needs to live forever. Ask:

  • How long are photos, videos and learning documents kept?

  • How long are identity documents kept (e.g., birth certificates)?

  • Is data automatically reviewed or deleted at certain intervals?

  • Do retention policies change after your child leaves?

Some records, like attendance records and invoicing information, must be kept for up to 7 years. But photos and daily updates don’t need to be kept that long. Many platforms never delete anything unless asked, so it’s important to understand their approach.

 

Is data deleted when we leave, or just deactivated?

It may not be top of mind when you’ve just enrolled at a centre, but it’s prudent to look ahead. You want to know what happens when your child leaves the centre. And it’s crucial to understand that deletion and deactivation aren’t the same.

  • Deactivation. Your profile is turned off so you can no longer log in. But your child’s data may still sit on servers unchanged. As we’ve documented ourselves in the past, direct links to old photos still work long after a family leaves.

  • Deletion. The data is removed from primary databases, backups, cloud storage, and archives. This is the ideal scenario that should be the standard across the industry.

Ask your centre explicitly: “Do you fully delete my child’s data when we leave, and does this include backups?” If a centre or vendor cannot guarantee full deletion, that’s worth knowing before you sign up. You might still enrol at that centre, but it may influence what app use cases you consent to.

 

What exactly am I consenting to?

A consent form is used to tell the centre or vendor what you’re agreeing to and what you’re not. But in practice, these forms often bundle multiple permissions together, use vague wording, or are rushed through during enrolment. Before signing, ask your centre to explain exactly what each permission covers. Ask:

  • Which parts of this consent are required, and which are optional?

  • Can I opt out of photos? Or just close-up photos?

  • Can I ask that my child is never shown in other families’ portfolios?

  • Can I limit how widely photos are shared within the app?

  • What third parties receive my child’s data, and for what purpose?

Some consent forms include a marketing or “promotional use” clause, often hidden within broader permissions. These clauses can allow centres or vendors to use your child’s photos, learning stories or personal information in advertising materials, social media posts, brochures or conference presentations. This is not necessary for childcare operations, and you are entirely within your rights to decline it. In fact, we recommend you always decline any such clauses. Always read these sections carefully and cross them out. Your child’s image should never be used for marketing without your explicit, informed consent.

We advise similar caution for clauses that allow centres to use photos for internal training. While the intention behind internal training may be positive, these clauses can still allow photos of your child to be shared in staff onboarding, professional development sessions or internal presentations. The images can be seen by people who do not work directly with your child, may be stored or copied in uncontrolled ways (such as in a PowerPoint presentation that is later sent via email to staff), and may be shown outside the context in which the photo was originally taken. It also extends your child’s digital exposure far beyond what is necessary for their care.

 

Who can access my child’s information?

Access should always be intentional and limited. Ask your centre:

  • Which staff roles can view photos and documents?

  • Can educators from other rooms access my child’s profile?

  • Can other parents see photos containing my child?

  • Do casual, agency or relief educators get temporary access?

  • Does the vendor have access to parent/child data internally?

A good system uses role-based access control, meaning only the right people see the right information at the right time. If the centre can’t confidently explain this, the vendor may not have implemented it well.

 

What happens if there’s a data breach?

No system is perfect. While they shouldn’t happen, breaches do occur. What matters is how quickly and transparently a centre responds. Ask your centre:

  • How will you notify me?

  • Who leads the response — the centre or the vendor?

  • What steps are taken to secure the account and stop further access?

  • Do you have a breach response plan?

  • Has this happened before?

Under Australia’s Notifiable Data Breaches (NDB) scheme, families must be informed when there’s a likely risk of serious harm. We argue that a breach containing photos of children represents a likelihood of serious harm. Some vendors and centres have been slow or reluctant to acknowledge breaches, so clear expectations up front help.

 

Why these questions matter

You shouldn’t need to be a cybersecurity expert to keep your child safe. These five questions alone can reveal whether your centre and its software provider take digital safety seriously.

If answers feel vague, rushed, or overly technical, that’s a sign to dig deeper.

Your child’s digital footprint begins the moment a photo is taken or a form is uploaded. By asking thoughtful questions early, you help ensure that the footprint stays as small, secure and respectful as possible.

Niels Wouters
Previous

How children’s digital footprint is shaped from day one
Next

What childcare software really does (and why it matters)