NSW Digital Hub puts children’s data security back in the spotlight for ECEC services

A New South Wales Government digital portal designed to streamline funding and reporting for early childhood education and care (ECEC) services has prompted fresh concerns about how children’s personal information is stored, accessed and protected. 

The ABC reported that community and mobile preschools are the first services being onboarded, with a broader rollout expected to reach 6,000 preschools and long day care services across the state. 

The New South Wales Department of Education describes the Digital Hub as a centralised system for collecting data, reporting and administering program funding. The department says it will eventually become the primary platform for interactions between services and the department, and will replace the existing Early Childhood Contract Management System over time. 

The department positions the change as a reduction in duplication and manual reporting, with service data flowing electronically from systems such as child care management software and the National Quality Agenda IT System. 

A department data guide for the ECEC Digital Hub states that transfers from CCMS systems occur weekly, and outlines categories including child information (such as name, date of birth and address), enrolment details, attendance information (including log in and log out times), service information and fee details. 

While much of this information already sits inside service software systems, centralising it into a state-run platform changes the scale of aggregation and raises new questions about access controls, oversight and data minimisation. 

The ABC report included concerns from Nimbin Community Preschool staff about who can access children’s data once it sits within, and moves through, private software systems supporting the government portal. 

A key sticking point raised by the preschool was the absence of a requirement for CCMS company employees to hold Working With Children Checks, despite the sensitivity of the information involved. 

The report also highlighted the administrative reality for small community providers: while use of a particular CCMS may not be mandated, services described the compliance and reporting environment as increasingly difficult to manage without a digital platform, particularly with limited staffing capacity. 

University of Melbourne privacy researcher Dr Niels Wouters, who said he could still access a service’s platform months after his child left, and later discovered his child’s birth certificate was accessible via a public URL. Dr Wouters said he notified the service and software company, but the data remained accessible via that link at the time of reporting. 

The report also quoted software developer Phillip Hamilton, who argued that the risk profile is similar to other password-protected online services, while noting that development stages can be a particularly vulnerable point because developers may access production data unless strong safeguards exist. 

Regardless of whether data sits in paper files, a CCMS, or a government portal, approved providers must treat children’s information as sensitive and confidential.

National Regulations include requirements around confidentiality of records kept by approved providers (regulation 181) and the safe and secure storage of records and documents (regulation 183). 

These requirements sit alongside broader governance expectations in Quality Area 7, where effective systems support risk management and protect children’s wellbeing, including through secure record-keeping and information handling practices. 

This issue is not only about cybersecurity. It also goes to consent, transparency and trust.

Actions that can strengthen digital governance immediately include:

• Map what personal information is held, where it sits, and who can access it across CCMS platforms, linked portals and internal devices.
• Review contracts and policies with software vendors to clarify access permissions, audit trails, breach notification processes, and data retention and deletion pathways.
• Tighten access controls inside the service, role-based permissions, least-privilege access, removal of accounts when staff exit, and multi-factor authentication where available.
• Update family communication and consent processes so privacy notices clearly explain what information is collected, where it is stored, and who it may be shared with through connected systems. 
• Refresh incident response planning, including clear internal escalation pathways and decision-making about when to notify families and regulators.

Where a service falls under the Privacy Act 1988, the Notifiable Data Breaches scheme may also apply. The Office of the Australian Information Commissioner states that entities covered by the Privacy Act must notify affected individuals and the OAIC when a data breach is likely to result in serious harm. 

The Federal Department of Education has also warned that data breaches can create serious risks for families and service providers, including identity theft and fraud, reinforcing the need for preventative controls. 

The New South Wales Department of Education states that digital data storage in ECEC is not new, that centres can opt out of the service, and that CCMS companies are subject to federal and state privacy laws. 

For the sector, the key question is not whether digital systems belong in ECEC, but whether governance, procurement and accountability arrangements have kept pace with the sensitivity of the information being handled at scale.

References

• NSW Department of Education, The Digital Hub
• Office of the Australian Information Commissioner, About the Notifiable Data Breaches scheme and Part 4: Notifiable Data Breach (NDB) scheme.
• Australian Government Department of Education, Privacy and Child Care Subsidy.