GDPR covers all personal data including parents’ names, addresses and email details and children’s names and dates of birth etc. All early years providers including childminders collect and store this type of information to comply with, for example, the Early Years Foundation Stage (EYFS, 2017), the Childcare Register, Local Authority funding requirements and HMRC.
This guidance will help you identify what information you have and why, where it is stored, how it is used, etc., and enable you to consider any vulnerabilities and risks.
Please note - disclaimer - these are my 'starting points to GDPR' - they are not written by a GDPR expert. I have researched in detail and had many conversations with ICO and GDPR experts but that does not make me an expert on the subject. I am a childminder and an early years writer trying very hard to simplify GDPR for early years colleagues. If you believe I have got things wrong, please speak to the Information Commissioner's Office or see their series of guidance blogs for more advice. Thank you.
Data subject rights
The importance of protecting children’s data is mentioned quite a few times in GDPR – it requires consent to be given by someone with parental responsibility over the child – usually up to the age of 16 but the age limit will vary.
**Note - we must make ‘reasonable efforts’ to ensure the adult signing does have parental responsibility.
GDPR gives ‘data subjects’ – parents and children (up to the age of 16) – more rights than they have under the current Data Protection Act. Data subjects have the right to –
- Be informed about what data is held about them.
- Access their data quickly in an easy to read format – you need to ensure they know about this right.
- Rectify their data – make corrections if data is incorrect.
- Erase their data – see notes to follow about the statutory requirements.
- Restrict processing – if, for example, they do not want you to share information.
- Data portability – the right to move, copy or transfer personal data easily from one IT environment to another securely and safely.
- Object to certain types of data processing.
GDPR states that data processing must be lawful, fair and transparent and…
- Collected for specified, explicit and legitimate purposes.
- Minimal - adequate, relevant and limited to those which are necessary.
- Accurate and kept up-to-date.
- Stored for no longer than necessary and kept secure.
Frequently asked questions about GDPR... answered…
What is personal data?
Personal data, in relation to early years providers, is any information collected about children and their families.
Do you collect and process personal data?
Yes – all early years providers collect and process personal data about children and their families.
Is the data you collect sensitive?
Yes – all providers collect and process sensitive personal data about children and their families.
Do you need a Data Protection Officer?
ICO state that childminders do not need to employ the services of a Data Protection Officer.
To clarify - Step 11 of the '12 steps to GDPR' guidance from ICO is to designate a Data Protection Officer - ICO confirm that childminders do not need to do this...
Do you have lawful grounds for processing personal data?
Yes – early years providers are required to collect information about children and their families to comply with the statutory requirements of, for example, the EYFS, HMRC, the Childcare Register, The Early Years Inspection handbook and Ofsted.
How is consent collected?
Consent is a tricky one - in some instances the questions we ask parents to answer are statutory - we cannot do our job without them, such as the child's full name, date of birth and address. Therefore, we have a legal reason for requesting the information and do not need consent.
In other instances the questions we ask parents are useful and allow us to do our jobs better - such as asking for information about children's siblings or their doctor's contact details, but they are not statutory (required by the EYFS or other statutory frameworks). ICO advise that we are likely to need consent to process this type of data.
GDPR states that consent must be explicit so, for this reason –
- Parents will be asked to tick a box on the Parent Permission Form to state they understand some non-statutory personal data is collected (pre-ticked boxes are not acceptable under GDPR).
- Parents will be asked to sign the Parent Permission Form.
**Note – the Permission Form on Childcare.co.uk will be updated.
Can parents withdraw their consent?
Yes – however, this might mean that the provider is in breach of the EYFS, HMRC or insurance requirements, so if parents withdraw consent advice should be taken from ICO and / or Ofsted before information is deleted.
Is collected data accessible to parents?
Yes – parents can view, update and change any data that is held at any mutually agreed time.
Is data used only for the purpose it was originally collected?
Yes - as a general rule further written permission is requested from parents before data is used for other purposes. For example, parents are asked for written permission before we share information with other settings or professionals to support their child.
However, the Local Safeguarding Children Board (LSCB) states that information relating to abuse including the risk of a child being drawn into extremism (linked to the Prevent Duty) and any concerns about sexual abuse including Female Genital Mutilation must be reported without informing parents.
Is personal data limited to what is necessary?
Yes – an audit of all data collected has been carried out and any duplicated information or information not required to fulfil our role as an early years provider has been removed.
**Note – some of the parent / child documentation on Childcare.co.uk might be updated to comply with this requirement.
Is data accurate?
Yes – parents are regularly asked to update the information we hold.
Is information about data storage shared with parents?
Yes – parents are informed how long data will be stored and how it will be destroyed when no longer required as evidence for Ofsted, HMRC or insurance purposes.
**Note – the current data storage advice is that children’s learning and development information is handed to parents when they leave or move on to school; information relating to the safeguarding and welfare requirements of the EYFS is stored until the child is 21 years and 3 months old to comply with insurance requirements; some LSCBs advise that the 2 year progress check should be retained until the child is 21 years 3 months old; HMRC information is stored for 6 years.
Is data protected / secure?
Yes – security measures are in place including –
- Computer – for example, password protection and virus protection are both used.
- Paper – for example, locks on cupboards where written data is stored or an alarm on the house.
Are parents informed about data protection?
Information about data protection is currently shared verbally and parents are informed about data retention when their child leaves. From May a written Privacy Notice will be needed.
**Note – write a Privacy Notice and share it with parents.
Is the Complaints Policy up-to-date and shared with parents?
Yes – the complaints policy has been updated to include making complaints about data processing in relation to GDPR.
**Note – the Complaints Policy on Childcare.co.uk will be updated to include information about making complaints relating to GDPR.
Is personal information securely transferred?
Information might be transferred to the Local Safeguarding Children’s Board (relating to safeguarding), Health Visitor (relating to learning and / or development) or the child’s school (safeguarding or learning information). Information is transferred as securely as possible.
**Note - Cheshire East provide a ‘Transfer of Safeguarding Records Template’ for providers to use when handing safeguarding information to schools. This can be adapted for other record transfers.
How is personal information destroyed?
When it is no longer needed –
- Computer data is securely deleted
- Paper documents are shredded.
**Note – the Confidentiality Policy on Childcare.co.uk will be updated.
How are data breaches reported?
GDPR states that data breaches which are ‘likely to result in a risk to the rights and freedoms of individuals’ must be documented and reported to the Information Commissioner's Office (ICO) not later than 72 hours after they have occurred. If you are investigated, ICO will expect to see a risk assessment which shows how the risk of data breaches will be minimised in the future. Parents must also be informed about data breaches which impact their ‘rights and freedoms’. ICO will give advice on whether a report is needed.
More information about data breaches from ICO here.
**Note – extra insurance against data breaches is not required by GDPR.
What happens if data is taken out of the EU?
For example, if a childminder is moving to a country outside the EU and needs to take data with them – for example, under the requirement to retain information about children until they are 21 years 3 months old for insurance purposes – advice must be sought from ICO.
Is training provided for staff (if relevant)?
Yes – staff have been provided with training on GDPR.
**Note – update induction training to include information about GDPR.
Have documents been updated for GDPR?
Things to update / write –
- Permission Form;
- Parent / child documentation;
- A Privacy Notice;
- Confidentiality Policy;
- Complaints Procedures;
- Induction training.
**Note - free documents on Childcare.co.uk will be updated soon.
We are still waiting for the following clarification:
- Cost of registering with ICO for early years providers including childminders.
- Will there be an ongoing cost due to the requirement to retain information relating to the Safeguarding and Welfare Requirements of the EYFS for insurance purposes until the child is 21 years 3 months old?
- What will happen if consent to process data is withdrawn by parents? For example, if there is a dispute and parents say they don’t want the provider to keep information about their child any more because GDPR states that ‘the data subject must have the right to withdraw consent at any time’? ICO state that, as a general rule, EYFS, insurance and HMRC requirements will take priority but this needs clarifying further.
- GDPR states that we must make ‘reasonable efforts’ to check the person signing on behalf of the child has parental responsibility – how will this be done? What documents will we need to see? What if the parent refuses to share them with us?
There is a free 'Data Protection Update' Information guide on the Childcare.co.uk website for all members and further information will follow.
If you have any questions you can find me on the Independent Childminders Facebook group or Knutsford Childminding Facebook page - please ask if I can help further.