GDPR and childcare: what every family should know about their child's data
A practical guide to GDPR in childcare. Data minimisation, retention periods, and your rights as a family.
GDPR and Childcare: What Every Family Should Know About Their Child's Data
When you entrust your child to a Nanny, you are also entrusting information about your child — routines, health details, dietary requirements, developmental observations, and the daily rhythms of your family life. In an increasingly digital world, where childcare tools and platforms collect, store, and process this information, understanding your rights under GDPR is not optional. It is essential. The General Data Protection Regulation gives families powerful protections over their children's data, but only if you know what those protections are and how to exercise them. This guide explains GDPR in the context of childcare in plain, practical terms — no legal jargon, no unnecessary complexity. Just the information you need to make informed decisions about your child's data.
What Is GDPR and Why Does It Matter for Childcare?
GDPR is the European Union's data protection regulation, in effect since May 2018. It governs how organisations collect, process, store, and share personal data. For families, the most important aspect of GDPR is that it treats children's data as deserving of specific, enhanced protection.
Children's Data Is Special
GDPR explicitly recognises that children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences, and safeguards involved. This is codified in Recital 38 and Article 8, which establish that children's data requires higher standards of protection than adult data. In the context of childcare, this means that any tool or platform handling information about your child must meet these elevated standards.
Personal Data in Childcare Is Broader Than You Think
When you think about your child's data in a childcare context, you might first think of names and dates of birth. But personal data in childcare extends much further. It includes dietary information, health conditions, allergy records, sleep patterns, developmental observations, behavioural notes, emergency contact details, and any other information that relates to an identified or identifiable child. All of this data falls under GDPR's protection.
Data Minimisation: Only What Is Necessary
One of GDPR's core principles is data minimisation — the idea that organisations should only collect and process the minimum amount of personal data necessary for a specific, stated purpose.
What This Means in Practice
A childcare platform needs to know your child's name, age, and relevant health information to provide its service. It does not need your home address unless there is a specific, justified reason. It does not need information about your household income, your work schedule beyond what is relevant to childcare logistics, or details about other family members who are not involved in the childcare relationship.
Questions to Ask
When evaluating any digital tool used in your child's care, ask: what data does this tool collect? Is all of it necessary for the service it provides? If a platform asks for information that seems unrelated to childcare, that is a red flag. A tool designed with data minimisation in mind will ask only for what it needs and nothing more.
The Photo Question
Photographs of children represent a particularly sensitive category of data. Many childcare apps encourage or facilitate the sharing of photos as part of daily updates. Under GDPR, photographs are personal data, and photographs of children are subject to enhanced protection. Families should ask clear questions about photo handling: where are photos stored? Who has access to them? How long are they retained? Can they be permanently deleted?
A data-minimisation approach to childcare documentation would question whether photos are necessary at all for the purpose of communicating about a child's day. Detailed written observations can convey the same information about activities, engagement, and development without creating a visual record that carries additional privacy risks.
Retention Periods: How Long Is Data Kept?
GDPR requires that personal data be kept only for as long as necessary to fulfil the purpose for which it was collected. This principle — storage limitation — is particularly important in childcare, where data accumulates rapidly.
The Problem with Indefinite Storage
Many digital platforms default to retaining data indefinitely. Your child's daily reports from three years ago may still be sitting on a server somewhere, accessible and potentially vulnerable. Under GDPR, this is not acceptable unless there is a legitimate, ongoing purpose for retaining that data.
What Reasonable Retention Looks Like
A well-designed childcare platform should have clear retention policies that are communicated to families. Data from a current childcare relationship should be accessible and up to date. Data from a concluded relationship should be retained only for a defined period — long enough to be useful for reference, short enough to respect the principle of storage limitation — and then securely deleted.
Your Right to Deletion
Under GDPR Article 17, you have the right to request the deletion of your child's personal data. This is sometimes called the "right to be forgotten." A childcare platform should be able to delete your child's data completely upon request, and the process for making that request should be straightforward and clearly documented.
Role-Based Access: Who Can See What?
Not everyone involved in your child's care needs access to the same information. GDPR's principles support the idea that access to personal data should be limited to those who need it for a specific purpose.
The Principle of Least Privilege
In a childcare context, role-based access means that your Nanny sees the information they need to do their job — the child's routine, dietary requirements, health information, and daily log. Administrative staff at an agency might see contact details and scheduling information but not detailed daily observations. And no one outside the direct care relationship should have access to any of it.
Questions to Ask About Access
When a childcare platform handles your child's data, you should understand exactly who has access. Can the platform's employees see your child's daily reports? Can other families on the platform see your information? Is access logged and auditable? These are not paranoid questions — they are the questions GDPR entitles and expects you to ask.
Third-Party Access
Be particularly attentive to whether a platform shares data with third parties. This includes analytics providers, advertising networks, cloud storage providers, and any other entity that might process your child's data. Under GDPR, any third-party processing must be disclosed to you, and each third party must provide adequate data protection.
Your Rights as a Family Under GDPR
GDPR grants you a comprehensive set of rights regarding your child's data. Understanding these rights is the first step to exercising them.
Right of Access
You have the right to request a copy of all personal data held about your child. The platform must provide this data in a commonly used, machine-readable format within one month of your request.
Right to Rectification
If any data held about your child is inaccurate or incomplete, you have the right to have it corrected.
Right to Erasure
As mentioned above, you can request the deletion of your child's data. This right is not absolute — there may be legal obligations that require certain data to be retained — but in most childcare contexts, it applies broadly.
Right to Restrict Processing
You can request that the processing of your child's data be restricted in certain circumstances — for example, while a dispute about data accuracy is being resolved.
Right to Data Portability
You have the right to receive your child's data in a structured, commonly used format and to transmit it to another platform. This is particularly relevant if you switch childcare providers or tools — your child's data should be able to move with you.
Right to Object
You can object to certain types of processing, particularly processing based on legitimate interests or processing for direct marketing purposes.
Practical Steps for Families
Understanding your rights is important, but putting them into practice is what matters. Here are concrete steps you can take.
Review Privacy Policies
Before committing to any childcare platform, read its privacy policy. Look for clear statements about data collection, processing purposes, retention periods, third-party sharing, and your rights. If the privacy policy is vague, excessively long, or written in impenetrable legal language, that is a warning sign. GDPR requires that privacy information be provided in clear, plain language.
Ask Your Nanny About Their Tools
If your Nanny uses a digital tool for daily documentation, ask about it. What data does it collect? Where is it stored? Who has access? What happens to the data when the childcare relationship ends? Your Nanny may not know all the answers, but the conversation itself is valuable — it raises awareness and establishes expectations.
Exercise Your Rights Proactively
Do not wait for a problem to arise before engaging with your data rights. Periodically request access to see what data is held. Review it for accuracy. If you notice data that seems unnecessary or excessive, question it. If a childcare relationship ends, request deletion of data that is no longer needed.
Choose Tools That Prioritise Privacy by Design
GDPR introduces the concept of "data protection by design and by default." This means that data protection should be built into the design of a system from the outset, not bolted on as an afterthought. When evaluating childcare tools, look for evidence that privacy was a design priority — not just a compliance checkbox.
How Gardspace Approaches Data Protection
Gardspace was built with GDPR compliance as a foundational design principle, not a retrofit. The platform collects only the data necessary for childcare documentation, applies role-based access controls so that each user sees only what is relevant to their role, and provides clear retention policies and deletion mechanisms. There are no third-party analytics trackers, no advertising integrations, and no secondary use of children's data. For families evaluating childcare tools through a GDPR lens, these architectural decisions reflect a commitment to data protection that goes beyond minimum compliance.
The Bigger Picture
GDPR is not a bureaucratic obstacle. For families, it is a powerful framework that ensures your child's data is treated with the respect and protection it deserves. In a childcare context, where the data involved is inherently sensitive and the data subjects are children, these protections are especially important.
The digital tools we use in childcare are evolving rapidly. As they become more capable, the amount of data they collect and process will only increase. Families who understand their GDPR rights today are better positioned to make informed choices about which tools to trust with their child's information — not just now, but as the landscape continues to change.
Your child's data is not a commodity. It is personal, sensitive, and deserving of the highest standard of protection. GDPR gives you the tools to demand that standard. Use them.
Learn more about how Gardspace approaches security and data protection in childcare documentation.