
Disclaimer: The information provided in this article does not constitute advice and is not a comprehensive statement of GDPR obligations or ICO requirements on organisations. Any decisions you make must be based on the GDPR and guidance given by the ICO.

What data protection laws affect out-of-school clubs?

As defined by Gov.uk, data protection legislation regulates how an individual’s personal information is used by any organisation, including out-of-school clubs.

And here in the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

GDPR for Kids’ Clubs in 2025

Since it came into force in 2018, GDPR has continued to evolve so that a) it stays relevant and b) it can respond to common complaints or issues.

One area of interest for data protection enforcement groups in 2025 is the right to be forgotten or the right to erasure. According to the European Data Protection Board (EDPB), this is “one of the most frequently exercised GDPR rights and one about which Data Protection Authorities (DPAs) frequently receive complaints from individuals”.

The Board is doing some fact-finding this year, and they might follow up with new actions if they think it’s necessary. (Scroll to the bottom of this page for some useful links to help you stay up to date.)

No matter what the changes or updates are to these regulations, we can all continue to make sure we’re doing the right things, from making our devices more secure to minimising what we collect in the first place, and discarding data at the right time.

Data protection and GDPR compliance checklist

It’s your legal duty to keep your information secure, whether you store information digitally or on paper. If you don’t feel like you’re on top of things just now, don’t worry – here’s a handy compliance checklist to get you started.

General best practices for perfectly protected data

  1. Lock up! This includes physical stuff like whole rooms and filing cabinets, plus laptops and other devices, especially if you know they’ll be left unattended. You can ensure these areas have limited entry and keep a record of who has access and when.

  2. What’s the magic word? Passwords are crucial for keeping things watertight - the more difficult to remember, the better. Make sure every device or entry point to personal data has one. And it’s not just company devices - if your staff can access the system on their phones, it’s your job to make sure they keep them secure too. And of course, make sure your Kids Club HQ password is super strong! You can use a password manager to make things easier, like Bitwarden or LastPass.

  3. Everything’s better with a regular refresh. Change your passwords regularly, and check that the information you have on file is still relevant (see below for timeframes for keeping information). Reduce the data you collect, if possible, and hold only the minimum needed to provide your services whilst complying with Ofsted rules.

  4. Don’t overlook being overlooked. Position your screens away from others when looking at sensitive information, and if you’re using a phone, consider taking it into a different room to access your data.

  5. Keep it on a need-to-know basis. Not everyone needs to see everything you have on file. You can store some extra-sensitive information in a separate, secure folder or drive if some team members just don’t need to see it. The fewer eyes on the data, the better.

  6. If you’re not sure, ask Kids Club HQ! We have regular Office Hours sessions for you to ask questions and put your mind at rest, or you can contact us anytime for support.

How Long to Keep Records

In UK childcare settings, different types of records need to be kept for varying lengths of time:

Child Records

  • Registration forms: until the child reaches 21 years (or 24 years for children with SEND)

  • Attendance registers: 3 years

  • Parental consent forms: until the child leaves the setting

Health and Safety Records

  • Accident forms/records: until the child reaches 21 years (or 24 years for children with SEND)

  • Staff accident records: at least 3 years from the date of the accident

  • Incident forms: 3 years after the date of the incident

  • Risk assessments: 3 years

  • Medication records: 3 years after the child leaves the setting

  • Child protection records: until the child reaches 25 years; where the records concern child sexual abuse, retain until the child’s 75th birthday; records for looked-after children should be retained for 75 years

Staff Records

  • Personnel files: 6 years after employment ends

  • DBS/background checks: do not keep actual certificate; just record the certificate number, date, and result

  • Staff attendance: 3 years

Financial Records

  • Accounting records: 6 years from end of financial year

  • Funding documentation: 6 years from end of financial year

Other Important Records

  • Complaints: at least 3 years

  • Child protection concerns and referrals: until the youngest child in the setting to whom the concern relates reaches 25 years

  • CCTV footage: usually no more than 31 days unless needed for a specific reason

These timeframes are based on requirements from Ofsted, insurance providers, the Limitation Act 1980, and GDPR regulations. Specific requirements might vary based on local authority guidance or your insurance provider’s policies, so it’s always advisable to check with them directly.

Kids Club HQ Booking System Privacy

In the end, although by law it’s always your responsibility to protect your data, our system and staff are here to help, and we hope our GDPR compliance checklist was a good starting point.

The important thing is not to panic: make sure to keep hold of some key reference points (see links below) and implement regular check-ups on your data and practices.

In 2018, we amended our system to support customers in being GDPR compliant. Our system includes protection over consent to provide information, sign-ups for newsletters, and the use of imagery.

But if you have any doubts or questions about our system, we are here to listen and help where possible.

Other handy references – because knowledge is power!

Out of School Alliance on Data Protection and GDPR

  • GDPR For Out of School Clubs

  • GDPR FAQ

  • GDPR for Out of School Clubs Info Pack

  • Introduction to GDPR

Early Years Alliance Info on Records

  • How Long to Keep Records

Government School Details

  • Data Protection in Schools

European Data Protection Board

  • The Right to be Forgotten - 2025 Focus

Gov.uk

  • Data Protection Information

GDPR Legislation

  • The Original Legislation

The Children’s Activity Association

  • Free GDPR Clinic