Why do we have to comply with GDPR?
All organisations which handle this type of data have to comply. Failure to do so can result in sanctions. Serious breaches can be penalised with fines of up to 20 million Euros or 4% of your annual turnover.
What is a GDPR breach?
If you accidentally lose, destroy or share data, this is a breach. Sharing in this instance means giving unauthorised access to personal data. Any breaches must be reported to the Information Commissioner's Office. Find out how to do this here.
Who does GDPR affect?
This affects everyone as individuals and all organisations which hold personal data of any type.
Will it cost our nursery to implement GDPR?
It will mainly cost your setting staff time – but you may wish to update your processes and systems which could mean an investment.
When does GDPR need to be in place in my nursery?
The regulation became law from 25 May 2018 – settings must now comply with GDPR. Review what you are currently doing to comply with the existing laws and take it from there.
Will all nursery staff need to know about GDPR?
It’s useful that everybody is aware of GDPR and what it means. All staff that handle data need to know more about the regulation. NDNA recommends that each setting appoints a lead person who is the designated data controller. They can work with all other staff who are designated as data handlers.
It’s also important that all staff can answer parents’ queries about how their data will be used and stored. Make sure you are clear about the benefits this will give and also your legal obligations regarding safeguarding the children.
Do I need to fill in forms that I receive from external organisations?
We have had some members query forms they are receiving from external organisations.
You may be receiving requests from external organisations to fill in forms and legal agreements to show compliance with GDPR.
You only need to respond if you are actually processing (handling, using or sharing) personal data which they have either sent to you or received from you.
Personal data is data which can identify a single person.
If none of this applies then we recommend you simply contact the organisation to tell them this. Do not waste time completing their forms.
Can I still let parents send birthday party invitations to other children in the nursery?
Yes, you can do this if you have permission from all the parents. If you don’t have this permission then you should only provide the children’s first names and possibly an initial for the surname where two children have the same first name.
Can I provide a photographer’s website link/images to parents if the images taken include other children?
Yes, providing that no personal details (e.g. children’s names) are included on the website link.
How long do I need to keep paper documents of children attending the nursery?
There is no standard answer to this, as it depends on the type of document and your Local Authority’s requirements. In brief, business records need to be retained for 7 years, accident reports until the child is 21 years and 3 months, safeguarding records and causes for concern until the child is 25 years old. Download our Record Keeping and retention periods fact sheet here for more detail or download our Record Retention Policies from England, Scotland and Wales.
I have sent an email to multiple recipients and forgotten to blind copy them (BCC) – is this a data breach?
If the recipient email addresses are business related and are available in the public domain, then this is not a data breach. If the email addresses are personal and can identify a person, then this is a data breach and should be reported to the ICO.
Can I display staff photos on a display board with names?
Yes, if staff members have all given permission.
Do I have to remove last names on the child and parent register and visitor books?
How do we deal with personal information which is usually shared with members of the public, e.g. self sign-in registers, visitor books etc.? You should limit the amount of information that is available unless you have obtained specific consent to be able to share this information. We recommend that the full names of children should not be entered onto self sign-in registers, birthday displays and anywhere else which is in view of other parents or the general public. In relation to visitor books, we also recommend that full names of parents or members of the public should not be shared. Alternatively, a GDPR compliant visitor book can be purchased which reduces the amount of information that is visible to other visitors.
Can I provide documents if I get a Subject Access Request to disclose employee statements regarding a nursery incident, which was not a safeguarding incident?
There is no clear, definitive answer and each request needs to be assessed on its own merits. However, if you decide not to provide the information requested, you need to be able to justify it.
See NDNA GDPR resources
Our recommendation is to provide the information but before sending it to the parent remove or redact (hide or make unreadable) any personal information that could be used to identify anyone apart from the child concerned in the query.
Prior to sending the information, it may also be worth discussing the request with persons who have provided the statements to ensure they have no strong objection to the information being provided.