GDPR guidance for childcare providers
The General Data Protection Regulation (GDPR) is an EU law that came into effect on 25 May 2018. It replaced the Data Protection Act (DPA) 1998 and the changes remain in place after the UK left the EU.
GDPR has given individuals greater control over their own personal data. Your nursery or early education and childcare setting should already have a data protection policy in place, which will need to be compliant.
The best place to check you are compliant is the Information Commissioner’s Office's Guide to the GDPR.
GDPR condenses the Data Protection Principles into 6 areas, which are referred to as the Privacy Principles:
- You must have a lawful reason for collecting personal data and must do it in a fair and transparent way
- You must only use the data for the reason it is initially obtained
- You must not collect any more data than is necessary
- It has to be accurate and there must be mechanisms in place to keep it up to date
- You cannot keep it any longer than needed
- You must protect the personal data
These privacy principles are supported by a further principle – accountability.
This means your setting must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved.
There is also an expectation that staff will be trained on data protection. Documentation on policies, procedures and training is going to be a key part of any effective compliance programme.
Areas to consider
Appointing a data protection officer
For most settings, appointing an individual who takes the lead on data compliance will be enough, although for larger early education and childcare provider chains may need to appoint a data protection officer. Check with the Information Commissioner's Office.
When you collect any data you must tell people exactly how you are going to use it, who might you share it with, how long you will keep it as well as information on consent and complaint.
People have rights on the collection, access and deletion of their data so you must ensure your setting has mechanisms to allow individuals to exercise these rights.
GDPR requires early education and childcare providers to have a legitimate reason for processing any personal data. Where you rely on consent for processing data you must be able to demonstrate that the consent was freely given. Pre-ticked boxes or inactivity will not be sufficient. People will need to actively opt-in.
Early education and childcare providers will be obliged to have written arrangements with anybody processing data for them. Providers must make sure that anyone processing data will meet GDPR requirements.
Data protection must be incorporated into new projects and services at the development stage — not simply as an after-thought.
You are obligated to notify the Information Commissioner's Office (ICO) of a data breach within 72 hours of becoming aware of the breach.
One of the key drivers of compliance is that organisations can be fined significant amounts if they are not. However, you should focus on the benefits of ensuring you are handling your data properly, rather than worry about avoiding a potential fine.
Frequently asked questions about GDPR
What is personal data?
Personal data, in relation to early education and childcare providers, is any information collected about children and their families.
Do you collect and process personal data?
Yes – all early education and childcare providers collect and process personal data about children and their families.
Is the data you collect sensitive?
Yes – all providers collect and process sensitive personal data about children and their families.
Do you have lawful grounds for processing personal data?
Yes – early education and childcare providers are required to collect information about children and their families to comply with the statutory requirements of, for example, the EYFS, HMRC, the Childcare Register, The Early Years Inspection handbook and Ofsted.
How is consent collected?
Consent is a tricky one - in some instances the questions early education and childcare providers ask parents to answer are statutory - you cannot do our job without them, such as the child's full name, date of birth and address.
Therefore, early education and childcare providers have a legal reason for requesting the information and do not need consent. In other instances, the questions asked to parents are useful and allow you to do your jobs better - such as asking for information about children's siblings or their doctor's contact details, but they are not statutory (required by the EYFS or other statutory frameworks).
ICO advise that you are likely to need consent to process this type of data.
Can parents withdraw their consent?
Yes – however, this might mean that the provider is in breach of the EYFS, HMRC or insurance requirements, so if parents withdraw consent advice should be taken from ICO and / or Ofsted before information is deleted.
Is collected data accessible to parents?
Yes – parents can view, update and change any data that is held at any mutually agreed time.
Is data used only for the purpose it was originally collected?
Yes - as a general rule further written permission is requested from parents before data is used for other purposes. For example, parents are asked for written permission before you share information with other settings or professionals to support their child.
Is data accurate?
Yes – parents are required to be regularly asked to update the information held.
Is information about data storage shared with parents?
Yes – parents must be informed how long data will be stored and how it will be destroyed when no longer required as evidence for Ofsted, HMRC or insurance purposes.
Is data protected and secure?
Yes – security measures must be in place including:
- computer security measures – for example, password protection and virus protection can both be used
- paper security measures – for example, locks on cupboards where written data is stored or an alarm on a house
How are data breaches reported?
GDPR states that data breaches which are ‘likely to result in a risk to the rights and freedoms of individuals’ must be documented and reported to the Information Commissioner's Office (ICO) not later than 72 hours after it has occurred.
If you are investigated, ICO will expect to see a risk assessment which shows how the risk of data breaches will be minimised in the future.
Parents must also be informed about data breaches which impact their ‘rights and freedoms’. ICO will give advice on whether a report is needed.
Read more about data breaches on the ICO website.
Are your documents up to date?
- permission form
- parent / child documentation
- privacy notice
- confidentiality policy
- complaints procedures
- induction training
Last updated 13 October 2023