5th March 2018

GDPR for nurseries, your questions answered

GDPR is the hot topic that everyone is currently talking about.

The new General Data Protection Regulation is an EU directive starting in May and it affects ALL UK businesses.

There is a lot of confusion in the childcare sector about GDPR, what changes need to be made and the best way to handle them.

So we brought in the experts to get your questions answered in a series of blog posts.

Eddie Whittingham is a former Police Officer and qualified solicitor, specialising in Cyber Crime. He is now the Managing Director of The Defence Works who provide online security awareness training, help organisations stay secure against cyber crime and reduce the risk of data breaches.

He came to Connect HQ and we asked him some of your questions:

Sheelagh asked, does GDPR affect data retention periods for childcare providers?


The new GDPR regulations don’t override any of your existing legal requirements. For example, you need to keep all of your staff records for 7 years.

Under GDPR any member of staff can request ‘the right to be forgotten’ but as you have an obligation to keep this data, you should not erase it until the 7 year retention period has expired.

I imagine there will be very few examples in a childcare provision where the right to be forgotten will be legitimate as you’ll need to keep your data for other purposes.

Connect Childcare have pulled together a data retention download with requirements from the Companies Act 2006, The Childcare Act 2006 and The Chartered Institute of Personnel and Development to help you understand your data retention requirements.

You can download it here.

We’ve had a number of childminders get in touch to find out how long they need to pay to store data. Can you shed any light on this?

I can try!

It is the responsibility of the childminder to retain their data for the required retention periods. It doesn’t matter whether they’ve retired or changed roles, the data retention periods still apply.

This is actually no different under GDPR than it has been previously, as GDPR doesn’t affect your existing retention periods.

The question of paying to store data will depend on how you store it. But unfortunately yes, you may need to pay a hosting company to store electronic data, or a storage company to keep archived paper files depending on how many files you need to keep.

Catriona and Anthony have both asked questions about sharing data with schools, Ofsted and their Local Authorities. What is the best way for providers to share data, considering that some of it can be sensitive?

It’s important that you have sharing agreements in place with any organisation that you share personal data with.

The ICO have some guidance on this in their code of practice that you can find here: https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf (have a look at the section on Page 25)

When it comes to actually sending the data you need to think about the security of the data you’re sending and how you can safeguard it.

GDPR places a big onus on encryption when sending data electronically, so try not to send emails without additional security measures. You can get software to encrypt messages for you which makes it much harder to decipher data if it is intercepted. On a more basic level, you can password protect electronic documents to add further security.

If you’re sending hard copies make sure you send them as recorded mail, so you know who has received them, just to give you that little bit more security.

Karen has asked about sharing information between her Out Of School Club and the school whose grounds she operates on. Although they share their premises they operate completely separately. How should she manage this relationship and the data they share?

The data sharing tips that we just discussed still apply here, so encryption or password protection are important. But as the two organisations, in this case, are so close they could collaborate and create a sharing process together. By working together they can create sharing processes and procedures that they both adhere to, to ensure that data is secure on both sides.

It’s also important to think about exactly what data they are sharing and why. Do you need to share as much as you currently do or can you limit it? Limiting the data that is shared will limit your risk of a breach.

Anthony would like to know how to manage photography within his setting. He uses photographs to update parents on child progress, decorate the nursery rooms and in his marketing material. What does he need to do to ensure this complies with GDPR?

This is really a question of consent. Under GDPR you need specific consent for all of the ways you might process and use data. So he might already have consent to take photos, but does he have consent to use them for marketing on his website etc?

It’s crucial to get explicit consent for each of the different uses.

For this example, you might also want to think about your retention policy. We know that you need to keep certain data for set time periods, but do you need to use photographs of children that have left your setting in your marketing material?

Mel has also asked a question about consent: we sometimes need to access our online learning journey software from home out of hours, do we need to get parental consent for this?

The first thing to highlight is that we needn’t solely rely upon consent. Under GDPR, it is likely you would also be relying upon a lawful basis, legal obligation or even legitimate interests. Presuming that you have a basis for processing data then no, you don’t need consent based on the time of day and the location you access from, but there are some security implications you need to consider.

This is less to do with GDPR and more about security good practice itself. You need to make sure the systems you are using are adequately secure. There must be a secure way of logging into those systems. iConnect, from Connect Childcare, has a 2 Step Authentication feature, which ensures that anyone logging in out of hours is approved (or denied) by a designated safeguarding officer. Find out more here

Avoid using the internet in a public place, like a train station or coffee shop, as these connections are not secure. Speak to your staff about the importance of staying secure whilst working from home to ensure that your data isn’t at risk.

We will be working with Eddie to answer more of your questions in our next blog.

To find out more about Eddie, The Defence Works and the service they provide have a look at his website: www.thedefenceworks.com/
About the Author

Connect Childcare have been developing purpose-built nursery management software for the past 15 years. Their mission is: To develop management software that improves the lives of children, globally.