Chris Reid, founder and chief executive of Connect Childcare, shares his thoughts on the data security responsibilities of operators and software providers

The early years sector is facing increasing concerns about data and cybersecurity. The fact that settings collect, store and use sensitive information about young children and their families –including financial data – often makes them targets for cyberattacks. In recent years, there have been several reported incidents of data breaches in the early years sector too, resulting in the theft of personal details such as children’s names, addresses, birth dates and social security numbers.

This situation is further illustrated by a recent Information Commissioner’s Office security report which revealed the childcare and education sector as the second worst offender for data breaches in the UK – accounting for almost one in seven cases since 2019.

In a bid to help address these concerns, many early years settings are implementing stricter security measures, such as encrypted storage of sensitive information and regular security audits.

Many are also providing training and education to staff members on how to identify and prevent potential cyber threats – and this is a trend that’s likely to continue to grow in frequency and necessity, as we look ahead to a future driven by ever-evolving digital technologies.

Connect Childcare cybersecurity: Data security responsibilities

When it comes to looking after nursery data, what are the responsibilities of both the setting and the nursery management software provider?

Access controls

These refer to security measures that regulate access to sensitive information. Nursery management software should have robust permission settings and controls available so nursery managers can ensure that only authorised users can access sensitive data. Also, nurseries should make sure their passwords are complex and that they keep their staffing information up to date.

If someone leaves the nursery their access should be revoked immediately and any new personnel added.

Regular back-ups

Making frequent back-ups ensures that data is not lost in the event of a system failure, natural disaster or security breach. Having a disaster recovery plan in place is also vital, so that settings have a clear process to follow should one of these unplanned incidents occur.

Nursery management software should have a reliable, cloud-based back-up system in place to ensure that critical data is preserved – and can be restored in the event of such an emergency. However, settings should also make use of their technology and try not to revert to using paper – to keep all important information in one centralised system.

Frequent updates

Software updates are critical to ensuring the security of early years childcare settings’ sensitive data. Without them, this can create system weaknesses for online criminals to exploit. Nursery management software should receive regular security patches and updates to address any vulnerabilities.

These should be maintained and deployed by the software provider, but it is the responsibility of the operator to report any security incidents and take appropriate action to mitigate such incidents.

Data encryption

This is the process of converting sensitive information into a secure code to prevent unauthorised access. And data should be encrypted at rest and in transit. Nursery management software should use encryption algorithms to protect settings’ sensitive information, such as credit card numbers and customer names.

Regulatory compliance

Nursery management software should comply with relevant data protection regulations, such as the risk-based security standard, ISO 27001:2013. For nurseries, trust is put in the provider’s hands to keep data secure. That’s why it’s important to undertake some due diligence before signing any contract, to make sure the highest levels of security standards are in place.

Connect Childcare cybersecurity: What’s next?

With the sector’s increasing reliance on technology for day-to-day activities, there naturally comes a greater need for cybersecurity measures to protect sensitive data and systems from online threats.

While software providers have the overall responsibility to ensure their systems are secure and compliant with the relevant legislation, it’s important to recognise that there are two sides to this.

Settings also have a part to play in configuring software access controls and keeping them up to date. Looking ahead to the future of data security in the sector, there will likely be greater emphasis on good ‘cyber hygiene’. This means more cybersecurity awareness training for early years staff to help prevent human errors that may lead to data breaches.

Ultimately, it’s only when software providers and nursery managers work together that they have a greater chance of keeping data and systems safe. And this continued collaboration is key.