What is GDPR?

The General Data Protection Regulation (GDPR) is an EU law that came into effect on 25 May 2018.  It replaced the current Data Protection Act 1998 and the changes remain in place even though the UK has left the EU.

GDPR gives individuals greater control over their own personal data.

Early years providers must be aware of GDPR and make changes to how they handle and store data in order to be compliant. 

GDPR principles

GDPR condenses the Data Protection Principles into six areas, referred to as the Privacy Principles. They are:

  1. Lawfulness: You must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
  2. Purpose: You must only use the data for the reason it is initially obtained.
  3. Data minimisation: You must not collect any more data than is necessary.
  4. Accuracy: It has to be accurate and there must be mechanisms in place to keep it up to date.
  5. Storage limitation: You cannot keep it any longer than needed.
  6. Integrity and confidentiality: You must protect the personal data.

These privacy principles are supported by a further principle – accountability.

This means your setting must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved.

There is also an expectation that staff will be trained on data protection. Documentation on policies, procedures and training is going to be a key part of any effective compliance programme.

GDPR Nursery Policy

At The Crown Nursery, like most other work environments, we are reliant on technology. Smartphones, computers, laptops and tablets are a fundamental part of modern life. From online banking and shopping, to email and social media, to the ‘smart’ devices that monitor and protect our premises - it’s difficult to imagine how we’d function without them. It is therefore more important than ever to take steps to protect these devices (and the data we store on them) from accidental damage, or from online criminals. Cyber security is about safeguarding the devices we rely on, protecting the services that we need to function and about protecting the vast amounts of personal or sensitive information we hold on the children in our care and their families.

At The Crown Nursery we ensure that all confidential records held about staff and children  can only be accessed by those who have a right or professional need to see them (either physically or digitally/online).

We will:

  • back up important information regularly
  • use passwords to control access to computers and information
  • protect devices from viruses and malware
  • deal with suspicious messages (phishing attacks)
  • ensure all data is held securely

 We will also:

  • appoint a Data Protection Officer – Charlotte Grubb
  • ask parents/carers for permission to obtain, hold and share data with other relevant professional (see GDPR Permission Form below)
  • tell parents/carers how we will use their data, who we might need to share it with eg other providers, healthcare professions
  • hold all data securely
  • ensure data is only accessible and available to those who have a right or professional need to see it
  • ensure that all staff understand the need to protect the privacy of the children in their care
  • ensure parents/carers have access to all records about their child, provided that no relevant exemptions apply to their disclosure under the Data Protection Act eg. consideration as to whether the disclosure of certain information about a child could cause harm either to the children or to any other individual
  • keep data safe for a period of time after children have left the setting (6 years)
  • have written arrangements with anybody processing data for them eg. accountants, healthcare professionals
  • notify the Information Commissioner's Office (ICO) of a data breach within 72 hours of becoming aware of the breach.