On the 25th May 2018 the General Data Protection Regulation will come into effect and become law which will impact all businesses including the Early Years sector. As childminders we must be compliant with all new legislation that comes into force and we must meet any new requirements. This is European legislation and includes the UK now, but this will remain in place even once we leave the EU.
The GDPR has been brought in to reflect more modern times including the electronic systems and processes we use to collect and store data. It is also to give individuals greater control over their own personal data. However, it is not just for those who use modern technology, the law affects any business which uses a highly structured filing system –in short, any setting that needs to process and store away personal data as part of their responsibilities. Personal data includes any data which can identify a person including but not limited to; names, addresses, invoices, date of birth, telephone numbers and email addresses.
GDPR uses two terms, the controller and the processor. The controller determines the purpose and the means of personal data. The processor processes data on behalf of the controller. As childminders we will always be one or both.
The GDPR Principles for data processing are as follows:
- Processed lawfully, fairly, and in a transparent manner.
- Collected for specified, explicit, and legitimate purposes.
- Adequate, relevant and is limited to what is necessary.
- Accurate and where necessary kept up to date.
- Retained only for as long as necessary.
- Processed in an appropriate manner to maintain security.
Lawfulness of Processing Data:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject.
- Processing is necessary for the compliance with a legal obligation.
- Processing is necessary to protect the vital interests of the data subject.
- Processing is necessary in the public interest or the controller has official authority.
- Processing is necessary for the purposes and legitimate interests pursued by the controller or a third party.
Consent.
- All consent to collect or store data must be freely given.
- It should be unambiguous.
- Consent can be withdrawn at any time.
- Consent must now be freely given so pre-ticked boxes will no longer be used; in short people must now be able to opt in rather than opt out.
As childminders we are already bound by the regulations set by the Information Commissioner’s Office (ICO) and pay our yearly fee to ensure all our data is protected by the laws of the country.
Retention Periods.
This remains unaffected by the GDPR, and we must continue to store personal data for the specified length of time. We only hold what we are legally required to keep, and if we have other information you as the parents have the right to request it or request for it to be destroyed. Retention periods change so please get in touch if you would like to know what the current regulations are regarding retention of personal data. We also must ensure we keep up to date with the latest retention regulations.
Any data we collect must fall into one of the six “Lawfulness of Processing Data” categories described above. If it does not we can ask you for explicit consent, which you can withdraw from at any time. Of course, there will be some Acts which we must adhere to over and above GDPR; one example of this is the Children’s Act.
Data Storage at Nido Montessori.
Nido stores all data electronically within secure systems and encrypted hardware, protected by complex passwords where required. Any documents either produced or received as hard copies are scanned to PDF file format after which the hard copies are destroyed.
Data Breaches.
We will be obligated to notify the ICO of a data breach within 72 hours of becoming aware of the breach. We understand that significant fines can be imposed for failing to follow correct procedures following a data breach.
Please see separate Privacy Notice.