I don’t think anyone can argue that the Data Protection Act is out-of-date … it was written before use of the internet increased to the levels we see today. The General Data Protection Regulation (GDPR) is replacing it from May 2018 and one of the main aims of GDPR is to further protect information held about us online as well as in paper format.
GDPR will also give everyone more control over our personal data.
However, there is a lot of uncertainty in the early years sector about how GDPR will impact on childminders, nurseries, pre-schools and other early years providers. The Information Commissioner’s Office (ICO) has released some guidance: ’12 steps to preparing for GDPR’ (poster above) which I thought it might be useful to disseminate with some impact examples for early years.
ICO - https://ico.org.uk
12 steps poster - https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Step 1 – awareness
You must be aware that GDPR is coming in May and start thinking about how you will comply, including any changes you need to make now so it is fully implemented by the start date. If you have staff, you need to make them aware that GDPR is coming and plan some staff training*.
Make sure you keep up with payments to ICO – they are still the regulator of GDPR in the same way Ofsted regulates the EYFS.
Step 2 – information you hold
You will need to plan a Data Audit* which will document the information you hold about children, families and staff. You need to know where the information you hold about children and their families comes from and with whom it is shared.
For example, you will need to consider which information is required by the EYFS and which information is not needed or may be duplicated for no good reason.
Step 3 – communicating privacy information
You will need a written Privacy Notice* to share with parents and staff and this should include details about how you share information relating to children and their families.
For example, when thinking about sharing information with other professionals and agencies to comply with the EYFS, you need to give parents details about what is shared, and ICO recommend you have a Data Sharing Agreement* in place.
Step 4 – individuals’ rights
You must consider the rights of children and their families to view information held by you and how the information is deleted when it is no longer required. There are 8 ‘rights for individuals’ which you will need to read and understand.
For example, as happens now, when a child leaves the provision their learning and development information is handed over to parents and other details relating to the safeguarding and welfare requirements of the EYFS are typically retained until the child is 21 years 3 months old for insurance purposes. If parents say they do not want you to keep information about their child’s accidents for that length of time, you will need to refer them to your insurance documentation – they do not have the right to ask you to delete documents if they are required for safeguarding purposes.
Rights for individuals - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
Step 5 – subject access requests
You will need to plan how you handle requests from parents or older children to view the information you hold about them. You will only have a month to comply with requests to share information and you cannot normally charge a parent to provide them with copies of information held about them and their child/ren.
For example, a parent might ask to look at records relating to their child many years after they have left the setting – these records must be stored securely but you will need to be able to access them quickly. If you have staff members and they are asked to share information about their child by a parent, they will need to have received training to know what to do in this scenario.
Step 6 – lawful basis for processing personal data
You will need to know why you collect data about children and why you ask parents questions about them, and write a Privacy Notice*. This will help you to comply with the new accountability requirements within GDPR.
For example, you must ask parents about their child’s dietary requirements because this is required by the EYFS, and you must ask staff for information relating to their continued suitability (disqualification and disqualification by association) because this information is required for safeguarding.
More information here - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
Step 7 – consent
You will need to review how you ‘seek, record and manage consent’. ICO have published a comprehensive guide to consent which you might find useful and I will provide further information over the coming months.
Guide to consent - https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
For example, pre-ticked forms which parents are asked to sign must be replaced by an option for parents to say whether they do or do not give consent and you must inform them that they have the right to withdraw their consent at any time.
Step 8 – children
GDPR strengthens the rights of children and will introduce new requirements relating to the processing of children’s data.
For example, parents (someone with parental responsibility for the child) will need to sign to give consent for data processing of children’s information and you must take ‘reasonable steps’ to ensure that the person completing and signing your forms has parental responsibility for the child.
Frequently asked questions about rights of children answered by ICO - https://ico.org.uk/for-organisations/education/education-gdpr-faqs/
Step 9 – data breaches
GDPR will bring heavy fines for non-compliance and there are stricter regulations covering both paper and online record keeping. Most data breaches will need to be reported (further guidance is available) and ICO will investigate.
However, ICO have reassured us that they want to support us to get things right rather than fine us for making mistakes.
Step 10 – data protection by design and impact assessments
We have spoken to ICO who agree that childminders and most group early years providers will not be impacted by this requirement. If you have any concerns, you should speak to ICO and describe your individual circumstances.
Step 11 – data protection officers
ICO have confirmed that childminders and group providers will not be expected to employ the services of a data protection officer. However, it is important that you take responsibility for compliance with GDPR and any changes you need to make.
Step 12 – international
This step will not apply to the majority of early years providers.
This is a quick overview of the ’12 steps to compliance’ for early years providers. I am sure there will be a plethora of support documents published over the coming months to support providers with implementing GDPR – I plan to write further information and guidance for childminders and nurseries.
*Where you see an asterisk further guidance and sample documents will follow.