Guide to: GDPR - Ten common questions

How do the EU General Data Protection Regulations (GDPR) work in practice? Alexander Fetani, of the Early Years Alliance*, has the answers to ten commonly-asked questions.

Social media is awash with questions about how to interpret GDPR regulations for practical management issues. Here’s a handy guide from Alexander Fetani of the Early Years Alliance*.

1. Can I give first names only when parents ask for names of children for party invitations or cards?

You will need to obtain written consent from parents before giving out names – whether it be first names, surnames or both.

2. I have an open Facebook page which helps me recruit new parents. What do I need to do to make sure it is GDPR-compliant?

You must ask consent from parents to post images of their children. It is best practice to use a form to document that the consent has been obtained. You will need to specify how the images will be used and give parents the opportunity to easily withdraw their consent at any time.

3. How do I deal with people seeing others’ personal information, e.g. in my visitor’s book? What about parents catching sight of the register with all children’s names and dates of birth on? Or members of our committee seeing a spreadsheet with details of new starters?

Whenever you collect personal data you should always consider whether it’s necessary for you to have it – try asking yourself whether there is a way to achieve your purpose without collecting the data. You should also consider the risk of this data being seen by others and what practical control measures you can introduce to prevent that.

For example, you can easily minimise information you collect in visitor log books – perhaps by restricting it to names and the purpose of the visit.

You also need to ensure data is kept securely and is accessible only to those who need it. So think about why someone would need to see the information in the first place. Is it necessary for a committee to see new starters’ names and addresses and other details, or would the number of new starters be sufficient?

It is important to remember that whenever you collect people’s data, they should understand how it is being used.

4. What about photo and video: can parents take photos of, or film, concerts/events in the setting? What about them seeing pictures which have other children in, such as in an online learning journal?

Your setting should have procedures for photographs and videos being taken on site. These should include asking for consent from the parents to take and share images of children in any format, whether it be for learning journals or social media, and making it clear if other parents may see these images. Photographs taken of children at the setting by other parents should only ever happen with the consent of parents. Some settings ask parents not to take or share pictures that contain other children on social media.

There is an obligation on settings to have learning journals, so consider the lawful reason used for maintaining them.

5. Do I need to register with the Information Commissioner’s Office?

Yes, as you will be handling sensitive data. The guidance provided by the ICO explains that the registration fee will depend on the ‘tier’ your organisation falls under, taking into account factors such as how many members of staff you have and your annual turnover.

See https://ico.org.uk/for-organisations/data-protection-fee/faqs

6. We ask for names and contact details from any parents who contact us. How do we deal with the personal data from parents who may not even enrol their child?

You should only hold information for as long as is necessary. A reference can be made in your general Privacy Notice that such information taken from prospective parents will be held for as long as necessary, i.e. the period you define, in line with GDPR requirements.

7. Do I have to make sure that people I share data with, such as payroll and pension organisations, comply with GDPR? How do I do this?

The GDPR places an obligation on a controller of personal data, in this case you as a childcare provider, to ensure the protection of that data when it is processed by a third party. The GDPR is quite specific about the fact that a contractual agreement must be in place between the two parties, and that it should specify key items of information about the personal data involved and how it will be processed.

8. Do I have to seek consent from parents for children’s artwork or photographs to be displayed in a setting?

You may display artwork that has no personal data visible. However, if a child’s details are included in the artwork then you would need to rely on one of the lawful reasons to display the artwork with their name – this will primarily be with parental consent.

If you want to display photographs in a setting then again the easiest option is to ask for parental consent.

9. Does Ofsted inspect our GDPR/data protection policies?

Our experience to date is that this tends not to be the focus of the inspection. However, while they do not routinely inspect your data protection/GDPR processes, inspectors may look more carefully if they believe a setting isn’t following or doesn’t have procedures in place.

10. I’ve heard that shredding confidential waste is not good enough and that I must pay for secure disposal, but other accounts say shredding is fine. Is this right?

Shredding is an acceptable way of disposing of sensitive data. Documents must not be dumped and any records awaiting destruction should be stored securely.

*formerly known as the Pre-school Learning Alliance