
Cyber Security for Childcare Providers: NQF Obligations, Digital Technology Policies, and Protecting Family Data

From 1 September 2025, changes to the Education and Care Services National Regulations require every childcare service in Australia to have formal documented policies covering digital technology use, CCTV, and the taking, storage, and destruction of images of children. This is not just a policy compliance exercise — it sits within a broader set of data security and privacy obligations that many providers have not yet fully assessed.

Childcare centres hold a distinctive combination of sensitive data: detailed information about children's health, development, and family circumstances; photographs and video recordings taken as part of routine care and documentation; family contact details and financial information; and, in many services, CCTV footage of the service environment itself.

The families who entrust their children to you have a reasonable expectation that all of this information will be handled with care — that photographs of their children will not be posted to unsecured platforms, that family financial details will not be exposed in a data breach, and that access to their child's records will be controlled. Recent changes to the National Quality Framework (NQF) have made that expectation regulatory, not just ethical.

For approved providers and nominated supervisors, the 2025 NQF amendments represent the most significant update to digital technology obligations in the sector's history. Understanding what they require — and how they connect to broader Privacy Act and cyber security obligations — is now a compliance priority.

  • 1 Sep 2025: NQF changes requiring digital technology and CCTV policies commenced under the National Regulations
  • 1 Jan 2026: National Quality Standard refinements enhancing child safety requirements in Quality Areas 2 and 7
  • 27 Feb 2026: Additional NQF child safety requirements commenced, including expanded digital safety provisions

What the 2025 NQF Changes Require

The Australian Government's review of child safety arrangements under the NQF, conducted by ACECQA and published in December 2023, found that the existing framework needed to be updated to address the specific risks of digital technology in early childhood education and care. The resulting reforms have been introduced in stages.

From 1 September 2025, changes to the Education and Care Services National Regulations require approved providers to have documented policies and procedures specifically addressing:

  • The use of digital devices by children in the service — including what devices are permitted, how usage is supervised, and how content is controlled
  • The use of organisation-owned digital devices by staff — including tablets, phones, cameras, and laptops used to document children's learning and development
  • The taking, use, storage, and destruction of images and videos of children — including who may take images, on what devices, through what platforms, for what purposes, and how images are stored and eventually destroyed
  • Obtaining permission and authorisation from parents and guardians to take, use, and store images and videos
  • The use of optical surveillance devices (CCTV) — including where cameras are located, who has access to footage, how long it is retained, and under what circumstances it is reviewed or shared

From 1 January 2026, refinements to the National Quality Standard strengthen the focus on child safety in Quality Areas 2 (Children's Health and Safety) and 7 (Governance and Leadership), with assessors expected to look more closely at how services manage digital technology and information security as part of their overall child safety culture.

The ACECQA National Model Code on Images (2024) provides a compliance baseline. Released in July 2024, the National Model Code — Taking images in early childhood education and care — gives approved providers a framework for developing their digital technology policies. While adoption of the Model Code is not mandatory, it represents ACECQA's articulation of best practice and aligns with the regulatory changes.

Your Broader Regulatory Obligations

Education and Care Services National Regulations

Digital Technology Policies (from 1 September 2025)

All approved providers must have documented policies addressing digital device use, image taking, storage and destruction, parental consent, and CCTV operation. Services that do not have compliant policies are at risk of regulatory findings in their next assessment and rating visit.

Education and Care Services National Law — NQS

Quality Areas 2 and 7 — Child Safety and Governance

From 1 January 2026, the National Quality Standard more explicitly addresses child safety in the context of digital technology. Assessors will evaluate whether governance arrangements — including information security — demonstrate an effective child safety culture.

Privacy Act 1988 (Cth)

APP 11 — Data Security

Services with annual turnover above $3M are covered by the Privacy Act and must take reasonable technical and organisational steps to protect personal information. Children's health, developmental, and family information is sensitive information under the Act, attracting its strongest protections.

Privacy Act — NDB Scheme

Notifiable Data Breaches

A breach involving children's health or developmental records, family financial information, or images of children is likely to cause serious harm and must be notified to the OAIC and affected families. The potential for child exploitation material concerns makes breaches involving children's images particularly serious.

Education and Care Services National Law — s263

Privacy Act Application to the NQF

Section 263 of the National Law applies the Privacy Act to regulatory bodies and ACECQA for NQF purposes. The National Law and Regulations modify how the Act applies, but the fundamental privacy protections — including secure information handling — are preserved and enforced.

Cyber Security Act 2024 (Cth)

Ransomware Payment Reporting

Services with annual turnover above $3M must report ransomware or extortion payments to the Australian Signals Directorate within 72 hours. Larger childcare operators — including those managing multiple services — are within scope.

The Data Profile: What Your Service Actually Holds

The NQF digital technology reforms focus attention on images and CCTV, but the full data held by a typical childcare service extends considerably further:

  • Enrolment records — family contact details, emergency contacts, custody arrangements, and authorised pick-up persons; these have direct child safety implications
  • Health and medical information — immunisation records, allergy information, health action plans, medication authorisations, and diagnoses disclosed for inclusion support purposes
  • Developmental records and learning documentation — observations, assessments, and portfolios that document each child's development over time
  • Images and videos of children — routine documentation, portfolio photographs, and potentially CCTV footage; this is the category most directly addressed by the 2025 NQF changes
  • Family financial information — fee agreements, direct debit authorities, CCS subsidy information, and payment history
  • Sensitive family circumstances — information about family violence, protection orders, custody disputes, or other circumstances that affect who can collect a child; this data has direct physical safety implications if disclosed
  • Staff records — working with children checks, qualifications, and employment information

Family circumstances data is uniquely sensitive. Information about custody arrangements, family violence, or protection orders that services hold to protect child safety can — if exposed — create physical danger rather than simply privacy harm. This data must be protected with access controls that prevent general staff from accessing it unnecessarily, and should never be communicated via unsecured channels.

Images of Children: The Specific NQF Risk

The NQF's focus on images and videos reflects a genuine and well-documented risk in the early childhood sector. Practices that are common in many services — sharing portfolio photos through consumer apps, storing images on staff personal phones, posting children's photos to social media — create exposure that is difficult to manage and that can have serious consequences if images are misused.

The regulatory expectation, reflected in the ACECQA National Model Code, is that services should:

  • Obtain specific, informed written consent from parents or guardians before taking, storing, or sharing images of a child
  • Take images only on organisation-owned devices — not on staff personal phones or tablets
  • Store images on secure, encrypted, service-controlled systems — not in personal cloud accounts (Google Photos, iCloud) or on personal devices
  • Use purpose-built platforms with appropriate privacy settings for sharing learning documentation with families — not WhatsApp groups, Facebook Messenger, or similar consumer applications
  • Maintain a documented image retention and destruction policy — how long images are kept, and how they are securely destroyed
  • Control CCTV footage access — limiting who can view, download, or share footage; retaining footage only as long as necessary; and documenting the policy on CCTV disclosure

A service that has been sharing children's photographs through a staff WhatsApp group, or storing them in an educator's personal iCloud account, is not meeting this standard — regardless of whether any harm has resulted. The NQF assessment process from 2025 onwards will include specific questions about digital technology practices.

Baseline Controls for Childcare Services

Meeting the combined NQF, Privacy Act, and general cyber security obligations for a childcare service centres on a practical set of controls that most services can implement without significant investment:

  • Document your digital technology policy — this is now a regulatory requirement; the policy must address all five elements specified in the National Regulations (device use by children, staff device use, images, consent, CCTV)
  • MFA on all administrative systems — childcare management software (Kidsoft, Xplor, Storypark, etc.), email accounts, and any system holding family or child data should require multi-factor authentication
  • Organisation-owned devices for documentation — phase out the use of personal phones for taking images of children; provide service-owned tablets or cameras for routine documentation
  • Approved platforms for family communication — use purpose-built learning documentation platforms with appropriate privacy controls rather than consumer messaging apps for sharing images and updates with families
  • Access controls on sensitive family information — custody, protection order, and family violence information should be accessible only to designated staff; not visible to all educators in the system
  • CCTV policy and access log — document who has access to footage, under what circumstances it is reviewed, how long it is retained, and who it can be disclosed to; maintain an access log
  • Image retention and destruction schedule — how long portfolio photographs are kept after a child leaves the service, and how they are securely deleted
  • Staff cyber security training — annual training covering phishing recognition, password management, appropriate use of personal devices, and the service's digital technology policies
  • Incident response plan — a documented process for responding to a breach involving child or family data, including OAIC notification obligations and communication with affected families

Your NQF assessment visit will include questions about digital technology. From 2025, authorised officers conducting assessment and rating visits are expected to ask about digital technology policies, image management practices, and how services manage child safety in digital environments. Having documented, implemented policies — not just written ones sitting in a folder — is what assessors are looking for.

Bringing It Together: The NQF and Cyber Security

The 2025 NQF digital technology requirements and general cyber security obligations are not separate compliance streams — they address the same underlying risk from different angles. A service that has thought carefully about how to implement the NQF image policy requirements will already have addressed many of the cyber security controls most relevant to its data profile.

Services that also provide NDIS-funded inclusion supports face both sets of obligations simultaneously — the NDIS Commission's Practice Standards sit alongside NQF requirements for the same participant/child records. The ASD's Essential Eight framework provides a practical baseline for the technical controls that underpin both.

The practical starting point for most services is a gap assessment: mapping what data the service currently holds, how it is stored and who has access, what platforms are used for family communication and learning documentation, and how CCTV is managed. If a breach does occur, understanding the full response process — notification obligations, regulatory reporting, and the operational impact — helps services prepare rather than react. That assessment will surface most of the gaps that both the NQF requirements and a sound cyber security posture require you to close.

Assess Your Childcare Service's Cyber Security

Our Childcare Provider Health Check covers the controls most relevant to your service — digital technology and image management policies, family data protection, platform security, CCTV controls, and NQF compliance readiness. Scored results, prioritised recommendations, and a written report you can use as evidence of your governance practices.


References

  1. ACECQA, NQF Child Safety Changes from 1 September 2025 and 1 January 2026 — digital technology policy requirements; NQS Quality Areas 2 and 7 changes. acecqa.gov.au
  2. Australian Government, Department of Education, National Quality Framework — overview of NQF child safety review and 2025 regulatory changes. education.gov.au
  3. ACECQA, Child Safety Changes to the National Quality Framework — Strengthening Safety in Education and Care — additional requirements commencing 27 February 2026. acecqa.gov.au
  4. ACECQA, National Model Code — Taking Images in Early Childhood Education and Care (July 2024) — consent, device use, storage, and destruction of images; CCTV policy guidance. acecqa.gov.au
  5. Australian Government, Department of Education, National Child Safety Review — New Sector Guidance (June 2025) — NQF Child Safe Culture Guide; NQF Online Safety Guide. education.gov.au
  6. Safe Space Legal, Child Safety Changes to the National Quality Framework — detailed breakdown of 1 September 2025 regulatory changes; digital technology policy requirements. safespacelegal.com.au
  7. Education and Care Services National Law Act 2010 — s263 application of Privacy Act to NQF regulatory bodies and ACECQA. legislation.gov.au
  8. Privacy and Other Legislation Amendment Act 2024 (Cth) — APP 11 clarification; health information as sensitive information; technical and organisational measures; effective 10 December 2024.
  9. Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July–December 2024 — breach notification obligations; serious harm threshold; health information. oaic.gov.au
  10. Cyber Security Act 2024 (Cth), Part 3 — mandatory ransomware payment reporting; 72-hour timeframe; applies to entities with annual turnover above $3M; commenced 30 May 2025. legislation.gov.au