Over the past 12 months we have been running a series of data security (GDPR) workshops to address the recent changes in legislation. Understandably, there are still questions regarding data security across the sector.
To help, I have listed the key points which your management teams should consider on a monthly basis. This does not need to be an onerous task, but it should be a regular reminder of where you are.
- Children and parents need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
- Think about the needs of children and parents from the outset and design your systems and processes with this in mind.
- Compliance with the data protection principles, and in particular fairness, should be central to all your processing of personal data.
- You need to have a lawful basis for holding and processing personal data. Consent is one possible lawful basis for processing, but it is not the only option. As mentioned in our training courses, nurseries have a legal obligation to collect and process children’s data for their own use and on behalf of other external parties, for example local authorities, Ofsted and HMRC. The legal obligation to process children’s data in most circumstances overrides many of the data protection principles.
- You need to get consent from whoever holds parental responsibility for the child, retain this consent and track any modifications.
- Children merit specific protection when you use their personal data for marketing purposes, for example using photographs of children for extended periods of time.
- You should write clear privacy notices for parents so that they are able to understand what will happen to their and their children’s personal data, and what rights they have. Your processes should complement these notices.
- Children have the same rights as adults over their personal data and could request data access later in life. For example, they may want to see what personal data you hold, request rectification, object to processing and have their personal data erased. Again, your processes should cater for all of these requirements.
- An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.
See a quick checklist to check where you are with GDPR at your nursery here.
Remember, you can still access NDNA's full FAQs from nurseries here, including a free data audit download and other resources.