All organisations which handle personal information about individuals must ensure that they follow the guidelines set down by the Data Protection Act.
In addition to this, some organisations will need to be Data Protection registered with a governing body called the ICO. However, there is no need to register if you handle personal data only for core business purposes like record keeping, accounts and staff administration. To find out whether this applies to you, check the ICO's guidance.
The law surrounding the Data Protection Act can be confusing, so here we have outlined the answers to some common questions.
What is it?
The Data Protection Act (DPA) was brought into law in 1998 with the intention of governing the way that organisations process and manage data on living identifiable individuals. This data is often referred to as “Personal data”.
Personal data is things like:
– Children’s names, dates of birth, addresses, allergies and medical information
– Parents’ names, addresses and bank details
– Staff information such as bank details, National Insurance number and qualifications
What does the Data Protection Act consist of?
The DPA has 8 overriding principles that businesses must comply with:
– Data must be fairly and lawfully processed
– Data must be used for limited and specifically stated purposes
– Data must be adequate, relevant and not excessive
– Data must be accurate
– Data must not be kept for longer than necessary
– Data must be handled according to individuals’ data protection rights
– Data must be kept safe and secure
– Data must not be transferred outside of the European Economic Area (EEA) unless the country that the data is being sent to has a suitable data protection law.
Who can request access to personal data?
All staff members and parents have the right to access personal information which is being processed or stored and which relates directly to them. They also have the right to request that changes be made to personal information about them if the data you hold is not accurate or up to date.
In most circumstances, a childcare setting will need permission from the relevant individual if it wishes to share personal data with an outside organisation. However, if a setting has a child protection concern, it is able to consult the relevant authorities without asking for the consent of the parents of that child.
How can I comply?
All childcare settings should have a Data Protection Policy which outlines what measures they take to comply with the Data Protection Act. It should also describe what actions staff should take if they think there has been a breach, and how individuals can access information relating to them.
In addition, you will need to nominate a Data Controller. This is someone within your organisation who must apply to the ICO for permission to store and use personal data. Their job is to make sure that any processing of personal data at your setting complies with the Data Protection Act.
What should happen if a staff member thinks their setting breaches the DPA?
If a member of staff thinks that there has been a violation of these rules, they must notify the Data Controller as soon as possible and give them details of the breach. It is then the responsibility of the Data Controller to investigate and then either rectify or report any violations of the Data Protection Act to the ICO.
What penalties can I incur if I do not follow the principles outlined in the DPA?
Aside from the damage to your brand and reputation should personal information become lost or stolen, the Information Commissioner’s Office can prosecute businesses. You can be liable for fines of up to £500,000 if it is found that your setting has seriously breached the rules of the DPA.
To find out more about Data Protection and how to comply, please visit the ICO website.
Worried about whether you’re keeping children’s details safe? Our management software will help you keep all personal details secure. Find out more about what our software can do!