Childcare centres hold more sensitive personal data than most businesses their size. Medical conditions, allergy details, custody arrangements, Medicare numbers, emergency contacts, immunisation records. For every child enrolled, there is a file that contains information most businesses would never need to touch.
And in most centres, that data sits on a single computer in the office. The password has not been changed in two years. The backup, if there is one, has never been tested. The director is also the de facto IT manager, the HR manager, and the person dealing with a parent at the front desk.
This is not a criticism. It is the reality of running a childcare centre on tight margins with a hundred things to manage. But the data you hold creates obligations, and the risks of getting it wrong are real.
The Data You Are Sitting On
Most centre directors do not think of themselves as holding high-risk data. But consider what is in your systems right now.
Child records: Full names, dates of birth, medical conditions, allergies, immunisation status, developmental notes, photos. Under the National Quality Framework, you are required to keep these records. That same data, if exposed, is exactly what identity thieves look for.
Parent and guardian records: Home addresses, phone numbers, email addresses, Medicare numbers, emergency contacts, court orders related to custody. A custody arrangement is among the most sensitive pieces of information a family can have. If that leaks, the consequences go beyond financial.
Staff records: Tax file numbers, bank details, Working with Children Check numbers, first aid certifications. All of this is personally identifiable information (PII), data that can identify a specific individual.
Under the Australian Privacy Act, if your centre has an annual turnover of $3 million or more, you have mandatory obligations around how this data is stored, accessed, and protected. Even below that threshold, the National Quality Standard expects you to keep records secure. And if you experience a data breach that is likely to cause serious harm, you may be required to report it to the Office of the Australian Information Commissioner.
Where Childcare Centres Typically Have Gaps
After working with centres across Sydney, these are the patterns we see most often.
Shared passwords. The office computer has one login that every staff member uses. If someone leaves, the password does not change. There is no way to know who accessed what.
No backup, or an untested one. Some centres have an external hard drive plugged in. Some use a basic cloud sync. Very few have a proper 3-2-1 backup, that means three copies of your data, on two different types of storage, with one copy stored offsite. Even fewer have ever tested whether they could actually restore from that backup.
No patching. Patching means applying security updates to your operating system and software. When a vulnerability is discovered, the vendor releases a fix. If you do not apply it, that vulnerability stays open. Most centres are running systems that have not been updated in months.
No endpoint protection. Many centres have consumer-grade antivirus at best. None have EDR, endpoint detection and response, which monitors devices for suspicious behaviour and can isolate a compromised machine before an attack spreads.
No access controls. Every staff member can access every file. There is no separation between who can view child records, who can edit financial data, and who can install software.
What Basic IT Security Looks Like for a Centre
You do not need an enterprise IT setup. You need the basics done properly. Here is what that looks like in practice.
Unique logins for every staff member. Each person gets their own username and password. When someone leaves, their access is removed the same day. This is also an audit requirement under the National Quality Standard.
Multi-factor authentication (MFA). This means a second step when logging in, usually a code sent to your phone. It prevents someone who steals or guesses a password from getting into your systems. MFA should be on every account: email, cloud storage, your childcare management software.
A tested backup. Set up a proper backup that runs automatically, stores a copy offsite, and is tested regularly. “Tested” means someone has actually restored data from it to confirm it works. An untested backup is not a backup, it is a hope.
Regular patching. Your operating systems and applications need to be updated on a schedule. This is one of the eight controls in the Essential Eight, a set of security measures published by the Australian Cyber Security Centre (ACSC) that addresses the most common ways businesses get compromised.
Endpoint protection. Replace consumer antivirus with managed endpoint security. At a minimum, your devices should be monitored for suspicious activity, and someone should be watching the alerts.
The Cost of Getting This Right
The good news is that basic IT security for a childcare centre is not expensive. A managed IT service that covers monitoring, patching, backups, and support for a small centre can start from $500/month under CIO Tech Assured.
Compare that to the cost of a data breach. The average cyber incident costs an Australian small business over $46,000. For a childcare centre, add the reputational damage of telling parents their children’s medical records were exposed. That is not a cost you can put a number on.
You do not need to fix everything at once. You need to know where you stand and address the highest-risk gaps first.
Start with a Baseline
An IT Audit gives you a clear picture of your centre’s current IT setup, what is working, what is missing, and what to prioritise. It is a one-off engagement for $990, and it produces a report you can act on whether you work with us afterwards or not.
Or if you want a quick snapshot first, take the free IT Health Check. It takes three minutes and gives you an instant view of where your IT security stands.
Learn more about our IT support for childcare centres.
