General Data Protection Regulation (GDPR) for nurseries

What is the General Data Protection Regulation (GDPR), introduced on 25 May 2018, and what do you, as a nursery or early years and childcare provider, need to do about it?

Make sure you are compliant with our GDPR FAQs for nurseries below:

1. What is it?
2. How does this differ from the current data protection laws?
3. What is a data audit and why do I need one?
4. What is personal data?
5. Does this include children’s data?
6. What do I do with emergency contacts on the nursery database?
7. How does this work with nurseries’ legal obligations?
8. What are the rights for individuals?
9. Why do we have to comply?
10. What is a breach?
11. Who does it affect?
12. Will it cost our setting to do this?
13. When will we need to do this by?
14. Will all staff need to know this?
15. Do I need to fill in forms that I receive from external organisations?
16. Birthday party invitations
17. Using external photographers and sharing images
18. Keeping paper documents of children attending the nursery
19. Sending emails to multiple recipients and forgetting to blind copy
20. Displaying staff photos and names
21. Names on registers and visitor books
22. Providing documents for Subject Access Requests (not related to safeguarding).

What is GDPR?

GDPR stands for General Data Protection Regulation which became law on 25 May 2018. It covers the management and control of personal information. Regardless of Britain’s plans to leave the EU, this will still be a legal requirement for all organisations. 

How does GDPR differ from other data protection laws?

The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). It replaces the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003. It increases the obligations that companies have regarding personal data and focuses on rights for individuals. There is an emphasis on a more robust protection for individuals and higher penalties on organisations who fail to comply. 

What is a data audit and why do I need one?

Your first step in complying with GDPR is to prepare a data audit. It is important to clarify to yourself and others what personal data your organisation holds and where it is kept. You may already know about some of the personal data you hold and where it is kept but it is important that everyone in the organisation participates in this and is engaged with the process in order to build up a thorough and detailed picture. As a nursery manager, you should ensure that you are able to access all the personal data resources you may be in possession of to allow the process to be as easy as possible. 

GDPR RESOURCES FOR NURSERIES

GDPR Privacy Notice for nurseries:
FREE GDPR Privacy Notice for nursery members here
View headings to use in your own Privacy Notice here

Record retention for nurseries:
FREE Record Retention Policy for members in England, Scotland and Wales
FREE Record Retention factsheet for members in England and Data Retention factsheet for Scotland

More GDPR support for nurseries:
GDPR factsheet for England, Scotland and Wales 
'GDPR for nurseries: an expert's view' blog post by NDNA's Director of Technology

GDPR training and support visits for nurseries:
GDPR Training, the only face to face GDPR training specifically for nurseries.
NDNA support visits to review your data protection processes

What is personal data in regards to GDPR?

This is classed as any data which can be linked to a single person and can identify them. Examples include a name, email address, postal address, telephone numbers, bank accounts and photos. But just an email address is not personal data unless it can be directly linked to more data that is stored somewhere else.

Does GDPR include children’s data?

Yes it does. But it also provides an opportunity for nurseries to engage with parents and build up trust and loyalty. Let them know what measures you are putting in place and that you are ahead of the game regarding their personal details.

What do I do with emergency contacts on the nursery database?

You are required under EYFS duties, for the health and well-being of children to have emergency contact details for all children attending your setting in case of emergency when unable  to contact parents directly.

You are given these details by the parent/guardian as the people they authorise to collect their child in their absence, therefore the parent is giving you permission to hold this information, your duty is to protect this data as with all other data and only use it for the intended purpose, in the case to contact in the event of an emergency.

Local Authorities may require providers in their area to obtain signed consent from emergency named contacts.

How does GDPR work with nurseries’ legal obligations?

Although consent is a huge part of GDPR, as a nursery you have lawful obligations that require you to collect, process and store personal data.

 In order to comply with regulatory frameworks and inspectorates across the UK, there is a large amount of data that you must hold and maintain. These legal obligations override GDPR and therefore you do not need consent to collect certain data from your parents or children.

What are the rights for individuals?

GDPR works around the principal of consent and assumes the automatic right of privacy to individuals. If you are holding anyone’s data, they need to give consent to this and agree with what you intend to do with it. You would need to inform them how long you intend to hold onto this data and for what purpose.

Individuals have the right to be “forgotten” and can also object to some use of their own data.

GDPR downloads for nurseries

Why do we have to comply with GDPR?

All organisations which handle this type of data have to comply. Failure to do so can result in sanctions. Serious breaches can be penalised with fines of up to 20 million Euros or 4% of your annual turnover.  

What is a GDPR breach?

If you accidentally lose, destroy or share data, this is a breach. Sharing in this instance means giving unauthorised access to personal data. Any breaches must be reported to the Information Commissioner's Office. Find out how to do this here. 

Who does GDPR affect?

This affects everyone as individuals and all organisations which hold personal data of any type. 

Will it cost our nursery to implement GDPR? 

It will mainly cost your setting staff time – but you may wish to update your processes and systems which could mean an investment.

When does GDPR need to be in place in my nursery?

The regulation became law from 25 May 2018 – settings must now comply with GDPR. Review what you are currently doing to comply with the existing laws and take it from there.

Will all nursery staff need to know about GDPR?

It’s useful that everybody is aware of GDPR and what it means. All staff that handle data need to know more about the regulation. NDNA recommends each setting appointing a lead person who is the designated data controller. They can work with all other staff who are designated as data handlers.

It’s also important that all staff can answer parents’ queries about how their data will be used and stored. Make sure you are clear about the benefits this will give and also your legal obligations regarding safeguarding the children.

Do I need to fill in forms that I receive from external organisations?

We have had some members query forms they are receiving from external organisations.

You may be receiving requests from external organisations to fill in forms and legal agreements to show compliance with GDPR.

You only need to respond if you are actually processing (handling, using or sharing) personal data which they have either sent to you or received from you.

Personal data is data which can identify a single person.
If none of this applies then we recommend you simply contact the organisation to tell them this.  Do not waste time completing their forms.

Can I still let parents send birthday party invitations to other children in the nursery?

Yes you can do this if you have permission from all the parents.  If you don’t have this permission then you should only provide the children’s first names and possibly an initial for the surname where two children have the same first name.

Can I provide a photographer’s website link/images to parents if the images taken include other children? 

Yes providing that no personal details are included on the website link eg. Children’s names.

How long do I need to keep paper documents of children attending the nursery?

There is no standard answer to this, as it depends on the type of document and your Local Authority’s requirements. In brief, business records need to be retained for 7 years, accident reports until the child is 21 years and 3 months, safeguarding records and causes for concern until the child is 25 years old. Download our Record Keeping and retention periods fact sheet here for more detail or download our Record Retention Policies from England, Scotland and Wales.

I have sent an email to multiple recipients and forgotten to blind copy them (BCC) – is this a data breach?

If the recipient email addresses are business related and are available in the public domain, then this is not a data breach. If the email addresses are personal and can identify a person, then this is a data breach and should be reported to the ICO.

Can I display staff photos on display board with names?

Yes, if staff members have all given permission.

Do I have to remove last names on the child and parent register and visitor books?

How do we deal with personal information which is usually shared with members of the public, e.g. self sign-in registers, visitor books etc.? You should limit the amount of information that is available unless you have obtained specific consent to be able to share this information. We recommend that the full names of children should not be entered onto self-sign in registers, birthday displays and anywhere else which is in view of other parents or the general public. In relation to visitor books we also recommended that full names of parents or members of the public should not be shared, alternatively a GDPR compliant visitor book can be purchased which reduces the amount of information that is visible to other visitors.

Can I provide documents if I get a Subject Access Request to disclose employee statements regarding a nursery incident, which was not a safeguarding incident?

There is no clear definitive answer and each request needs to assessed on its own merits. However, if you decide not to provide the information requested you need to be able to justify it.

Our recommendation is to provide the information but before sending it to the parent remove or redact (hide or make unreadable) any personal information that could be used to identify anyone apart from the child concerned in the query.
Prior to sending the information, it may also be worth discussing the request with persons who have provided the statements to ensure they have no strong objection to the information being provided.

See NDNA GDPR resources