GDPR - General Data Protection Regulation

What is GDPR?

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

The law means that anyone who processes personal or sensitive data needs to make sure they are meeting key guidelines to protect data. 

How does this impact childcare practitioners?

Childcare practitioners should assess their use of data and look at how they gather, hold, and share any personally identifiable information, which includes anything that can be used to identify a specific person.

You will need to ensure that you have included GDPR in your policies and procedures, inform parents how you use their data, and take steps within your setting to make sure all data and information is secure.

Meeting the requirements of GDPR should not require you to spend lots of money; you should beware of targeted marketing suggesting you need to purchase costly training and/or resources to be compliant. The Information Commissioner’s Office has produced some free guidance.

What resources does PACEY have to support practitioners?



  • Data protection policy (England only) - use this policy as a template for your setting and give to all parents to sign and date. You can regularly review your policies if changes are made. Not yet a member? You can buy this sample policy in the shop.
  • Confidentiality policy (Wales only) - if you are a practitioner in Wales, there will be specific support for you within this policy
  • GDPR practice guide - this practice guide looks at areas of best practice when processing data in line with GDPR. Updated following advice from ICO.
  • Record keeping practice guide - understand rules around how long you can keep data for in your setting. Updated to include information about retaining insurance certificates.
  • Sample privacy notice - use this template to tell parents the reasons why you need to collect data, and what you do with the data you have. Updated following recommendations from ICO.
  • Communication preferences sample template. This template may be useful to adapt to collect contact preferences from parents if you use direct marketing as part of your business. If you do not use direct marketing as part of your business, you are unlikely to need this, although you may find it useful to explain to parents exactly what information you share with them and whether it is mandatory or optional and, if optional, how they can choose whether or not to receive it.
  • FAQs to support you - we have collected some frequently asked questions and answered them below to help practitioners with any worries.


We have gathered together some questions we have been asked by members to form our FAQs. If you have any additional questions, please email the team and we will get back to you and update our FAQs here.

What is GDPR?

GDPR is the 'General Data Protection Regulation'. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR) and is designed to improve upon and strengthen the way in which you process personal data.

What is the ICO?

The ICO is the Information Commissioner's Office. You need to register with the ICO as part of GDPR and, depending on the way you store the personal information you collect, may already be registered with them. Find out more about them here –

Do I have to pay the ICO?

Yes, there is a fee for registering with the ICO. You can find more information about this from the ICO in their fee guide. If you have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff, the fee is £40. 

Additionally, in terms of current registration requirements, if a childminder (or any other data controller) has absolutely no electronic processing of personal data for their business then they would not need to register. Remember that would mean not only no computer, but no smartphone, social media or digital camera too. Even where a childminder may not need to register, they will of course need to continue to comply with the Data Protection Act. If you are unsure, please do call the ICO helpline (0303 123 1113) and select the option for ‘Registration’, where expert colleagues will be happy to help.

Where do I use data in my practice?

You're using data whenever you collect or use information about a child, for example when filling out accident forms, recording activities or completing your daily register. You need to assess your setting and understand how and where you use, gather and process data. Our data audit template, which can be found within the GDPR practice guide, will help.

How can I make sure my paper files are secure?

When not being used, all paper files should be kept securely in a lockable cupboard and always kept locked, with the keys securely stored.

I use a family computer for my work, how can I keep this secure?

If you use a family computer, make sure you have a separate log in for your work which should be securely password protected. The computer should also be encrypted.

How can I make my electronic devices secure?

  • Encrypt your computer, laptops and USB sticks
  • Always use secure passwords, with upper/lower case letters, digits and special characters (e.g. £$%&*)
  • Always keep your anti-virus software up to date
  • Make sure any laptop, computer or mobile phone/tablet has auto lock enabled after one minute of no use.

Find further support in PACEY’s GDPR practice guide and support video in MyPACEY.

The ICO also has support specifically about encryption of your devices.

I use online apps to track children’s daily activities and communicate with parents, is this impacted?

You will need to contact any third party suppliers of any online systems or apps that you use and make sure they are complying with GDPR and have their own processes in place.

How do I safely dispose of old data/paperwork I don’t need?

Delete files once the use for those files has been fulfilled. You should also delete any information from your computer ‘recycle bin’ or ‘trash’. If in paper form, use a cross-cut shredder to dispose of the paperwork safely. Consider having a "data cleanse" day on a quarterly basis.

How do I communicate this to parents?

You will need to make sure that you have a data protection policy in place with parents, as well as a sample privacy notice to tell parents about the changes, the reasons why you collect data, and what you do with their data.

Download PACEY’s sample data protection policy, sample privacy notice and confidentiality policy in MyPACEY. Resources are listed on

What paperwork do I need?

  • A privacy/confidentiality policy
  • Communication preferences document (if you're using direct marketing)
  • A process for reporting and investigating security incidents
  • A process for dealing with subject access requests
  • Staff training – if you are a childminder, childminding assistant, nanny or nursery, all staff should undergo induction training and renew training every two years
  • Retention of data policy.

How do I let parents opt in?

When parents join your setting, you should give them a way of choosing their preferred methods of communication. For example, you could use an opt-in document for each individual child that parents sign to either agree or disagree to data being shared in specific ways, such as on social media, in WhatsApp groups, in Facebook private groups etc.

PACEY is producing a communications preferences template, go to for a full list of resources.

What happens if privacy is compromised? For example, if a laptop is locked in a car and gets stolen.

You need to make sure you have procedures and policies in place to demonstrate that you have done everything you can to prevent the situation from arising and data being compromised as a result. Take a look at earlier questions for more support.

Can I get fined if I don’t comply with these restrictions?

If you do not comply with these changes, the ICO can issue warnings and fines.


What resources does PACEY have for members?

  • Data Protection Policy - use this policy as a template for your setting and give to all parents to sign and date. You can regularly review your policies if changes are made 
  • Confidentiality Policy – if you are a practitioner in Wales, there will be specific support for you within this policy
  • GDPR practice guide - this practice guide will consider areas of best practice when processing data in line with GDPR and it also includes a data audit template
  • Sample privacy notice - use this template to tell parents the reasons why you need to collect data, and what you do with the data you have
  • Communications preferences template - use this to collect data from parents, and regularly review personal data to make sure it is relevant and necessary

Are my PACEY childminding contracts valid?

You collect and process data on contracts, child record forms and similar in order to provide the services requested by parents. Under your existing data protection and confidentiality good practice, you won’t be sharing information unless you are required to do so by law or have the agreement of parents.

Use the GDPR resources that PACEY has produced including the sample privacy notice and the communications preferences template to help parents understand how they can obtain access to the information you hold about them, or alternatively, how they can request a copy if they are unable to obtain access.

We have had PACEY's contracts assessed in detail by our legal team and they are fully compliant with the GDPR regulations. Using PACEY's GDPR resources in conjunction with your contracts will help you meet the regulations.

Do I need to attend a training course?

If you are a childminder, childminding assistant, nanny or nursery, all staff should undergo induction training and renew training every two years.

I use Google Drive or iCloud to store my setting's information, how does GDPR impact this?

The ICO has full guidance on the use of cloud computing. You should also query this with your supplier and they will be able to support you.

Do I have to keep an individual register per child?

There is no prescribed format for attendance registers. The requirement is that you need to be able to evidence the dates and times a child is with you and keep the data for as long as needed. PACEY would advise, along with the format of our own attendance register, that you have one child per page.

Retention of records is discussed in our record keeping practice guide.

If a parent emails enquiring about a place for their child, am I liable for the personal information in the email?

Storing data, including emails that contain personal information, needs to be included in your audit process, i.e. what is the data, why do I need it, how is it received, who has access to it, how long do I keep it. Any personal data, no matter what format, follows the same process.

The GDPR practice guide talks about asking these questions, and safe deletion, and includes a data audit template. 

If a parent revokes photo permissions for Facebook when a child leaves the setting, would I have to delete all previous pictures?

In this case, we would suggest looking at the record keeping practice guide for reference to photos, how to store, keep and use them on social media and build this in as part of the agreement with parents. Within the agreement, state that you will not use photos from the date that a parent revokes permissions and/or from the date a child leaves.

Do you need to remain registered with ICO as a childminder after you retire?

If you are still holding personal data electronically after you have retired from or stopped childminding, you will still need to be registered with the ICO. If however you are no longer holding the data electronically you will no longer need to be registered.

Please contact the ICO for more information on whether or not you should still be registered with them.

If you need to remain with the ICO after retiring as a childminder, what about insurance?

Public Liability insurance is generally written on a “claims occurring basis”; this means that it will, in theory, meet claims arising from incidents which have occurred during the policy period irrespective of when the claim is made (which might be some years later).

As always, this is subject to policy wording and complying with notification requirements, and to the claimant having a valid and legally enforceable claim.

The claim may be made after the policy expires, subject to legal considerations (for example the time limits within the Limitation Act); however, cover should not need to be taken out after childminding has ended as no new claims can arise.

Some policies are issued on a “claims made basis” which means that cover needs to be in place when a claim is made. Professional liability policies are usually like that, but that should not affect your member. “Claims made” is the opposite of “claims occurring”.

Do I need to ring the emergency contacts parents have provided and inform them about GDPR?

You do not need to get in touch with the emergency contacts parents have nominated and let them know that you, as a childminder, have their details. This responsibility lies with the parent who gave the emergency contact details.

We would suggest that you state this within your policy, stating that you will hold this information only during the time that the child linked to the emergency contact is in your care. Once the child leaves the setting, the information held about the emergency contact will be destroyed.

Can I pass on parents'/childminders' phone numbers to other parents/childminders?

So long as you have the consent of the person whose number you are passing on, that’s fine. Consent doesn’t have to be written, so long as the person has given a positive affirmation that’s what they want you to do. Ideally keep a note of that consent, and that you shared the info, but take care not to record any unnecessary personal data.

As a Nanny, do I need to register with the ICO?

With regards to registration the best way forward is to complete the self-assessment toolkit on ICO's registration page to see whether you would need to register as a member.

The pages also provide a link to ICO's registration helpline if you still feel unsure. 

How long should I keep my ELI certificate for?

There is no requirement to keep ELI certificates for a certain time. PACEY would strongly recommend that they are kept forever just in case; however, having them electronically is fine.

How should I record children's ethnicity?

Ethnicity is a mandatory data item within the early years census and should be collected for all children. The childcare provider must not ascribe any ethnicity to the child. This information must come from the parent/guardian. Where the ethnicity has not yet been collected this is recorded as NOBT (Information not yet obtained). If a parent has refused to provide ethnicity, REFU (refused) is recorded and returned. The EY census data collection guide contains details of the relevant legislation that provide lawful basis for collection. For example, the individual level data collection from EY providers (i.e. under Early Years Census) is a statutory requirement on providers and LAs through regulations under Section 99 of the Childcare Act 2006 and the Education (provision of information about young children)(England) regulations 2009 as amended.

Have any other questions? Email and we will update our FAQs!

Additional support