The General Data Protection Regulation (GDPR) is one of those things that many of us have heard about, and we have all received an abundance of emails regarding it. Yet it can be difficult to work out what it actually means and what you need to do to comply with the GDPR in Early Years. What we do know is that it is backed by stringent enforcement powers. With fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, a failure to adhere to the GDPR in nurseries could have significant consequences.
This guide will break down the responsibilities of nurseries and Early Years providers in implementing the GDPR, with reference to the Early Years setting. It will provide a detailed breakdown of all the factors you need to consider, and the potential implications and consequences of a data breach.
What is GDPR?
When the Data Protection Act 1998 was drafted, Google had not yet been founded and technology was nowhere near the level it is today. Security and the protection of data focused mainly on paper files and systems that are now long outdated, and there was a definite need for change. As a result, the European Union devised the GDPR to protect the privacy of everyone in the EU. The General Data Protection Regulation is an EU regulation (not a directive, so it applies directly without needing separate national legislation) that came into force on 25th May 2018. It is primarily concerned with how personal data is collected, used and controlled, and it requires you to have a ‘lawful basis’ for every processing activity.
The regulation ultimately aims to give individuals more control over their data and how it is used and shared. Within this, there are two main roles: the data controller, who decides why and how personal data is processed, and the data processor, who processes it on the controller’s behalf. Nurseries are data controllers, because you decide what data you collect about your pupils, their families and your staff and what you do with it. As a data controller, you are obligated to ensure that personal data is appropriately protected, and high penalties can be imposed on those who do not adhere to the rules.
What is personal information?
In accordance with the GDPR, personal data should be ‘processed lawfully, fairly and in a transparent manner’, and should only be collected for ‘specified, explicit and legitimate purposes’. The regulation uses the term personal data (the phrase ‘personally identifiable information’ is common in practice but does not appear in the regulation) to mean any information relating to an identified or identifiable person, such as their name, email address, postal address, telephone numbers or photographs, amongst other types. This is a much wider category than you might think at first, and it also covers online identifiers such as a person’s IP address.
Moreover, even if a person cannot be identified from a piece of information on its own, they may still be identifiable indirectly when it is combined with other data you or someone else holds. Special categories of personal data, such as health information, religion and ethnicity, are subject to stricter rules: processing them requires a specific additional condition under Article 9, and for a nursery that condition will usually be explicit consent. As a result, only truly anonymous information, from which no individual can be identified by any reasonably likely means, falls outside the GDPR.
A Rights-Based Approach to Privacy
As we said previously, the GDPR is built on giving every individual in the EU specific rights regarding their personal data. These individual rights include:
The Right to be Informed
This is a key transparency requirement: everyone has the right to be told what personal data you collect about them, why you collect it, how it is stored, who it is shared with and for how long it is kept. It also means that consent cannot be assumed. Pre-ticked boxes, automatic opt-ins and similar devices do not amount to valid consent under the GDPR.
The Right to Access
Each individual has the right to request access to the information that you hold about them or their child. This must normally be provided free of charge, within one month of the request, and in a commonly used format.
The Right to Rectification
If you hold inaccurate or incomplete data, people have the right to have it corrected. If you have shared that data with a third party, it is also your responsibility to tell them about the correction so that they can update their records.
The Right to Erasure
Also known as the right to be forgotten, this means that people can ask the organisation holding their information to delete it. The right is not absolute, however: where you are legally required to keep records for a set period, as nurseries are under their Early Years obligations, that retention requirement takes precedence and you can decline the request for those records.
The Right to Restrict Processing
This means that people can ask you to stop using their information in a particular way, for example while a dispute about its accuracy is resolved. While processing is restricted you may continue to store the data, but you must not otherwise use it unless the individual consents or another specific exception applies, such as establishing or defending a legal claim. Again, this does not override the record-keeping rules already set out in the Early Years Foundation Stage (EYFS).
The Right to Data Portability
This right means that individuals can obtain the data they have provided to you in a structured, machine-readable format and reuse it for their own purposes, or ask you to transfer it directly to another organisation. You need a process in place so that information can be exported and transferred securely.
The Right to Object
People have a legal right to object to their personal data being used for purposes they have not agreed to, and the right to object to direct marketing is absolute. An example of this in a nursery would be the use of photographs of children in a marketing campaign.
Rights in Relation to Automated Decision-Making and Profiling
This is unlikely to apply to most nurseries, but if an organisation makes decisions about people solely by automated means, including profiling, individuals have the right to be told about it, to obtain human intervention and to challenge the decision.
The Privacy Principles
As outlined in Article 5 of the GDPR, any organisation that processes personal data must abide by six data protection principles, together with the overarching principle of accountability, often described as the seventh.
1 – Lawfulness, Fairness and Transparency
This means that you must have a lawful basis for collecting and using personal data. The GDPR sets out six lawful bases (consent, contract, legal obligation, vital interests, public task and legitimate interests), and the data should be collected, processed and shared in a manner that is fair and transparent to the people it concerns.
2 – Purpose Limitation
This principle is set out in Article 5 (1) (b), which states that personal data should be ‘collected for specified, explicit and legitimate purposes’ and not further processed in a manner that is incompatible with those purposes. In practice, this means that you should only use the data for the reason it was originally obtained. For example, unless you have told parents about the purpose and obtained their consent, you cannot use photographs of children or adults for marketing.
3 – Data Minimisation
The data minimisation principle means that you should only collect the personal data that is adequate, relevant and necessary for your stated purpose, and no more. Data that is no longer required should be erased or anonymised, but this does not apply to the records you must keep to meet your obligations as an Early Years provider.
4 – Data Accuracy
The personal data that you hold should be accurate, and you should have a system in place to keep it up to date. For example, asking parents to confirm their details on an annual basis and reminding them to let you know about any changes is a simple way to ensure that you have the most recent details.
5 – Storage Limitation
Personal data should be kept in a form that identifies individuals for no longer than is necessary for the purposes for which it is processed (Article 5 (1) (e)). You should therefore set retention periods for each type of record, securely delete or anonymise data once they expire, and be able to justify any period you choose.
6 – Confidentiality and Integrity
Also referred to as the security principle, this requires that personal data is processed in a way that ensures its confidentiality (only authorised people can see it) and integrity (it is not altered or lost without authorisation). You are responsible for putting appropriate technical and organisational measures in place so that personal data is stored, shared and processed securely, and for protecting it against accidental loss or destruction as well as deliberate misuse.
The Principle of Accountability
Accountability is often described as the seventh principle. It is not in the list of six in Article 5 (1) but is set out separately in Article 5 (2), which states that the controller is responsible for compliance with the other principles and must be able to demonstrate it. In practice, this means keeping records of what you process and why, documenting your policies and decisions, and being able to show the ICO the steps you have taken if they ask.
Why do nurseries need to comply with the GDPR?
As nurseries collect personal data regarding their pupils, their families and their staff, all Early Years providers have a responsibility to comply with the GDPR: each person whose information you hold has the right to privacy and to have that information stored securely.
Moreover, a failure to comply could have serious consequences, including significant fines. You will need to register with the Information Commissioner’s Office (ICO) and pay the data protection fee, and have data sharing agreements in place with the organisations you share personal data with. You will also need to publish a privacy notice and have a robust data protection policy in place.
What is a data breach?
A personal data breach is any security incident that leads to personal data being lost, destroyed, altered, disclosed to or accessed by someone who is not authorised to have it. This could be accidental or deliberate, the result of human error or of a technical security failure, and most organisations will experience some form of data breach at some point. Common nursery examples include a register left where visitors can read it, an email sent to the wrong parent, or a lost laptop or USB stick holding children’s records.
To assess the risk, you need to establish whether the breach is likely to affect the rights and freedoms of the people concerned. The ICO recommends focusing on the potential negative consequences for the individual, such as distress, discrimination or physical harm. If the breach is likely to result in a risk to individuals, you must report it to the ICO within 72 hours of becoming aware of it; if the breach is unlikely to result in any risk you do not have to report it, but you should still record it internally together with your reasons for not reporting. Where the breach is likely to result in a high risk to individuals, you must also tell the people affected without undue delay. The ICO will guide you through the next steps and may ask you to investigate how the breach happened so that you can strengthen your nursery’s information management system.
How you store personal data is ultimately your choice, but there are restrictions you need to be aware of, and you are advised to adopt a layered approach to security. Paper files should always be kept in a locked cabinet, and electronic files should be protected by more than a password alone: records should be held on encrypted devices, access should be limited to named user accounts, and backups should be kept so that records cannot be lost through a single failure. You may choose to pay a specialist provider to store information securely, in which case you need a written contract with them as your processor. Furthermore, only authorised and trained staff should be able to access the data, and access should be removed promptly when a member of staff leaves.
Per the GDPR, you also need to keep on top of your information system, including erasing information that is no longer needed. However, it is important to check the appropriate retention periods before deleting anything. As mentioned previously, where a legal or regulatory retention period applies, it takes precedence over a request for erasure. For example, staff records should be kept for 8 years, and it is advised that you keep children’s information until they reach the age of 21.
What else do nurseries need to consider?
Any organisation that collects and stores personal data is ultimately responsible for the protection of that data. It is also accountable for its actions, as a failure to implement an effective system may result in a security incident. To ensure that the regulation is adhered to, strict sanctions have been put in place, with fines of up to €20 million or 4% of the organisation’s annual worldwide turnover, whichever is higher.
Consent is a key theme that runs through the regulation, but it is only one of the six lawful bases and should only be relied on where it genuinely fits. Where you do rely on consent, for example for using photographs of children in newsletters or on social media, it must be freely given, specific to each purpose, fully informed and recorded, and parents must be able to withdraw it as easily as they gave it. Consent does not last indefinitely, so you should review and refresh it periodically, for instance at the start of each year. You do not need consent for the data you collect to meet your legal obligations as an Early Years provider, because legal obligation is the lawful basis for that processing.
As part of the GDPR requirements, you should publish a privacy notice so that all individuals are fully aware of how you use, store and share their personal data. Your privacy notice should be accessible and written in plain English, and it should be clearly signposted in your emails and letters and on your website.
Data Protection Officer
Appointing a data protection officer (DPO) means that your nursery has one individual who takes the lead on data protection. A DPO is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data, so most small nurseries are not required to appoint one, but it is good practice regardless. Having somebody in charge of data protection means that they can be specifically trained to safeguard your systems. However, all staff must have some awareness of what the regulation means for their work and should be able to answer parents’ questions regarding privacy.
Loss of Business
Implementing a system that is secure and robust is one of the ways to build a relationship with parents that is based on trust and transparency. When that trust is broken by a data breach, the result can be a loss of business as well as regulatory action.
What should be in our data protection policy?
- Contact details of your organisation
- The specific types of data that you process
- Your lawful basis for processing the data
- Your methods of processing data, such as any third party
- How long the data will be kept for
- The individual rights.
Do I need to do a data audit?
With so much to consider, it can be difficult to know where to begin. The ICO recommends starting with a data audit, as this will give you a clear picture of the personal data you currently hold. For each type of data, record where it came from, where and how it is stored, who has access to it, who it is shared with, how long you need to keep it, what you use it for and which lawful basis (including consent, where applicable) applies. It is advised that you repeat the audit regularly to maintain compliance, and it gets easier the more often you do it.
What is a DSAR?
A DSAR is a data subject access request, sometimes simply called a subject access request (SAR). It is a request from an individual, which can be made verbally or in writing, for a copy of the personal data an organisation holds about them. If a parent or staff member makes a request, you have one month to respond (extendable by a further two months only for complex or numerous requests, provided you tell the requester within the first month), and you must provide the personal data free of charge in most cases. You must not disclose personal data relating to another child or person without their consent, so records may need to be redacted, and only those with parental responsibility can obtain a child’s records.
Do staff members need to be specifically trained?
Many of the requirements of the GDPR are similar to those already in place under earlier data protection law. However, all staff members who handle personal data should be trained in the current rules and their own responsibilities, including how to recognise and report a data breach, and they should be able to answer parents’ questions regarding how information is used and stored.
Will the laws be affected by Brexit?
Britain’s departure from the European Union has not removed these obligations. The GDPR has been retained in UK law as the UK GDPR, sitting alongside the Data Protection Act 2018, so nurseries must continue to comply with the same principles, rights and breach reporting rules described in this article.
What should we do about emergency contact details?
As part of your EYFS duties, all providers must hold emergency contact details for each of their pupils. Because you are required to hold this information, your lawful basis for processing it is legal obligation rather than consent, so you do not need to ask parents for separate permission, but you should still explain in your privacy notice that you hold it and why.
Can parents still send party invitations to other children?
Yes, of course. Where possible, ask parents whether they are happy for their contact details to be shared with other families. If not, you can provide parents with a list of children’s first names (adding an initial where two are the same) and distribute invitations in the classroom, so that no addresses or phone numbers leave the setting.
Fundamentally, the GDPR promises more robust protection of people’s personal data. Although it may seem complicated at first, it is not necessarily about spending a lot of money or implementing an entirely new system. Instead, it is about applying common sense, being transparent throughout and, where you are unsure whether a use of data is covered, identifying your lawful basis and obtaining consent if that is the appropriate one. You should also be aware of the strengths and weaknesses of your data management systems and how they should be maintained to stay effective.
When implementing the GDPR in nurseries, you will also need to be able to demonstrate how compliance is achieved and that you have taken the necessary steps. If you are still unsure what is required of you as a childcare provider, there is a wealth of information online. However, remember to prioritise the guidance set out by the Department for Education and the ICO.