Data protection aims to protect people’s personal information from misuse by placing controls on organisations and people who handle personal information. Early years settings must comply with the Data Protection Act 2018 and correctly store and record all the personal information that it holds about individuals whether they are an employee, child, parent or member of the public.
Data protection aims to protect people’s personal information from misuse by placing controls on organisations and people who handle personal information. The principal piece of legislation is the Data Protection Act 2018 (DPA). As part of this the 2018 Act applies the EU’s GDPR standards and ensured that modern, innovative uses of data can continue while at the same time strengthening the control and protection individuals have over their data.
The DPA places a number of obligations on settings when they process personal data.
For example, settings must notify the Information Commissioner about the information it holds and the purpose for holding such information and it must also comply with 8 data protection principles. To check whether you need to register with the Information Commissioner you can go through their quick self assessment tool. Some not-for-profit organisations may be exempt from registering with the Information Commissioner. Please see their website for further information.
Personal data must be:
As of the 25 May 2018, the European Union's GDPR (General Data Protection Regulation) comes into force in the UK. The GDPR will bring in stricter obligations that all employers must follow. GDPR a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union
The ICO (Information Commissioner's Office) has produced a guide to the GDPR, and has developed a number of free tools to help organisations to use. All businesses will be impacted – even a small, one-person business such as a childminding business. PACEY are launching tools to support childminders with this.
WF Traded Services offer a new service to assist you in complying with the requirement to appoint a Data Protection Officer (DPO) and the responsibilities set out in Article 39 of the General Data Protection Regulations (GDPR).
When an organisation collects personal information about an individual, it must make that information available to them.
In the documents below is a template privacy notice which is intended to enable you to fulfil your obligations under the Data Protection Act 2018 (‘the DPA’) and the EU General Data Protection Regulation (GDPR) Article 6 and Article 9 (from 25 May 2018). You may wish to use this privacy notice to update your existing privacy notice and it is recommended that you amend the notice to suit your local needs and circumstances.
The privacy notice should be given to both staff and parents.
The Early Years Foundation Stage statutory guidance places specific requirements on childcare providers in storing and protecting information and records, as well as the need for staff to be aware of their obligations to protect the privacy of children and the legal requirements which underpin this (paragraphs 3.68-3.71). Any provider which retains electronic records and/or digital photographs of the children in their setting must register with the Information Commissioner's Office.
The Early Years Foundation Stage statutory guidance (paragraphs 3.72 and 3.76) states that the following records must be held and in accordance with the DPA: