The Protection of Personal Information Act (POPIA) came into full effect in July 2021. Every organisation in South Africa that collects and processes personal information — including daycare centres and ECD facilities — must comply. Non-compliance can result in fines of up to R10 million and criminal penalties. More importantly, compliance is about genuinely protecting the families you serve.
What Personal Information Does a Daycare Collect?
You likely collect far more personal information than you realise. This includes:
- Children's full names, dates of birth, photos, and ID numbers
- Medical information: allergies, chronic conditions, medication, vaccination records
- Parent and guardian names, ID numbers, contact details, employment information
- Financial information: bank account details, payment history
- Emergency contact information
- Incident reports and behavioural notes
All of this data falls under POPIA and must be handled in accordance with the Act's eight conditions for lawful processing.
The Eight Conditions of POPIA
- Accountability: Your centre is responsible for all personal information in its possession. Appoint an Information Officer (usually the owner or principal).
- Processing limitation: Collect only the information you actually need.
- Purpose specification: Be clear about why you are collecting information and don't use it for other purposes.
- Further processing limitation: Don't share information with third parties without a lawful basis.
- Information quality: Keep records accurate and up to date.
- Openness: Tell parents what information you hold and why.
- Security safeguards: Protect information from unauthorised access, loss, or destruction.
- Data subject participation: Allow parents to access, correct, or request deletion of their data.
Practical Steps for Daycare Compliance
1. Appoint an Information Officer
Register your Information Officer with the Information Regulator at inforeg.org.za. This is a legal requirement. For most small centres, this will be the owner or principal.
2. Conduct a personal information audit
Map every type of personal information you collect, where it is stored (paper files, WhatsApp, spreadsheets, software), and who has access to it.
3. Obtain informed consent
Your enrollment forms should clearly explain what information you collect and how it is used. Include a consent clause covering photo sharing, data storage, and communication. Keep signed consent forms on file.
4. Secure your systems
Paper files should be locked when not in use. Digital systems should have user-level access controls so that only authorised staff can see sensitive records. Avoid storing personal information in WhatsApp groups or unprotected spreadsheets.
5. Have a data breach response plan
POPIA requires you to notify the Information Regulator and affected individuals if a data breach occurs. Know what you would do if a device containing child records was stolen or if a system was compromised.
Photos: A Special Category
Photos of children are particularly sensitive under POPIA. You must have explicit written consent from parents before taking and sharing photos of their children. Your consent form should distinguish between: photos used internally for learning records, photos shared with the child's parents only, and photos used in marketing materials. Do not assume consent — document it clearly.
Kindi stores all child and family data on secure South African servers. Access controls ensure that only authorised staff can view sensitive records, and our consent-based photo sharing means parents control who sees images of their child.