Learning Journals is a tool provided by us for use by nurseries and schools. We promise to uphold the commitments we make in our terms and conditions, but staff and parents must also consider how they use the system responsibly. You may want to create additional policies before implementing Learning Journals in your establishment. You are of course free to create your own policies and usage guidelines for your school or nursery, but we consider the points below to be the minimum requirements for responsible use of Learning Journals.

Parents

You are responsible for keeping your login details secure. You are the only one who knows your password and PIN combination and it is best practice to adhere to the following:

  • Choose a password that is unique to your Learning Journals account (i.e. do not use the same password for multiple sites)
  • Choose a password that is not easily guessed: prefer a long passphrase, and add numbers and symbols to make it harder to guess. Ideally use a password manager (e.g. LastPass) to generate and store it
  • Do not tell others your password or PIN
  • Do not write down your password or PIN
  • If you access your Learning Journals account from a public or shared computer or device, log out at the end of your session so that your account cannot be accessed by anyone who uses that device after you
  • Keep your nursery or school up to date with any change to your email address
  • Check your nursery or school's policy, but it is advisable not to share information or images from your Learning Journals profile with others, including through social media

Schools and Nurseries

You are the data controller for all content entered into Learning Journals. You are responsible for the data entered into your account and for keeping it correct and up to date. We recommend that you follow the best practices below, or create additional policies with the same or more stringent effect on data handling.

  • Do not enter content that is unsuitable for use in Learning Journals
    • What counts as unsuitable must be defined by each nursery or school or, if applicable, by the local authority. For example, in group observations one owner or manager may decide that other children's names should not appear in a child's profile, while another may consider this perfectly acceptable. As data controllers, managers should follow their own data protection and information security policies when deciding what content is appropriate.
  • Ensure that child names are spelled correctly
  • Ensure that parent names and email addresses are spelled correctly
  • Ensure that the correct child profile is linked to the correct parent
  • Ensure that staff accounts are de-activated when staff leave, so that they can no longer gain access
  • Ensure that parent accounts are de-activated once their child leaves you
  • Ensure that you do not retain child, staff and parent information in your archive for longer than you need it

Information for everyone:

Passwords

We follow industry best practices for storing user passwords in our database. We also require users to create a PIN as part of the login process. Passwords and PINs are stored as the output of one-way cryptographic (hash) functions rather than in a form that can be read back, so even developers with access to the Learning Journals database could not determine a user's password or PIN. Passwords and PINs are never emailed to a user: whether a user is logging in for the first time or resetting an existing password, they do this via the SSL-secured (HTTPS) website. Ultimately the only person who knows a user's password or PIN is the user themselves.
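As an added illustration of what one-way storage of a password or PIN means in practice, the C# program below is example code written for this page; it is not Learning Journals' implementation, which the page does not show. It targets .NET 6 or later and uses PBKDF2-HMAC-SHA256 from the base class library. The iteration count, the "iterations.salt.hash" storage format, the sample secrets and the 4-digit PIN length are assumptions for the example. It also shows the caveat a practitioner would raise: a hash protects a strong password because the guess space is enormous, but a short numeric PIN has so few possible values that anyone holding its hash can try them all, so a PIN's value comes from being required alongside the password and from online rate limiting, not from the hash alone.

```csharp
// Added example, not Learning Journals' code. Requires .NET 6 or later.
using System;
using System.Diagnostics;
using System.Security.Cryptography;

public static class CredentialHasher
{
    // Assumed parameters for the example; tune Iterations to your hardware so
    // that a single verification costs a noticeable fraction of a second.
    const int Iterations = 210_000;
    const int SaltBytes = 16;
    const int HashBytes = 32;

    // Produces "iterations.salt.hash". Only this string is stored; the secret
    // itself never reaches the database and cannot be recovered from it.
    public static string Hash(string secret)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            secret, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Recomputes the hash with the stored salt and compares in constant time,
    // so a mismatch leaks nothing about how many bytes matched.
    public static bool Verify(string secret, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            secret, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Offline guessing against the stored hash of a 4-digit PIN: at most
    // 10,000 candidates, so even a slow hash only delays recovery by minutes.
    public static string? GuessPin(string storedPinHash)
    {
        for (int i = 0; i < 10_000; i++)
        {
            string candidate = i.ToString("D4");
            if (Verify(candidate, storedPinHash)) return candidate;
        }
        return null;
    }

    public static void Main()
    {
        string stored = Hash("correct horse battery staple");   // constructed sample
        Console.WriteLine(stored);                                // what the database holds
        Console.WriteLine(Verify("correct horse battery staple", stored)); // True
        Console.WriteLine(Verify("Correct horse battery staple", stored)); // False

        // Constructed PIN for the demonstration; chosen low so the loop finishes
        // in seconds. The full 10,000-value space takes minutes, not years.
        string pinHash = Hash("0137");
        var sw = Stopwatch.StartNew();
        Console.WriteLine($"PIN recovered: {GuessPin(pinHash)} in {sw.Elapsed}");
    }
}
```

Two design points: the salt is random per credential, so two users with the same password get different stored values and a precomputed table is useless; and the iteration count is stored with the hash, so it can be raised for new credentials without invalidating old ones.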

If a user forgets their password we do not send a reminder. Instead they are asked to reset it using a one-time reset link, which also expires after a limited time.
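The flow just described, a reset link that works once and only for a limited time, as an added C# example written for this page (not Learning Journals' code; the page does not show its implementation). It targets .NET 5 or later. The in-memory dictionary stands in for a database table, the one-hour lifetime, the injectable clock and the user ids are assumptions for the example.

```csharp
// Added example, not Learning Journals' code. Requires .NET 5 or later.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class PasswordResetService
{
    private sealed class Ticket
    {
        public string UserId = "";
        public DateTime ExpiresUtc;
        public bool Used;
    }

    // Keyed by the SHA-256 of the token, so anyone who reads this store (or the
    // database table standing in its place) cannot build a working reset link.
    private readonly Dictionary<string, Ticket> _tickets = new();
    private readonly TimeSpan _lifetime;
    private readonly Func<DateTime> _utcNow;   // injectable clock, for testing expiry

    public PasswordResetService(TimeSpan lifetime, Func<DateTime> utcNow)
    {
        _lifetime = lifetime;
        _utcNow = utcNow;
    }

    // Returns the secret that goes into the emailed link, e.g. /reset?token=...
    // 32 bytes from the OS CSPRNG: not guessable and not derived from the user.
    public string Issue(string userId)
    {
        string token = Base64Url(RandomNumberGenerator.GetBytes(32));
        _tickets[HashToken(token)] = new Ticket { UserId = userId, ExpiresUtc = _utcNow() + _lifetime };
        return token;
    }

    // Returns the user a valid token belongs to, or null if the token is unknown,
    // expired, or already used. The ticket is consumed on first successful use,
    // so the same link cannot be replayed by anyone who later obtains it.
    public string? Redeem(string token)
    {
        if (!_tickets.TryGetValue(HashToken(token), out Ticket? t)) return null;
        if (t.Used || _utcNow() > t.ExpiresUtc) return null;
        t.Used = true;
        return t.UserId;
    }

    private static string HashToken(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        DateTime now = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc);
        var svc = new PasswordResetService(TimeSpan.FromHours(1), () => now);

        string link = svc.Issue("parent-42");                         // constructed user id
        Console.WriteLine(svc.Redeem(link) ?? "null");               // parent-42
        Console.WriteLine(svc.Redeem(link) ?? "null");               // null: already used
        Console.WriteLine(svc.Redeem("not-a-real-token") ?? "null"); // null: unknown

        string stale = svc.Issue("parent-42");
        now = now.AddMinutes(61);
        Console.WriteLine(svc.Redeem(stale) ?? "null");              // null: expired
    }
}
```

Redeeming the token should only unlock the page where a new password is set; the new password is then stored as a hash as described above, and the token is never shown in the page or emailed back.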

Auto Logout

Users are automatically logged out of the website after 30 minutes of inactivity.

Hosting of Data

Microsoft Azure is our website hosting supplier. As one of the largest software companies in the world, Microsoft takes security very seriously and holds the relevant certifications and accreditations. Specifically, in the UK Azure has been awarded Impact Level 2 (IL2) accreditation:

“The IL2 rating will benefit a broad range of UK public sector organizations, including local and regional government, National Health Service (NHS) trusts and some central government bodies, who require ‘protect’ level of security for data processing, storage and transmission.”

From http://azure.microsoft.com/en-us/support/trust-center/compliance/

Here are further details on their security practices – http://azure.microsoft.com/en-us/support/trust-center/security/.

.NET

The Learning Journals application is built using the Microsoft .NET framework. .NET has many built-in security features, such as request validation and automatic HTML encoding in its view engines, parameterised database queries, and secure, HttpOnly session cookies, which help protect against common web attacks like cross-site scripting, SQL injection and session hijacking, provided the application uses them consistently. .NET is a mature development ecosystem used by financial institutions, governments and blue chip companies around the world.
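The protection a framework offers depends on how the code is written, so the added C# example below (written for this page; it is not Learning Journals' code and says nothing about how their queries are built) shows the same child lookup written two ways against the provider-neutral ADO.NET types, plus the output encoding that stops a stored observation from becoming a script. The table and column names, the hostile inputs and the `ObservationQueries` class are assumptions for the example.

```csharp
// Added example, not Learning Journals' code.
using System;
using System.Data.Common;
using System.Net;

public static class ObservationQueries
{
    // VULNERABLE: the user-supplied name is pasted into the SQL text, so an
    // input such as   ' OR 1=1 --   changes the meaning of the query.
    // Nothing in .NET prevents this; the framework only sees a string.
    public static DbCommand FindChildUnsafe(DbConnection conn, string name)
    {
        DbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT id, name FROM children WHERE name = '" + name + "'";
        return cmd;
    }

    // HARDENED: the value travels to the database as a parameter, never as part
    // of the SQL, so the same input is simply a name that matches no child.
    public static DbCommand FindChild(DbConnection conn, string name)
    {
        DbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT id, name FROM children WHERE name = @name";
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = "@name";
        p.Value = name;
        cmd.Parameters.Add(p);
        return cmd;
    }

    // Output side: Razor's @ syntax encodes values automatically, but markup
    // assembled by hand or emitted through Html.Raw must be encoded explicitly.
    public static string RenderObservation(string childName, string note) =>
        "<p><b>" + WebUtility.HtmlEncode(childName) + "</b>: " +
        WebUtility.HtmlEncode(note) + "</p>";

    public static void Main()
    {
        // Constructed inputs for the demonstration.
        string hostileNote = "<script>alert(1)</script>";
        Console.WriteLine(RenderObservation("Ada", hostileNote));
        // <p><b>Ada</b>: &lt;script&gt;alert(1)&lt;/script&gt;</p>

        string hostileName = "' OR 1=1 --";
        Console.WriteLine("Unsafe query text would be: SELECT id, name FROM children WHERE name = '"
            + hostileName + "'");
        Console.WriteLine("Parameterised query text stays: SELECT id, name FROM children WHERE name = @name");
    }
}
```

`FindChild` and `FindChildUnsafe` take any `DbConnection` (SQL Server, SQLite, and so on), so the pattern is the same whichever provider the site uses; the session-cookie side of the claim is a configuration matter (mark the cookie Secure and HttpOnly and regenerate the session on login) rather than code, and is not shown here.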

AWS (Amazon Web Services)

We use AWS to host our domain name servers (DNS). These simply point users who type in our domain name to our Azure hosting. No user data is held within AWS, but like Azure, Amazon takes security seriously – http://aws.amazon.com/security/

Storage and retention of data

As mentioned, all data is stored securely with Microsoft Azure. The servers are located in the Netherlands (Amsterdam). This arrangement complies with the guidance on data storage from the Information Commissioner's Office (ICO). From the ICO Guide to Data Protection:

“You may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK.” – ICO Guide to Data Protection

Backups are made so that the system can be restored in the event of a system-wide failure. Backups are retained for 30 days. This is also in compliance with ICO guidelines:

“The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.” – ICO guidelines