Whether you’re a small childminder or a large nursery chain, the GDPR regulations will affect everybody when they become a legal requirement on the 25th May.
The GDPR applies to information that can be used to personally identify an individual. Examples include name, date of birth, bank details and photographs you may have of your staff, children or parents. It also applies to information which is gathered online.
What is a lawful basis for processing data and why do I need it?
You need to write down why you’re processing personal data in different areas of your business. This is because the GDPR regulations state that you need a valid lawful basis in order to process personal data. There are 6 different lawful bases, however, we have highlighted two very common ones you’ll come across as a childcare provider:
This is where parents give you clear consent to process their child’s personal data for a specific purpose. Children under the age of 16 cannot give consent and it falls to childcare settings to check whether parents have full parental responsibility to be able to give this consent.
Under clause 3.72 of the statutory EYFS framework, providers must record each child’s name, date of birth, address and emergency contact details of parents. This data is normally collected by a registration form. If there’s an obligation to hold personal data in order to meet the requirements of the Children’s Act, Ofsted or employment law, then this overrides the need to gain consent.
How often do I need to update the information I hold?
Personal data must be fairly and lawfully processed, but it must also be kept up to date. Let’s use the example of a child registration form. How often do you check the information is up to date – termly, 6 monthly or yearly? The GDPR requires that the records you hold be updated at least annually.
Rather than waiting for parents to notify you when their information has changed, it’s much better practice to show what information you hold on them. For example at parents evening, ask what information needs updating. You could also issue an update form which parents must sign and date whenever their information needs to be amended.
What can I do to minimise the risk of a data breach?
Minimising the processing of personal data at your setting to only what’s necessary for a specific purpose is a good way to reduce the risk of a data breach. For example, on your accident forms you need to include the child’s name, who dealt with the incident, where it happened and what treatment was given. But do you need the child’s date of birth, address details or the names of parents on it, too? Reducing the amount of personally identifiable information on your forms will help reduce the risk.
Another way to minimise risk surrounding personal data is by not keeping information for longer than necessary. For example, when a child leaves your setting all photos of them should be destroyed (or handed back to the parents) as there’s no lawful reason for you to keep these.
You should also assess whether your staff are competent at handling data. Your employees will handle a huge amount of children’s data on a day-to-day basis. They need a good understanding of what personal data is and what their responsibilities are to keep this data safe, in order to minimise the risk of a data breach occurring.
In our next GDPR instalment on 28th March, we explore what other requirements childcare providers must prepare for under the new GDPR rules.
We have put together a handy guide which explains what GDPR is, and it gives you information on what you need to do when collecting any data.