POPIA Compliance Checklist for Daycares
POPIA (the Protection of Personal Information Act) is the South African law that tells every organisation how to look after personal information. It has been fully in force since 1 July 2021. It applies to your centre whether you are a small home daycare or a 200-child preschool. If you collect a parent's ID number, a child's medical history, or a photo of a birthday party, POPIA applies.
The fines for non-compliance go up to R10 million, but the bigger risk for most centres is reputational: a single lost file of enrolment documents can become a complaint to the Information Regulator and a very public headache. The good news is that most of what POPIA asks for is common sense done consistently. This checklist walks through it in the order most centres should tackle it.
Before you start. POPIA is national law, but how strict your centre needs to be depends on what data you hold and how much. Ten of the ways a small home daycare and a large multi-site centre handle this are the same; the other two are where it gets specific. Treat this as the shape of compliance. For complex situations (running a franchise, sharing data with a parent portal provider, operating across provinces), get specific advice.
1. Appoint an Information Officer
Every organisation under POPIA must have an Information Officer. By default this is the owner of the business or the CEO. At a home daycare it's you. At a larger centre you can delegate it in writing to the principal or operations manager.
- The Information Officer must be registered with the Information Regulator before they start performing duties. Registration is free and is done online at inforegulator.org.za.
- Appoint a Deputy Information Officer too, so there is someone able to handle a request while the primary is on leave.
- Put the appointment in writing. One page, signed and dated. Keep it in your admin folder.
Most compliance work eventually tracks back through this role, so naming a real person (not a vague "management") is the first step.
2. Know what data you hold
You cannot protect data you haven't listed. Walk through your centre and write down every category of personal information you have and where it lives. A typical SA daycare holds:
- From parents: ID numbers, addresses, cellphone numbers, email, employment and income information (if subsidy applies), bank details.
- From children: birth certificates, medical history, allergies, emergency contacts, photos, incident records, attendance.
- From staff: ID, qualifications, criminal record clearances, banking details, medical records.
- From suppliers and the state: invoices with contact information, DBE and SASSA correspondence.
For each category, note where it lives: paper file, filing cabinet, laptop, cloud service (Google Drive, WhatsApp), phone photos. If you cannot say where a piece of data lives, you cannot protect it.
3. Know why you're allowed to have the information
POPIA says you can hold someone's personal information only if you have a solid reason. For daycares, the reasons that cover almost everything are:
- You have a contract with the parent. You need the child's name, date of birth, and parent contact details to actually run the enrolment. This covers the core of what you hold.
- The law requires it. ID copies and income proofs for the DBE subsidy, tax numbers for SARS, CSG references for SASSA. You're not asking because you want to; government policy requires it.
- Emergencies. Medical history and allergies, so you can respond if a child gets hurt or has a medical episode.
- The parent said yes to it. Everything else — photos on your Facebook page, marketing emails to past parents, sharing a child's name with an insurer, adding a parent to a WhatsApp group — needs written consent.
If you cannot match a piece of data you hold to one of these four reasons, you should not have it.
4. Get proper consent where it applies
Most parents are happy to sign a consent form — they just need to see it. The problem is centres that bundle everything into a single "I agree to the terms" tick box. POPIA wants specific, separate, informed consent for each different use.
At a minimum your enrolment pack should include a Protection of Personal Information Consent Form with explicit ticks for:
- Photos and videos of my child may be used on the centre's social media.
- Photos and videos of my child may be used in marketing materials.
- My contact details may be shared with other parents for carpool or class communication.
- I consent to the centre sharing my subsidy documents with the provincial DBE.
- I consent to the centre storing my information digitally and on paper.
Each should be a separate tick, not one umbrella agreement. Parents should be able to say yes to some and no to others.
Consent can be withdrawn at any time. If a parent later asks you to take their child's photos off your Facebook page, you need to comply.
5. Store data securely
This is the step most centres skip until something goes wrong.
Paper records. In a locked cabinet. Not in a drawer anyone can open. Not stacked on the reception counter. Only accessible to the Information Officer, principal, and anyone formally responsible for that data.
Digital records. On a password-protected laptop, so if the laptop is lost the password is the first line of defence. Cloud services (Google Drive, Dropbox) with two-factor authentication on the account. Do not share enrolment documents via personal WhatsApp or personal email. WhatsApp group chats with parents are not a secure place for ID copies. Phone photos of paperwork are fine for a short-term purpose, but delete them as soon as you have moved the document to its proper location.
Access. Limit who can see what — the cook does not need access to parents' ID copies. When a staff member leaves, revoke their access to your digital systems the same day.
6. Share data only where you should
Third parties you share data with need to be listed and accounted for. For a typical daycare:
- Department of Basic Education — subsidy applications, registration.
- SARS — tax returns.
- SASSA — Child Support Grant verifications.
- Your bookkeeper or accountant — invoices, bank details.
- Your insurer — claim information.
- Any software you use — billing platform, attendance app, communication app.
For each third party, make sure the legal reason for sharing is clear (usually a legal obligation or a contract). Software providers should have their own POPIA compliance statement you can point to if asked.
Avoid casual sharing — sending a parent's cellphone number to another parent because they asked "what's Jane's mum's number" is a POPIA issue, even if it feels harmless.
7. Keep data only as long as you need it
POPIA says records should not be kept longer than necessary. The exact period depends on the type of record:
- Current enrolment files: keep while the child is enrolled.
- After a child leaves: most centres keep core records (enrolment, incident history) for around 5 years, which aligns with general SA tax and legal records retention.
- Financial records (invoices, payment records): 5 years minimum under SARS rules.
- Staff records: 3 years after employment ends (Basic Conditions of Employment Act).
- Incident and accident records: keep longer, often permanently, for safeguarding reasons.
Write down your retention periods once, then stick to them. At the end of each year, destroy what you no longer need — shred paper, permanently delete digital files. Don't leave old enrolment files in a cupboard indefinitely.
8. Respect parent rights
Parents have rights over their own and their child's information. Under POPIA they can:
- Request access to everything you hold about them or their child.
- Request corrections if something is wrong.
- Withdraw consent they previously gave (e.g. for photos).
- Opt out of marketing emails at any time.
- Complain to the Information Regulator if they believe you have mishandled their data.
You have 30 days to respond to an access or correction request. A parent does not have to give a reason. Prepare a template response and a checklist of where to look for their records so that if a request comes in you can handle it in an afternoon, not a week.
9. Prepare for a data breach
A breach is any unauthorised access to personal information — a stolen laptop, a filing cabinet broken into, an enrolment file emailed to the wrong address, a WhatsApp message with ID copies sent to the wrong parent group.
POPIA requires you to notify two groups as soon as reasonably possible once a breach is discovered:
- The Information Regulator.
- The affected parents or staff.
The Regulator's guidance expects notification within 72 hours as best practice, so plan for that timeframe.
Have a simple breach procedure written down:
- Who is told first (usually the Information Officer).
- What information to gather: what happened, what data was exposed, how many people are affected, what you are doing about it.
- Templates for notifying parents and the Regulator.
You don't need a 20-page policy — a one-page procedure that anyone on duty can follow is more useful.
10. The practical action list
If this is your first POPIA pass, do these in order over the next month:
- Appoint yourself (or a delegate) as Information Officer. Register at inforegulator.org.za.
- List all the personal data you hold and where it lives.
- Update your enrolment forms to include a proper consent section with separate ticks.
- Lock down sensitive data. Move paper enrolment files into a locked cabinet, and turn on two-factor authentication for any cloud service that holds parent data.
- Stop sharing enrolment documents via personal WhatsApp or email. Use a proper work email or a secure platform.
- Write a one-page breach procedure and keep it with your emergency procedures.
- Set retention periods for each type of record and put a reminder in your calendar to review annually.
- Train staff on the basics: don't share parent information casually, don't leave files open, report anything that looks like a breach immediately.
- Revisit once a year. POPIA compliance is not a one-off exercise.
Where tooling helps
Once your centre is running, the main place personal data accumulates is billing and communication: invoices with banking details, statements with payment history, bulk parent comms, attendance records. Spreadsheets and WhatsApp work early on, but both leak data easily.
ClassNest centralises parent and child records with password-protected access, sends invoices and statements via authenticated email (no personal addresses involved), and keeps a log of every communication for the kind of audit trail POPIA expects. Free 30-day trial; no credit card.
POPIA is not about legalese; it is about keeping parents' and children's information out of places it shouldn't be. Work through this list once, build the habits into your monthly admin, and you will be well ahead of most SA centres.