General Data Protection Regulation (GDPR) and the Information Commissioner's Office (ICO)

As an early years and childcare practitioner in England, you are required to comply with the Data Protection Act 1998. You will already be collecting, storing, maintaining, and sometimes sharing the personal data of the children and families that you work with.

In May 2018, data protection rules changed with the introduction of the General Data Protection Regulation (GDPR). GDPR builds on the Data Protection Act 1998 and is designed to strengthen the way that you process personal data. Processing data covers anything that you do with the personal data that you hold.

Personal data means any information about a person that can directly or indirectly identify them. Examples include names; addresses; telephone numbers; email addresses; reference numbers; CCTV images; voice recordings; photographs; and online profiles, for example on Facebook. Personal data can appear in many forms, from pen and paper to WhatsApp groups.

GDPR gives individuals more control over their own personal data. It is about being open and transparent about the data you keep and how you use it or share it.

GDPR condenses the Data Protection Principles into seven areas, referred to as the Privacy Principles. They are:

  1. You must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
  2. You must only use the data for the reason it was initially obtained.
  3. You must not collect any more data than is necessary.
  4. It has to be accurate and there must be mechanisms in place to keep it up to date.
  5. You cannot keep it any longer than needed.
  6. You must protect the personal data.
  7. You must be accountable. This means you must do the right thing with data and you must also show that all the correct measures are in place to demonstrate how compliance is achieved. There is also an expectation that assistants will be trained on data protection.

Things to consider

Privacy notices

When you collect any data you must tell people exactly how you are going to use it, who you might share it with, and how long you will keep it, as well as giving information on consent and complaints.

Individual rights

People now have new and enhanced rights on the collection, access and deletion of their data so you must ensure your setting has mechanisms to allow individuals to exercise these rights.

Consent

GDPR requires early years providers to have a legitimate reason for processing any personal data. Where you rely on consent for processing data you must be able to demonstrate that the consent was freely given. Pre-ticked boxes or inactivity will no longer suffice. People have to actively opt in.

Data agreements

Early years providers are now obliged to have written arrangements with anybody processing data for them. Providers must make sure that anyone processing data meets GDPR requirements. This may be an app that you use to process childminding data.

Breach notification to the ICO

You are obligated to notify the Information Commissioner's Office (ICO) of a data breach within 72 hours of becoming aware of the breach. An example of this would be if you lost some documents containing personal information of families.

You may be registered with the Information Commissioner’s Office (ICO).

The ICO is the UK regulator and enforcer of data protection legislation. If you keep any information digitally then you should be registered with the ICO; this includes photographs taken on a mobile phone or digital camera.

More information is available in the ICO’s guide to the UK General Data Protection Regulation.