Yes – it is an EU law which covers every business (big and small) which processes data. This includes childminders, nannies, before and after school clubs, nurseries etc.
Do I have to keep paying ICO?
Yes – the Information Commissioner's Office (ICO) is the regulator. The General Data Protection Regulation (GDPR) is the new law which replaces the Data Protection Act on 28th May 2018.
What will ICO / GDPR cost?
The ICO has published its fees for data controllers – if you choose to pay by direct debit the fee will be £35 a year; if you pay another way it will be £40 a year.
Do I have to pay twice - once for ICO and once for GDPR?
No – there is only one fee and that is paid to the ICO. Think about how Ofsted regulates the EYFS – we pay Ofsted, not the EYFS.
When do newly registering childminders need to pay ICO?
You need to pay ICO as soon as you start to process data (information) about children and / or their families.
Will childminders have to keep paying ICO until the child is 21 years 3 months old – because we have to retain information for that length of time?
We don’t know the answer to this yet – we are waiting to hear from ICO.
Do I need to employ a Data Protection Officer?
No – childminders and nurseries will not normally need to employ a Data Protection Officer.
What is a Data Audit and do I need to do one?
A Data Audit is a check to determine what data you hold about children and their families, why it is collected (the legal / lawful reason for collecting it), how it is stored, who has access to it, how long it is retained and how it will be destroyed when no longer needed. More information about the six lawful bases for data processing is available here.
Yes – you will need to do a Data Audit. My advice (personal opinion) is to print a blank copy of all your forms and check them for accuracy, legal relevance and minimisation (to comply with the ‘right to restrict processing’). For more information, see Individual Rights – all individuals, including you and your children, have more rights under GDPR.
I will share more information about the six lawful bases for collecting data soon.
What is a Privacy Notice and do I need one?
A Privacy Notice covers which data is collected about children and their families, why the data is collected, how the data is stored, who has access to it, how long it is retained and how it will be destroyed when no longer needed.
Yes - a written Privacy Notice is required by GDPR – I will share more information about how to write a Privacy Notice soon.
Has anything changed with parental permission on forms?
Parents need to sign your Permission Form/s as normal.
GDPR states you must make ‘reasonable efforts’ to check the person signing on behalf of the child has parental responsibility for them. We have not been given any guidance about how to do this.
Do I need to update any other documents?
You might need to make changes to your:
- Permission Form – any permissions which use ‘consent’ as the legal basis for processing must be clearly set out so parents can say ‘yes’ or ‘no’ and parents must be informed that they can withdraw consent at any time.
- Complaints Procedures – parents will need to be informed how to make a complaint if, for example, their data is shared without their permission.
- Confidentiality Policy – or the confidentiality statement in your Safeguarding Policy – might need to be updated for GDPR.
- Other documents – you should check your legal / lawful basis for processing data and consider whether you have duplicated questions.
- Contract Termination letter – this is (I think – personal opinion) the best place to add information about how long data will be stored when a child leaves the setting.
- Mobile Phone and Camera Policy – you might need to update this in relation to how you process images of children and, if relevant, staff to comply with GDPR.
I will share more information about these updates soon.
Can I still take photos of children?
Yes – but you need specific, opt-in permission from parents and you must inform parents why the photos are taken, where they are stored and exactly how they are used. If you change how they are used for any reason you will need to ask for further opt-in (‘yes’ tick box and signed) permission.
You need to think about what happens to photos when children leave – photos included in learning and development folders should be either sent home with the child or destroyed; photos displayed in your setting or online must be destroyed unless you have specific written permission to keep them; parents must be informed that they can withdraw their permission at any time and you must be ready to agree to their request.
You will find more information about processing children’s data from ICO here.
Can I take group photos of children?
Under GDPR you will need specific opt-in permission for all photos – so you will need permission from a parent to include their child in group photos – and you will also have to inform parents that they are able to withdraw permission at any time. So, if a parent falls out with you and withdraws permission for group photos, you will have to remove all of their child's photos ... which will be tricky if they are in another child's file and have gone home with that child.
There are big fines for non-compliance and you will need to include the ICO Complaints information in your Complaints Policy or on your Privacy Notice.
Do I have to shut my Facebook page?
Facebook is a useful medium for advertising and sharing information with parents but, like any online service, it can also be a dangerous place and must be used in a safe and controlled way. There are lots of questions to consider around this…
How do you limit the danger of children’s data being shared? For example, is your Facebook page private – for current families only – or public? If it is public, think about how you keep children’s data secure.
Have parents ticked a ‘yes’ box to give permission for you to share their child’s information on the page? If they have not actively opted in then you need to update your Permission Form and ask them to tick and sign again.
Do parents know they have the right to withdraw their consent at any time? If you haven’t informed them about this on your Permission Form you need to update the wording.
I will share more information about updating Permission Forms soon.
Can staff take tablets home to update them with children’s learning and development information?
Note that the EYFS states you must have permission to take information off-site in requirement 3.69:
‘Records must be easily accessible and available - with prior agreement from Ofsted, these may be kept securely off the premises.’
If staff do take children’s data off the premises to, for example, update learning and development records, you must ensure they use secure systems such as, for example, a secure Virtual Private Network (VPN) and secured home internet - how will you check this?
You must, to comply with GDPR, provide staff training and tablets, laptops etc must be password protected, shut down when not in use and not accessible to other family members.
You must also consider disqualification by association – what if staff have lied about the continued suitability of their family members?
I will share more information about staff training soon.
Can I still send emails to parents and staff?
Yes – but you need to think about security.
For example, if you are sending an email to a group of people, make sure you use ‘BCC’, and consider using encrypted email for sensitive data such as staff payslips.
I am researching encrypted email at the moment – more information to follow soon.
Can I still send information by post to parents and staff?
Yes – but you need to think about security.
If you are sending sensitive data about children and their families through the post you might want to consider using, for example, recorded delivery.
What is a Data Sharing Agreement and do I need one?
The ICO recommends that, when information is shared between you and, for example, other settings children attend, a Data Sharing Agreement is drawn up stating what information is shared and how, and that it is signed by you and the other party.
You will need to reflect on how you will do this with parents and consider how you limit information while still ensuring you are supporting the child’s care, safeguarding, learning and development.
I will share more information about Data Sharing Agreements soon.
Am I required to lock children’s documents away to comply with GDPR?
The EYFS states in requirement 3.69: ‘Confidential information and records about staff and children must be held securely and only accessible and available to those who have a right or professional need to see them.’
It is up to you to decide whether locking information away helps you to comply with this requirement. You must also consider how you ensure online / electronic data about children and their families (and staff if relevant) is secure.
For example, you should consider whether you need to use encryption and whether your virus protection software is up-to-date.
How will the requirement to retain information until a child is 21 years 3 months old be impacted by GDPR if parents say they want us to remove the information?
The insurance requirement to retain documentation overrides the GDPR ‘right to be forgotten’ if there is a clear legal basis for the information to be retained.
I will share more information about the legal basis for retaining information and how this links to the ‘right to be forgotten’ soon.
I have a register with all the children’s names on one page – is this still ok?
In my personal opinion, I have never recommended this way of recording attendance, because you will need to remove a child’s data from your files when the oldest child reaches the age of 21 years 3 months, but the registers or diaries will contain other children’s attendance records which you might need to keep for longer.
It is something you might need to reflect on in relation to GDPR.
However, as I have already said, this is my personal opinion and not something I have seen the ICO comment on – I am researching the impact of this on schools at the moment, but I imagine that, since all the children in a class will reach 21 years 3 months at around the same time, it will not affect them as much as it does a childminder.
I have staff – do I need to do anything different?
Yes – you need to train staff on GDPR.
You will also need to do a Data Audit of staff information and write a Privacy Notice which they will need to read, understand and sign. It will contain the same information you have included in the children’s Privacy Notice.
I will share more information about staff and GDPR soon.
If you have any further questions about how GDPR will impact on your business and ways of working, please ask!
Thank you, Sarah.