The EU General Data Protection Regulation (GDPR) will be introduced in the UK from 25th May 2018. The Government have confirmed that GDPR will not be impacted by Brexit – so we all need to think about how we can comply with GDPR and what changes we might need to make.
These are my steps to compliance with GDPR, shared to support colleagues.
Step 1 – Data Audit
The first step is to know what data (information) I hold about the children and families in my care, on paper and electronically.
To do this as efficiently as possible, I printed a copy of all my forms and worked through them, checking that the questions I ask parents to answer on behalf of their child are necessary for me to do my job. GDPR states that I must have a lawful (legal) basis for asking questions, so I have thought about this as I have worked through them.
Please see: Planning for GDPR - free from Childcare.co.uk.
I have removed any duplicate questions (GDPR states that data collection must be minimised), and where a question is not strictly necessary I have put an asterisk next to it and noted that it is optional.
The forms which needed the most tweaking included:
- Accident, injury and first aid
- Child record and emergency contacts
- Contract termination letter
- Parent-provider contract
- Parent-provider permissions
Please see: ‘GDPR – Data Audit’ for more information.
Step 2 – updating policies and procedures
I have updated some of my Policies and Procedures to help me comply with GDPR including –
- Complaints – to include ‘how to report a data breach’
- Confidentiality – to include reference to GDPR
- E-safety – to include reference to GDPR
- Safeguarding / child protection – mobile phone and camera section.
Please see: Policies and Procedures – free from Childcare.co.uk.
I ask parents to acknowledge receipt of my Policies and Procedures – I will send out the updated P & Ps by email in pdf format and ask them to re-sign the confirmation form.
Please see: Acknowledgement of Receipt of Policies and Procedures form.
To help me comply with GDPR, I have written a new Policy:
- Retention Policy – this states how long I will keep information about children and their families after they leave the setting. To write this policy I have researched the requirements of the Limitation Act 1980, the wording in the Early Years Foundation Stage (EYFS, 2017) and Childcare Register (2016) and spoken to my insurance company about their data retention requirements.
Please see: sample Retention Policy.
I have also included retention information in my ‘Termination of Contract’ letter so parents are given the details at the start and end of the contract.
Please see: termination of contract letter.
Step 3 – writing a Privacy Notice
It is a requirement of GDPR to have a written Privacy Notice. I have written a Privacy Notice following advice from the Information Commissioner's Office.
Please see: Writing a Privacy Notice guidance.
I will share the Privacy Notice with parents and add it to the ‘Acknowledgement of Receipt’ form (link above) with the list of other Policies and Procedures. I have also given parents a link to more information about GDPR on the ICO website.
Step 4 – Data Sharing Agreements
An important part of GDPR is considering how information about children and their families is securely shared.
For example, the EYFS requires me to share information about children in my care with other settings and professionals and to share a copy of each child’s 2 Year Progress Check with their health visitor – I am in Cheshire East and this is required as part of the Integrated Review at 2.
Note: I do not share information with an accountant or other professional, but if I did I would write Data Sharing Agreements for them.
Please see: ‘GDPR – Data Sharing Agreements’.
I have also considered what to do if data about children and their families is lost, stolen or misused and written a report form for recording and reporting a data breach.
Please see: ‘GDPR – Reporting a Data Breach’ for more information.
Step 5 – finishing off
I still have some bits and bobs to finish off for GDPR.
For example, I need to put together a little information pack for parents explaining about GDPR – it will include a copy of my new Privacy Notice and Retention Policy. I will also email them copies of the updated Policies and Procedures and ask them to sign my ‘Acknowledgement of Receipt of Policies and Procedures’ which will include the new policies.
I will then add the new documents to my Parent Information Pack so new parents receive GDPR information as part of their child’s induction process.
I will ask parents to complete a new Permission Form … I will not ask them to complete a new Parent-Provider Contract until our usual contract review in August because I have only tweaked the wording rather than made big changes to the document.
I also need to write information for providers who have staff including:
- Planning for GDPR – Staff
- Staff training - to help Managers train their staff to comply with GDPR
- Privacy Notice for staff.
If you have any further questions about GDPR and the impact on your business, please email me and ask.
Thank you, Sarah.