GDPR - General Data Protection Regulation
What is GDPR?
GDPR is the 'General Data Protection Regulation' and became law in the UK on 25 May 2018. GDPR is a Europe-wide law designed to improve and strengthen the way in which personal data is processed. It will not be affected by Britain's plans to leave the EU.
The change in the law means that anyone who processes personal or sensitive data needs to make sure they are meeting key guidelines to protect data.
How does this impact childcare practitioners?
Childcare practitioners should assess their use of data and look at how they gather, hold, and share any personally identifiable information, which includes anything that can be used to identify a specific person.
You will need to ensure that you have included GDPR in your policies and procedures, inform parents how you use their data, and take steps within your setting to make sure all data and information is secure.
Meeting the requirements of GDPR should not require you to spend lots of money; you should beware of targeted marketing suggesting you need to purchase costly training and/or resources to be compliant. The Information Commissioner’s Office has produced some free guidance.
What resources does PACEY have to support practitioners?
- Data protection policy (England only) - use this policy as a template for your setting and give it to all parents to sign and date. Review your policies regularly and whenever changes are made. Not yet a member? You can buy this sample policy in the shop.
- Confidentiality policy (Wales only) - if you are a practitioner in Wales, there will be specific support for you within this policy
- GDPR practice guide - this practice guide looks at areas of best practice when processing data in line with GDPR. Updated following advice from ICO.
- Record keeping practice guide - understand the rules on how long you can keep data in your setting. Updated to include information about retaining insurance certificates.
- Sample privacy notice - use this template to tell parents the reasons why you need to collect data, and what you do with the data you have. Updated following recommendations from ICO.
- Communication preferences sample template. This template may be useful to adapt to collect contact preferences from parents if you use direct marketing as part of your business. If you do not use direct marketing as part of your business, you are unlikely to need this, although you may find it useful to explain to parents exactly what information you share with them and whether it is mandatory or optional and, if optional, how they can choose whether or not to receive it.
- GDPR support video - understand more about GDPR, how it impacts your setting and the seven key principles to protect data
- FAQs to support you - we have collected frequently asked questions, answered below, to help practitioners with common worries.
Please note, these resources will be regularly updated and added to as we get more information from the ICO. If you have any feedback you'd like to share, please email email@example.com.
We have gathered together some questions we have been asked by members to form our FAQs, if you have any additional questions then please email the team and we will get back to you and update our FAQs here.
1. What is GDPR?
GDPR is the 'General Data Protection Regulation'. It is a change in the law that came into force on 25 May 2018. GDPR is a Europe-wide law designed to improve and strengthen the way in which personal data is processed.
2. What is the ICO?
The ICO is the Information Commissioner's Office. You need to register with the ICO as part of GDPR and, depending on the way you store the personal information you collect, may already be registered with them. Find out more about them here – https://ico.org.uk/
3. Do I have to pay the ICO?
Yes, there is a fee for registering with the ICO. The fee structure changed in April 2018 - you can find more information about this from the ICO in their fee guide. If your turnover is no more than £632,000 for your financial year, or you have no more than 10 members of staff, the fee is £40.
Additionally, in terms of current registration requirements, if a childminder (or any other data controller) does absolutely no electronic processing of personal data for their business then they would not need to register. Remember that means not only no computer, but no smartphone, social media or digital camera either. Even where a childminder does not need to register, they will of course still need to comply with data protection law. If you are unsure, please call the ICO helpline (0303 123 1113) and select the option for ‘Registration’, where expert colleagues will be happy to help.
4. What is the fee going to be?
The ICO fees changed in April 2018 and you can read about the fees in their guide. Most childcare practitioners and their businesses will come under Tier 1 which is £40. This is for businesses with a maximum turnover of £632,000 for the financial year or no more than 10 members of staff.
The exemption for controllers who do no electronic processing of personal data, and the ICO helpline details, are set out under question 3 above.
5. Where do I use data in my practice?
You're using data whenever you collect or use information about a child. For example, filling out accident forms, recording activities or completing your daily register. You need to assess your setting and understand how and where you use, gather and process data. Our data audit template will help; it can be found within the GDPR practice guide.
6. How can I make sure my paper files are secure?
When not being used, all paper files should be kept securely in a lockable cupboard and always kept locked, with the keys securely stored.
7. I use a family computer for my work, how can I keep this secure?
If you use a family computer, set up a separate login for your work, protected by its own password that other family members do not know or use. The computer should also be encrypted, so that work files cannot be read by removing the disk or booting another system.
8. How can I make my electronic devices secure?
- Encrypt your computer, laptops and USB sticks
- Always use strong passwords: longer is better, a mix of upper/lower case letters, digits and special characters (e.g. £$%&*) helps, and never reuse a work password on another account
- Always keep your anti-virus software up to date
- Make sure any laptop, computer or mobile phone/tablet locks automatically after a short period of no use (one minute is a good setting) and requires the password or PIN to unlock.
Find further support on PACEY’s GDPR practice guide and support video in MyPACEY – pacey.org.uk/GDPR
The ICO also has support specifically about encryption of your devices.
9. I use online apps to track children’s daily activities and communicate with parents, is this impacted?
Any third-party supplier of an online system or app that you use is processing personal data on your behalf. Contact them to confirm they are complying with GDPR and have their own security processes in place, and check that your agreement with them (usually their terms of service) sets out what they may do with the data; under GDPR a processor may act only on the controller's documented instructions.
10. How do I safely dispose of old data/paperwork I don’t need?
Delete files once the purpose for which you collected them has been fulfilled, and then empty your computer's ‘recycle bin’ or ‘trash’. Be aware that emptying the bin hides the file rather than reliably erasing it from an unencrypted disk, so encrypt your devices (see question 8) and wipe or physically destroy old computers and USB sticks before disposing of them. If in paper form, use a cross-cut shredder to dispose of the paperwork safely. Consider having a "data cleanse" day on a quarterly basis.
11. How do I communicate these changes to parents?
You will need to make sure that you have a data protection policy in place with parents, as well as a sample privacy notice to tell parents about the changes, the reasons why you collect data, and what you do with their data.
Download PACEY’s sample data protection policy, sample privacy notice and confidentiality policy in MyPACEY. Resources are listed on pacey.org.uk/GDPR.
12. What paperwork do I need?
- A privacy/confidentiality policy
- Communication preferences document (if you're using direct marketing)
- A process for reporting and investigating security incidents
- A process for dealing with subject access requests
- Staff training – if you are a childminder, childminding assistant, nanny or nursery, all staff should undergo induction training and renew training every two years
- Retention of data policy.
13. How do I let parents opt in?
When parents join your setting, you should give them a way of choosing their preferred methods of communication. For example, an opt-in document for each individual child that parents sign to agree or disagree to data being shared in specific ways, for example on social media, in WhatsApp groups, in Facebook private groups etc.
PACEY is producing a communications preferences template, go to pacey.org.uk/GDPR for a full list of resources.
14. What happens if privacy is compromised? For example, if a laptop is locked in a car and gets stolen.
You need to have procedures and policies in place to show that you did everything you reasonably could to prevent the data being compromised: an encrypted laptop with a strong password, and no password written down with it, is far lower risk than an unencrypted one. Under GDPR a personal data breach that is likely to result in a risk to the people affected must be reported to the ICO without undue delay and, where feasible, within 72 hours of you becoming aware of it, so your incident procedure (see question 12) should say who records the loss, who assesses the risk and who contacts the ICO. Take a look at questions 7 and 8 for more support.
15. Can I get fined if I don’t comply with these new restrictions?
If you do not comply with these changes, the ICO can issue warnings and fines.
16. What resources does PACEY have for members?
- Data Protection Policy - use this policy as a template for your setting and give to all parents to sign and date. You can regularly review your policies if changes are made
- Confidentiality Policy – if you are a practitioner in Wales, there will be specific support for you within this policy
- GDPR practice guide - this practice guide will consider areas of best practice when processing data in line with GDPR and it also includes a data audit template
- Sample privacy notice - use this template to tell parents the reasons why you need to collect data, and what you do with the data you have
- Communications preferences template - use this to collect data from parents, and regularly review personal data to make sure it is relevant and necessary
- GDPR support video - understand more about GDPR, how it impacts your setting and the seven key principles to protect data
17. Are my PACEY childminding contracts still valid under GDPR?
You collect and process data on contracts, child record forms and similar in order to provide the services requested by parents. Under your existing data protection and confidentiality good practice, you won’t be sharing information unless you are required to do so by law or have the agreement of parents.
Use the GDPR resources that PACEY has produced including the sample privacy notice and the communications preferences template to help parents understand how they can obtain access to the information you hold about them, or alternatively, how they can request a copy if they are unable to obtain access.
We have had PACEY's contracts assessed in detail by our legal team and they are fully compliant with GDPR. Therefore the current contracts will not be changing and are still valid in light of the new data protection laws. Using PACEY's GDPR resources in conjunction with your contracts will help you meet the new regulations.
18. Do I need to attend a training course?
If you are a childminder, childminding assistant, nanny or nursery, all staff should undergo induction training and renew training every two years.
19. I use Google Drive or iCloud to store my settings information, how does GDPR impact this?
The ICO has full guidance on the use of cloud computing. The provider is processing data on your behalf, so check their terms and query anything you are unsure about with them; as a minimum, protect the account with a strong, unique password and turn on the two-step verification that Google and Apple both offer.
20. Do I have to keep an individual register per child?
There is no prescribed format for attendance registers. The requirement is that you need to be able to evidence the dates and times a child is with you and keep the data for as long as needed. PACEY would advise, along with the format of our own attendance register, that you have one child per page.
Retention of records is discussed in our record keeping practice guide.
21. If a parent emails enquiring about a place for their child, am I liable for the personal information in the email?
Storing data, including emails that contain personal information, needs to be included in your audit process, i.e. what is the data, why do I need it, how is it received, who has access to it, how long do I keep it. Any personal data, no matter what format, follows the same process.
The GDPR practice guide talks about asking these questions, and safe deletion, and includes a data audit template.
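The audit questions above (and the quarterly "data cleanse" in question 10) can be kept as a simple register rather than in your head. The following Python is an added example, not PACEY's audit template or a legal retention schedule: the entries and retention periods are constructed for illustration, and the real periods should come from the record keeping practice guide.

```python
"""Data-audit register with retention checks.

Added example, not a PACEY resource. Each entry answers the audit questions
(what the data is, why it is needed, how it is received, who has access, how
long it is kept) and records the date its retention clock started, so a
quarterly data cleanse can work from a list of what is overdue for deletion.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AuditEntry:
    record: str          # what the data is
    purpose: str         # why it is needed
    source: str          # how it is received
    access: str          # who has access
    retain_days: int     # how long it is kept after the trigger date
    trigger: date        # date the retention clock starts (e.g. child left)

    def delete_after(self) -> date:
        """Date from which this record should no longer be held."""
        return self.trigger + timedelta(days=self.retain_days)


def overdue(register, today):
    """Return entries whose retention period expired before `today`, oldest first."""
    due = [e for e in register if e.delete_after() < today]
    return sorted(due, key=AuditEntry.delete_after)


def build_register():
    """Constructed sample register; the retention periods are assumptions."""
    return [
        AuditEntry("Enquiry email, family A", "respond to place enquiry",
                   "email", "childminder", retain_days=90,
                   trigger=date(2018, 1, 10)),
        AuditEntry("Accident form, child B", "record of injury and treatment",
                   "paper form", "childminder, parent", retain_days=365 * 3,
                   trigger=date(2017, 6, 1)),
        AuditEntry("Emergency contacts, child C", "contact adults in an emergency",
                   "registration form", "childminder, assistant", retain_days=0,
                   trigger=date(2018, 5, 31)),   # child left the setting
        AuditEntry("Daily register, 2018", "evidence attendance for funding",
                   "kept by childminder", "childminder, LA auditors",
                   retain_days=365 * 3, trigger=date(2018, 12, 31)),
    ]


def cleanse_report(today_iso: str):
    """Names of records to delete on a data cleanse day (ISO date), in deletion order."""
    today = date.fromisoformat(today_iso)
    return [e.record for e in overdue(build_register(), today)]


if __name__ == "__main__":
    for name in cleanse_report("2018-06-30"):
        print("delete:", name)
```

Run it on a cleanse day and work through the list, deleting or shredding each record and then noting the date it was destroyed. Adding the trigger date when a record is created is the important habit: without it, nobody can say when a file became due for deletion.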
22. If a parent revokes photo permissions for Facebook when a child leaves the setting, would I have to delete all previous pictures?
In this case, we would suggest looking at the record keeping practice guide for reference to photos, how to store, keep and use them on social media and build this in as part of the agreement with parents. Within the agreement, state that you will not use photos from the date that a parent revokes permissions and/or from the date a child leaves.
23. Do you need to remain registered with ICO as a childminder after you retire?
If you are still holding personal data electronically after you have retired from or stopped childminding, you will still need to be registered with the ICO. If however you are no longer holding the data electronically you will no longer need to be registered.
Please contact the ICO for more information on whether or not you should still be registered with them.
24. If you need to remain with the ICO after retiring as a childminder, what about insurance?
Public Liability insurance is generally written on a “claims occurring basis”; this means that it will, in theory, meet claims arising from incidents which occurred during the policy period irrespective of when the claim is made (which might be some years later).
As always, this is subject to policy wording and complying with notification requirements, and to the claimant having a valid and legally enforceable claim.
The claim may be made after the policy expires, subject to legal considerations (for example the time limits within the Limitation Act); however, cover should not be needed to be taken out after childminding has ended as no new claims can arise.
Some policies are issued on a “claims made basis”, which means that cover needs to be in place when a claim is made. Professional liability policies are usually like that, but that should not affect PACEY members. “Claims made” is the opposite of “claims occurring”.
25. Do I need to ring the emergency contacts parents have provided and inform them about GDPR?
You do not need to get in touch with the emergency contacts parents have nominated and let them know that you as a childminder, have their details. This responsibility lies with the parent who gave the emergency contact details.
We would suggest that you state this within your policy, saying that you will hold this information only while the child linked to the emergency contact is in your care. Once the child leaves the setting, the information held about the emergency contact will be destroyed.
26. I've been contacted by Sodexo, the childcare voucher company, telling me to complete a form, but I don't think it's right. What should I do?
PACEY has raised this issue with Sodexo and made clear that the ICO’s advice is that members and other childcare providers are NOT processing Sodexo's data. In fact Sodexo is processing their personal data. So Sodexo’s current approach is incorrect. We are advising our members NOT to fill in the current Sodexo form nor the new one (when it is sent out). If you have already returned their form, you should email them again to say you want to “rescind it, as you are now aware they have incorrectly identified you as a data processor”. Once we have a copy of the new Sodexo form, we will seek legal advice on it and share this with members and Sodexo. We expect this legal advice will reinforce what the ICO has already said. This means our current advice to members is unlikely to change. We will then try to work with Sodexo to stop them making this unnecessary request of their customers.
27. Is there a grace period after the 25th?
The legislation applies from 25 May 2018 and there is no grace period after this date. However, if you do not have everything in place but can demonstrate to the ICO that you are working towards GDPR compliance, that will be taken into account, although it is not where you want to be.
The best thing to do is to make sure you have everything in place by the 25th May 2018.
28. Can I pass on parents/childminders phone numbers to other parents/childminders?
So long as you have the consent of the person whose number you are passing on, that’s fine. Consent doesn’t have to be written, so long as the person has positively affirmed that they want you to share it. Ideally keep a note of that consent, and of the fact that you shared the information, but take care not to record any unnecessary personal data.
29. As a Nanny, do I need to register with the ICO?
With regard to registration, the best way forward is to complete the self-assessment toolkit on the ICO's registration page to see whether you need to register.
The pages also provide a link to ICO's registration helpline if you still feel unsure.
30. How long should I keep my ELI certificate for?
There is no requirement to keep employers' liability insurance (ELI) certificates for a set time. PACEY would strongly recommend that they are kept indefinitely, just in case; keeping them electronically is fine.
31. How should I record children's ethnicity?
Ethnicity is a mandatory data item within the early years census and should be collected for all children. The childcare provider must not ascribe any ethnicity to the child; this information must come from the parent/guardian. Where the ethnicity has not yet been collected, this is recorded as NOBT (information not yet obtained). If a parent has refused to provide ethnicity, REFU (refused) is recorded and returned. There are no plans to drop the data item from the 2019 census. The EY census data collection guide contains details of the relevant legislation that provides the lawful basis for collection. For example, the individual-level data collection from EY providers (i.e. under the Early Years Census) is a statutory requirement on providers and LAs through regulations under Section 99 of the Childcare Act 2006 and the Education (Provision of Information about Young Children) (England) Regulations 2009 as amended.
32. What is the difference between the DPA 2018 and GDPR?
"The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 is the details of these. It is therefore important the GDPR and the DPA 2018 are read side by side.
However, the DPA 2018 is not limited to the UK GDPR provisions."
Quoted from the ICO.
Have any other questions? Email firstname.lastname@example.org and we will update our FAQs!