Record-Keeping and Data Protection for Childcare Providers

Mandatory records

EYFS requires you to maintain the following records at all times:

Official guidance

Mandatory Record-Keeping for Childcare Providers

Attendance registers: Record daily attendance including arrival and departure times for each child. Must also record names of children's key person and who collected the child
Accident and incident records: Record all accidents, injuries, and incidents including date, time, description, treatment given, witnesses, and notification to parents. Retain for 21 years and 3 months (until child turns 24)
Medication records: Written parental consent before administering any medication. Record medication name, dose, time, who administered, and any reactions. Prescription medication only (no non-prescription unless specific written consent)
Safeguarding records: Chronological concern records with dates, observations, actions taken, and referral outcomes. Store securely and separately from children's learning records. Retain for 25 years or until child reaches age 25
Staff records: DBS certificate details (not copies), qualifications, training log, references, employment history, right to work evidence, disqualification declaration, supervision and appraisal records
Risk assessments: Written risk assessments for premises, activities, and outings. Daily premises check records. Review and update at least annually
Complaints log: Written record of all complaints received, investigation actions, outcomes, and timescales. Retain for 3 years from date of complaint
Fire drill log: Record all fire drills including date, time, number of children, evacuation time, and any issues identified
Food safety records: HACCP records, daily temperature checks for fridges/freezers, allergen information for each child, food hygiene certificates
Retention summary: Accident records — 21 years 3 months. Safeguarding — 25 years. Staff records — 6 years after leaving. Complaints — 3 years. Financial — 6 years. Attendance registers — 3 years

Data protection

You process sensitive personal data about children and families, which requires careful compliance with UK GDPR:

Official guidance

Data Protection for Childcare Settings

Lawful basis for processing: Legal obligation (EYFS record-keeping requirements) and legitimate interests (safeguarding children). Consent is NOT the appropriate lawful basis for mandatory records
Privacy notices for parents: Provide a privacy notice explaining what personal data you collect, why, how long you keep it, who you share it with, and parents' rights. Issue at registration
Photograph consent: Obtain specific written consent for photographs of children. Separate consent for learning journals, marketing/website, social media. Parents can withdraw consent at any time
Sharing information with schools: Share EYFS Profile and learning records with receiving school at transition. Lawful basis is legal obligation under EYFS. Parents should be informed but consent is not required
Sharing with local authorities: Share information with local authority early years teams for moderation, funding claims, and safeguarding. Lawful basis is legal obligation
ICO registration: Most childcare providers must pay the ICO data protection fee. Tier 1 fee is GBP 40 per year for micro-organisations (turnover under GBP 632,000 and fewer than 10 staff)
ICO exemption: Some very small providers processing only personal data for staff administration and accounts (not marketing or complex processing) may be exempt. Check ICO self-assessment tool
Data retention: Only keep personal data as long as necessary. Delete or anonymise when retention period expires. See record-keeping requirements for specific retention periods
Data breaches: Report notifiable breaches to the ICO within 72 hours. Inform affected individuals without undue delay if there is a high risk to their rights

Complaints and significant events

You must have clear procedures for handling complaints and notifying Ofsted of significant events:

Official guidance

Complaints Procedures for Childcare Providers

Written complaints policy: EYFS requires all providers to have a written complaints procedure. The procedure must be shared with parents and available on request
Investigation timescale: Investigate and respond to complaints within 28 days. Keep the complainant informed of progress throughout
Complaints record: Record all complaints including date received, nature of complaint, investigation actions, outcome, and any changes made. Records must be available to Ofsted
Notify Ofsted — complaints: Notify Ofsted of any complaint that alleges the provider is not meeting EYFS requirements, or that relates to the safety or welfare of a child
Notify Ofsted — significant events: Notify Ofsted within 14 days of any significant event including serious injury, food poisoning affecting 2+ children, allegations against staff, or any incident requiring police or social services involvement
Parents' right to complain to Ofsted: Parents have the right to complain directly to Ofsted at any time. Display Ofsted contact details (0300 123 4666) and advise parents of this right in your complaints policy
Retention period: Retain complaints records for at least 3 years from the date of the complaint
Annual summary: Make available to Ofsted on request a summary of complaints made in the past 12 months, including outcomes and any actions taken

Record-Keeping and Data Protection for Childcare Providers

Mandatory records

Data protection

Complaints and significant events

Prepare for an Ofsted Inspection

Tech Sector Compliance Overview

Tech Sector Licensing and Authorisations

Cryptoasset Business Regulation

Privacy and Electronic Communications Regulations

Mandatory records

Data protection

Complaints and significant events

Related guides in Data Protection