GDPR for nurseries, your questions answered Part 2
In the second instalment of our series on GDPR, we get more of your questions answered.
Eddie Whittingham is a former Police Officer and qualified solicitor, specialising in Cyber Crime. He is now the Managing Director of The Defence Works who provide online security awareness training, help organisations stay secure against cybercrime and reduce the risk of data breaches.
He is putting his knowledge and expertise to use to help you understand GDPR and how it affects nurseries and childcare providers.
Karen asked; We are in a school but separate to them running in a school hall. They have our DBS records. How do we as an OOSC deal with school staff visiting when this comes in?
You could have a policy and process in place to deal with visitors, but this is not necessarily a part of GDPR. GDPR is primarily concerned with the processing of data.
Legally, anyone working with children without parental supervision is required to have a DBS check. So if school staff and visitors are working with the children, or are left alone with the children at any time then you should be collecting their DBS records too.
Once you’ve got this information, the way you process it and store it is governed by GDPR. GDPR is all about fairness for individuals and security for their personal data. So you need to make sure that the DBS checks are stored securely, either in a locked cabinet, or a password protected computer with suitable security measures – and they aren’t used for any other purpose than that which has been consented to. You should be mindful of whether this information is being stored in the cloud, for example – as the more places this information is shared/duplicated, the greater the risk to the individual.
In the previous blog post we discussed the importance of protecting data within emails. Farah would like to know what to do with personal information that is sent to her via email;
My first-time parents usually email to get the session for their child. In the emails, they sometimes write child’s date of birth and their phone numbers for getting in touch with them. So, do I need to delete all these emails as they have confidential information in it?
Firstly, plain emails are not particularly secure. So you should discourage parents from sending data in this way. That being said, it is likely that you’ll still get incoming enquiries via email so you may not be able to stop this altogether. You may, therefore, want to think about the security you have around your emails – do you have two-factor authentication to log in, can you lock down access to a particular IP address, have you conducted any security awareness training on things like phishing emails, etc.
I would suggest that you record the data in line with your normal processes, whether you want to transfer it onto a written form or type it in as an enquiry on Connect Childcare. You should then delete the email, ensuring it is properly deleted (and not just sent to a trash folder).
Bear in mind that if there is ever a breach, and you are inspected the ICO will want to see that you did everything you could to ensure the security of the data you hold.
Sarah has asked a question about an ICO publication; ’12 steps for preparing for the GDPR’ . The publication states that when collecting children’s data our privacy notice must be written in children’s language. We care for children under 5 – does this still apply?
No. Children under 13 cannot give consent themselves, so you need to have a legal justification for processing the data – whether that be through consent obtained from parents, or via another means – for example, legitimate interests. I imagine you’ll be processing data on the parents as well as the children so you’ll need explicit justification for both of these.
Although you don’t need to write things that make sense to your children, you do need to make sure it is easy to understand for their parents. For example, you need to make sure your consent forms are written in plain English and the way you will process the data is completely clear.
Debbie and Nicola have both asked questions about what data should be kept once children have left their settings. Can you shed any light on this?
GDPR does not change the data that you need to collect, or how long you keep it for. As a childcare provider, you are required to process certain data. Things like accident records, for example, are a legal requirement and need to be kept for a set number of years. GDPR doesn’t override this so you still need to comply with these data retention periods.
If there is any data that you’re keeping that doesn’t NEED to be kept, then you should think about deleting it. The less data you hold, the less risk there is of a data breach.