When hackers deleted photos and personal details from a UK nursery chain, it reminded everyone how fragile children’s data can be. This isn’t about naming and shaming — it’s about recognising that a children’s data breach can happen to anyone.
Updated 2026: Since this article was first published, many children’s activity providers have introduced AI-enabled software, remote admin support and additional cloud platforms into their businesses. That means children’s data is often moving between more systems, suppliers and devices than providers originally expected. Understanding where that information goes — and who can access it — is becoming an essential part of safeguarding and data protection. You may also want to read:
Children’s Data and AI: What UK Activity Providers Need to Check in 2026
In September 2025, a hacker group called Radiant stole photos and personal information from the Kido nursery chain, affecting around 8,000 children.
After public outrage, they claimed to have deleted the stolen data and apologised — but the damage was already done.
(BBC News report)
Whether you run a nursery, children’s club, or after-school activity, (or support someone who does) you’re still responsible for protecting the personal data you collect. If you haven’t reviewed your setup recently, now’s the time.
1. Know who holds your children’s data
Start by listing every system that stores children’s names, contact details, medical notes, or photos — including:
- Booking or payment apps
- AI-enabled software and automated admin tools
- Shared drives and cloud folders
- Messaging or photo-sharing platforms
If you can’t say where all that information lives, you can’t protect it.
And if a system was hacked tomorrow, and you suddenly had a children’s data breach, would you know exactly what was at risk?
2. Check your supplier contracts and data processing agreements
If you use any online platforms our share data with freelancers or suppliers, check that each one is covered by a proper Data Processing Agreement (DPA). Without it, you could be jointly responsible if your supplier is involved in a children’s data breach.
Every KoffeeKlatch contract already includes DPA terms that require your suppliers to handle data securely and tell you quickly if something goes wrong.
3. Review what you keep — and delete safely
Ask yourself:
- Do I still need this information?
- Who can access it?
- What would happen if it were lost or leaked online?
If the answer makes you uncomfortable, that’s your cue to act.
Keep only what you need, secure it properly, and dispose of it safely when it’s no longer required.
All of this should be done in line with your data retention and data deletion policies and processes. Don’t just panic and start randomly deleting stuff. Data destruction is just as important as any other stage of children’s data management. Remember what happened to Birthright? Read our blog on this here .
Need help checking your children’s data setup?
We can support you at two levels:
GDPR Online Programme
Ideal for smaller nurseries and children’s-activity providers.
Includes video-guided templates, privacy-policy samples (covering consent and children’s data), and group support — so you can get compliant without expensive consultancy. Ideal if you have the time for DIY. £150 +VAT for a year’s access and training.
GDPR Health Check
If you manage larger databases or multiple systems, our data-audit process maps what you collect, where it goes, and what risks to fix first. You’ll receive a clear, practical report — no jargon, just next steps. Starting at just £650 plus VAT .
Book a quick chat to see whether a data audit or our GDPR Online Programme is the right fit for you.
Because prevention costs less than recovery
Kido’s experience shows how fast a children’s data breach can unfold — and how impossible it is to undo once the data is gone.
Even when no ransom is paid, the cost of forensics, notifications, and reputational repair can far exceed the price of prevention.
Insurers are also paying close attention.
More and more, they’re asking small businesses to prove they have data protection and privacy processes in place before offering — or renewing — cyber or professional indemnity cover.
If you can show that your contracts, privacy policies, and risk assessments are already in order, you’re not just protecting your clients — you’re protecting your business from being uninsurable.
A few hours spent now on tightening your data practices could save you months of stress later — and make you a far safer bet for your customers and your insurer.
