
GDPR guidance for childcare services

The General Data Protection Regulation (GDPR) is an EU law that came into effect on 25 May 2018. It replaced the Data Protection Act (DPA) 1998 and the changes remain in place after the UK left the EU.

GDPR has given individuals greater control over their own personal data. Your daycare or other early education and childcare setting should already have a data protection policy in place, which will need to be compliant.

The best place to check you are compliant is the Information Commissioner’s Office's Guide to the GDPR.

GDPR principles

GDPR condenses the Data Protection Principles into 6 areas, which are referred to as the Privacy Principles:

  1. You must have a lawful reason for collecting personal data and must do it in a fair and transparent way
  2. You must only use the data for the reason it is initially obtained
  3. You must not collect any more data than is required
  4. It has to be accurate and there need to be systems in place to keep it up to date
  5. You cannot keep it any longer than needed
  6. You must protect the personal data

These principles are supported by a further principle – accountability.

This means your setting needs to not only do the right thing with data but should also show that the correct measures are in place to demonstrate how compliance is achieved.

There is also an expectation that staff will be trained on data protection. Documentation on policy, procedures and training is going to be a key part of any effective compliance programme.

Areas to consider

Appointing a data protection officer

For most settings, appointing an individual who takes the lead on data compliance will be enough, although larger early education and childcare provider chains may need to appoint a data protection officer. Check with the Information Commissioner's Office.

Privacy notices

When you collect any data you must tell people exactly how you are going to use it, who you might share it with, how long you will keep it, as well as information on consent and complaints.

Individual rights

People have rights on the collection, access and deletion of their data so you must ensure your setting has mechanisms to allow individuals to exercise these rights.


GDPR requires early education and childcare providers to have a legitimate reason for processing any personal data. Where you rely on consent to process data you should be able to demonstrate that the consent was freely given. Pre-ticked boxes or inactivity will not be sufficient. People will need to actively opt in.

Data agreements

Early education and childcare providers will be obliged to have written arrangements with anyone processing data for them. Providers must make sure that anyone processing data will meet GDPR requirements.

New projects

Data protection must be incorporated into new projects and services at the development stage, not simply as an afterthought.

Breach notification

You are obliged to notify the Information Commissioner's Office (ICO) of a data breach within 72 hours of becoming aware of that breach.


One of the key drivers for compliance is that organisations can be fined significant amounts if they do not comply. However, you should focus on the benefits of ensuring you are handling your data properly, rather than worry about avoiding a potential fine.

Frequently asked questions about GDPR

What is personal data?

Personal data, in relation to early education and childcare providers, is any information collected about children and their families.

Do you collect and process personal data?

Yes – all early education and childcare providers collect and process personal data about children and their families.

Is the data you collect sensitive?

Yes – select services collect and process sensitive personal data about children and their families.

Do you have lawful grounds for processing personal data?

Yes – early education and childcare providers are required to collect information about children and their families to comply with the statutory requirements of, for example, the EYFS, HMRC, the Parental Register, the Early Years Inspection handbook and Ofsted.

How is consent collected?

Consent is a tricky one - in some instances the questions early education and childcare providers ask parents to answer are statutory - you cannot do your job without them, such as the child's full name, date of birth and address.

Therefore, early education and childcare providers have a legal reason for requesting the information and do not need consent. In other instances, the questions asked of parents are useful and allow you to do your job better - such as asking for information about children's siblings or their doctor's contact details, but they are not statutory (required by the EYFS or other statutory frameworks).

The ICO advises that you are likely to need consent to process this type of data.

Can parents withdraw their consent?

Yes – however, this might mean that the provider is in breach of the EYFS, HMRC or insurance requirements, so if parents withdraw consent, advice should be sought from the ICO and / or Ofsted before information is deleted.

Is collected data accessible to parents?

Yes – parents can view, update and change any data that is held at any mutually agreed time.

Is data used only for the purpose it is originally collected?

Yes - as a general rule additional written permission is requested from parents before data is used for other purposes. For example, parents are asked for written permission before you share information with other settings or professionals to support their child.

Is data accurate?

Yes – parents are required to be regularly asked to update the information held.

Is information about data storage shared with parents?

Yes – parents must be informed how long data will be stored and how it will be destroyed when no longer required as evidence by Ofsted, HMRC or insurance purposes.

Is data protected and secure?

Yes – security measures must be in place including:

  • home security steps – for example, password protection and virus protection can both be used
  • paper security steps – for example, locks on cupboards where written data is stored or an alarm on a house

How are data breaches reported?

GDPR states that data breaches which are ‘likely to result in a risk to the rights and freedoms of individuals’ must be documented and reported to the Information Commissioner's Office (ICO) not later than 72 hours after it has occurred.

If you are investigated, the ICO will expect to see a risk assessment that shows how the risk of data breaches will be minimised going forward.

Parents must also be informed about data breaches which impact their ‘rights and freedoms’. The ICO will give advice on whether a report is needed.

Read more about data breaches on the ICO website.

Are your documents up to date?

Check your:

  • permission form
  • parent / child documentation
  • privacy notice
  • confidentiality policy
  • complaints procedures
  • induction training

Last updated 26 August 2022