Clear, regularly reviewed privacy policies were key to supporting staff to know and meet their privacy responsibilities. While most services had some staff who knew about privacy responsibilities, services would benefit from making sure that all staff knew what they had to do to keep children’s information private.

In general, service staff took their privacy responsibilities seriously. They were especially careful when it came to protecting children’s privacy in a digital environment. Passwords were only given to those who needed them and were not shared between staff. Staff who used digital records were familiar with the privacy guidelines for the programme they were using.

Most services had a privacy officer, either at service or association/umbrella organisation level. Staff needed to know who the privacy officer was for their service, and how and when they should contact the privacy officer. This was especially important when the privacy officer was not on site.

Privacy officers supported staff to know how to act in accordance with the privacy principles and service policies. The next step for privacy officers is to regularly monitor whether staff practice aligns with stated intentions, and to ensure that privacy policies continue to be relevant to the technology used.

Keeping up-to-date with the privacy principles is vital to ensuring staff meet their obligations for managing information about children.


ERO recommends that services:

  • review their privacy policies and ensure the agreed practices are understood by all staff and are implemented in practice
  • ensure staff know who the privacy officer is and what their role is
  • use this resource and the links provided to find out more about their privacy responsibilities.