GDPR stands for General Data Protection Regulation, which becomes law on 25 May 2018. It covers the management and control of personal information. Regardless of Britain’s plans to leave the EU, this will still be a legal requirement for all organisations.
GDPR will replace the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003. It increases the obligations that companies have regarding personal data and focuses on rights for individuals. There is an emphasis on a more robust protection for individuals and higher penalties on organisations who fail to comply.
Personal data is classed as any data which can be linked to a single person and can identify them. Examples include a name, email address, postal address, telephone numbers, bank account details and photos. An email address on its own is not personal data unless it can be directly linked to more data that is stored somewhere else.
Yes, it does. But it also provides an opportunity for nurseries to engage with parents and build up trust and loyalty. Let them know what measures you are putting in place and that you are ahead of the game regarding their personal details.
You are required under EYFS duties, for the health and well-being of children, to have emergency contact details for all children attending your setting, for use when you are unable to contact parents directly.
You are given these details by the parent/guardian as the people they authorise to collect their child in their absence, so the parent is giving you permission to hold this information. Your duty is to protect this data as you would all other data and to use it only for the intended purpose, which in this case is to contact these people in the event of an emergency.
Local Authorities may require providers in their area to obtain signed consent from emergency named contacts.
Although consent is a huge part of GDPR, as a nursery you have lawful obligations that require you to collect, process and store personal data.
In order to comply with regulatory frameworks and inspectorates across the UK, there is a large amount of data that you must hold and maintain. These legal obligations override GDPR and therefore you do not need consent to collect certain data from your parents or children.
GDPR works around the principle of consent and assumes an automatic right to privacy for individuals. If you are holding anyone’s data, they need to give consent to this and agree with what you intend to do with it. You would need to inform them how long you intend to hold this data and for what purpose.
Individuals have the right to be “forgotten” and can also object to some use of their own data.
All organisations which handle this type of data have to comply. Failure to do so can result in sanctions. Serious breaches can be penalised with fines of up to 20 million euros or 4% of your annual turnover.
If you accidentally lose, destroy or share data, this is a breach. Sharing in this instance means giving unauthorised access to personal data. Any breaches must be reported to the Information Commissioner’s Office. Find out how to do this here.
This affects everyone as individuals and all organisations which hold personal data of any type.
It will mainly cost your setting staff time – but you may wish to update your processes and systems which could mean an investment.
The regulation becomes law from 25 May 2018 – settings must comply with GDPR from that date onwards. NDNA advises that businesses start planning now. Review what you are currently doing to comply with the existing laws and take it from there.
It’s useful for everybody to be aware of GDPR and what it means. All staff who handle data need to know more about the regulation. NDNA recommends that each setting appoints a lead person who is the designated data controller. They can work with all other staff, who are designated as data handlers.
It’s also important that all staff can answer parents’ queries about how their data will be used and stored. Make sure you are clear about the benefits this will bring and also about your legal obligations regarding safeguarding the children.
We have had some members query forms they are receiving from external organisations.
You may be receiving requests from external organisations to fill in forms and legal agreements to demonstrate compliance with GDPR.
You only need to respond if you are actually processing (handling, using or sharing) personal data which they have either sent to you or received from you.
Personal data is data which can identify a single person.
If none of this applies, we recommend you simply contact the organisation to tell them so. Do not waste time completing their forms.