Last reviewed 19 February 2018
The new data protection law, the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. This is an EU Law and we are still part of the EU until agreements have been finalised. On leaving the EU, the GDPR will remain in force until the Government makes any changes. Liz Hodgman, Childcare Consultant, looks at what GDPR will mean for an early years provider.
Under the Data Protection Act 1998, organisations were thought to be compliant until there was a data breach. Under the GDPR this is no longer the case; organisations need to have evidence that they are compliant from the start. This requires organisations to have documents and processes in place to demonstrate that they are following the regulations and ensuring the safeguarding of the data that they hold.
Why do we need a new law?
The Data Protection Act is 20 years old and there have been significant changes in the data that is held on individuals through the use of information technology (IT). The security threats to personal and sensitive data is much greater than it was 20 years ago. The law needed to be updated to reflect the rapid development in IT and changing risk levels of breaches.
There are two main roles under the GDPR; the data controller and the data processor.
For a childcare provider, you are most likely to be the data controller. The data is your data that you have collected about the child and their family. If you contract with another company to process your data, then they will be the data processor. The two roles have some differences but the principles of GDPR apply to both.
There are six principles of the GDPR.
Fair and Lawful.
The GDPR provides the following rights for individuals.
The right to be informed.
The right of access.
The right to rectification.
The right to erase.
The right to restrict processing.
The right to data portability.
The right to object.
Rights in relation to automated decision-making and profiling.
The last point, rights in relation to automated decision-making and profiling, is unlikely to impact on most early years providers. An example of profiling is when you use your computer to search for a product online. Later you log onto your Facebook account and adverts down the side link to the type of products you have been searching for. Cookies on a website can be used for profiling, collating information on how the user accesses different parts of the website for example. Under GDPR, an individual has the right to ask for human input into these automated processes.
Lawful basis for processing personal data
You must have a lawful basis for processing all personal data within your organisation and this needs to be recorded in your register for processing activities. The six reasons are set out in Article 6 of the GDPR.
Where possible, avoid using consent as your lawful basis. Consent can be withdrawn at any point and then you may run into problems. For example, if a parent decides midterm to remove their child from your setting and they are accessing 30 hours funded childcare, they may immediately withdraw consent for you to process the information on their child. Therefore how will you be able to claim the funding you are owed from your local authority (LA) if you are unable to use the child and parent’s information?
Further information on the GDPR can be found on the Information Commissioner’s Office (ICO) website.
Working towards compliance
In order to demonstrate that you are compliant, you will need to have documentation in place. Best practice would be to have a folder on your computer with electronic files stored there and a ring binder for paper records. This file will contain registers of the staff who have engaged with training, minutes of staff meetings where GDPR has been discussed, etc.
You may be required to make available your documentation to the ICO on request.
Registration with the Information Commissioner’s Office
It is required that all organisations that process personal data are required to register with the ICO. In February 2018 the Government announced a new charging structure for data controllers to ensure the continued funding of the ICO. Until the GDPR comes into effect the current fees apply. From 25 May 2018 there will be a tiered approach to charges.
Tier 1 – micro organisations. You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations. You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations. If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.
The ICO has published a document that provides further information on the charges, exemptions and how to calculate which tier your are in. This can be downloaded from the ICO website.
Information Asset Register
You need to have a “catalogue” of all the information that your provision holds and processes. This will include information on the types of information/data.
Is it personal or sensitive?
How is the information stored?
Is it shared or transported, and if so, how is this done?
Is the information included in a retention schedule?
How long are you keeping it for?
This will need to be established prior to the introduction of GDPR and regularly maintained. Ideally, having an electronic version will enable items to be added/updated or deleted easier than a paper record.
One way of ensuring that you have captured all the information assets within your organisation is to carry out an audit with the whole staff team. Ask them to help you do a mind map.
Think about the different individuals you may hold data on:
the children in the provision
the parents/carers of the children
extended family/emergency contacts
contractors who undertake work in or for the provision.
Contractors could include an accountant, a solicitor, a cleaning or catering company, a keyholder company or an IT company which maintains your computer systems.
The types of data documents that you may hold within your provision include:
child protection files and referrals
tracking sheets for a group/whole nursery
computer systems (software packages)
bank details (staff and parents)
allergies and medication information
EYPP, DAF and Inclusion Fund lists
staff meeting minutes
emergency contacts list (children and staff)
birth certificates (for funding purposes)
Cookies (website only).
You may hold data in a number of places:
portable IT (laptops, tablets, etc)
website and social media
website surveys (eg SurveyMonkey).
See the template Information Asset Register in your Early Years Administrative Records topic. Transferring the template to an excel spreadsheet will make it easier to manage the information.
Once you have completed your Information Audit and established your Information Asset Register you will need to document your data processing. This will need to include information on the lawful basis for processing.
The ICO has developed a free downloadable excel spreadsheet to record all the data processing.
Privacy or Data Protection Impact Assessments (DPIAs)
These are useful tools to help you identify the most effective way to comply with your data protection duties and meet an individual’s expectations of privacy. You do not need to carry out a DPIA for every process, just ones that you feel could be high risk for the data subject or for any new technology. So this could be the introduction of a new system to record children’s progress that is shared with parents electronically.
Consent and privacy notices
When writing your privacy notices, you need to have decided what lawful basis you are processing this information under.
Your privacy notice should include the following.
The type of information you are collecting (names, addresses, dates of birth, ethnicity, etc).
Who is collecting it and how (paper forms, electronic forms, through a parent portal, etc)?
Why is it being collected?
How will the information be used (this will not only include providing a safe and quality provision for their child but also to access funding from the LA and to submit data for headcounts and census)?
Who will you share the data with (this will include the LA for funding and census information as well as any referrals for additional support for example the area SENCO)?
Will there be an effect on the individual (data subject) concerned and is it likely to cause any individuals to object or complain?
The Department for Education has developed a privacy template for schools and early years providers to adapt. This can be downloaded from their website.
The checklist will help provide a framework of steps for any childcare provider to work through. The ICO has also produced an online self-assessment tool that will help to gauge your progress and provides guidance on the next steps that need to be taken.
You will need to have audited all areas of your provision when working towards compliance for the GDPR as you will have data in lots of places.
Consider how you will manage keeping information secure when you are taking the children on an outing.
Will you be taking the provision’s mobile phone with you?
Does it have a lock on it so that if it was stolen or lost, no one else would be able to access the parents’ names and contact details?
If you carry paper records with you, discuss how these can be kept safe.
However, the safeguarding of children will always be a higher priority than the GDPR compliance.
Add GDPR and data sharing to your supervision template and ensure it is regularly discussed and documented. Include in staff meetings and record in minutes. Copies can be retained in the GDPR file.
Look at the information that you have on display around the provision. Does any of it identify children and is it accessible to the public? This is particularly important if you use a shared space such as a church or village hall and you do not pack away fully at the end of sessions.
While a session is in operation, it is necessary to have on display, as a reminder to staff, the list of children who have medical issues and allergies. This is a safeguarding requirement; however it is not acceptable to have a list of EYPP children on the wall. This would identify to any prospective parents or visitors to the provision that these children are from more deprived backgrounds.
Ensure that your setting’s contingency plan is up to date and includes information technology. What would happen if your setting’s main laptop was dropped and the hard drive was unable to be saved? Or if it was stolen? Consider options on how you can back up data so that a normal service can resume. This could be having an encrypted external hard drive or memory stick that is regularly used to back up the main computer records. This drive or stick then needs to be safely stored. Alternatively consider using a cloud storage system. You will need to ensure that whatever cloud provider you choose has high levels of security, are operating within the GDPR and have a UK or EU data sovereignty. This means that they are storing the data in the UK or EU. Other countries outside of the EU will not be subject to the GDPR. Many of the main cloud providers have moved some data storage to the UK so that they will be compliant for the launch of GDPR.
You will need to inform parents that you are making changes to your processing and consent arrangements so that you are compliant with the GDPR. This could be done within a regular newsletter or through your website or social media accounts.
Any new contracts with parents will need to include the new wording for consent and privacy notices. It is good practice to provide all existing contracted parents with a copy of the wording and ask them to sign their agreement. This can then be added to their current contract.
Data Protection Officer
Although there is no legal requirement under the EYFS or GDPR for a childcare provision to have a Data Protection Officer, it is seen as good practice.
Ideally, the Data Protection Officer should not be the manager or owner of the provision or have power to make decisions. They do however need to have support from these people in order to be effective in their role.
Main duties include the following.
Ensure that the provision is compliant with GDPR.
Audit all personal data held.
Establish an Information Asset Register and maintain it.
Ensure all staff are aware of their responsibilities under the law, this may include delivering staff training.
Undertake investigations when there is a breach of personal data and report to the ICO.
Keep up to date with the legislation.
Everyone needs to have completed GDPR awareness training and have a thorough understanding of your policies and procedures regarding data, consent and sharing. This includes:
volunteers and work placement students
You could ask your staff to undertake online training on Information Governance and the GDPR.
Ensure all staff know how to password protect a document or if you have a secure email system on how to use it. You could have the guidance sheet for password protecting a document on a notice board in your office or staff room as a reminder.
For more information and practical help with preparing for the GDPR, take a look at our GDPR Toolkit for early years providers. This groups together all our GDPR information in one place and give you a step-by-step guide of what you need to know, with links to template documents.