Preparing for the GDPR: what nurseries and childcare providers can start doing now
Chris Hook
Experienced commercial lawyer specialising in the charity, education and sport sectors
22 August 2017
The General Data Protection Regulation will apply in the UK from 25 May 2018. Although it is not yet certain exactly how the GDPR will be implemented in practice, some things are already clear. Nurseries and childcare providers are well advised to start taking preparatory steps so that they are ready in good time.
Introduction
The General Data Protection Regulation will apply in the UK from 25 May 2018 and will replace the current Data Protection Act 1998. The GDPR will have “direct effect”, meaning that it will apply without the need for a specific new Act of Parliament. However, the UK has the option of “derogating” from (i.e. adding to or amending) certain provisions of the GDPR.
If your nursery has already begun looking at what it needs to do, you may have seen that there are still a number of grey areas about how exactly the GDPR will be implemented in practice. Some issues have recently been clarified by the Government’s statement of intention published on 7 August 2017. Other issues remain less clear for the time being.
Nonetheless, there are still a number of sensible preparatory steps which your nursery can take so that it is ready in good time.
1. Ensure that the board knows that the law is changing in May
The members of the board are legally responsible for the management and control of the nursery. It is primarily their responsibility to ensure that the nursery does whatever it needs to in order to comply with the GDPR. The ICO’s overview of the GDPR is a useful starting point, but formal training may also be required.
The board may well wish to form a committee or working group to review procedures and policies and to oversee the necessary changes.
2. Identify who will be responsible for reviewing procedures and policies and overseeing changes
The nursery will normally also employ someone whose job description includes key responsibilities under the Data Protection Act 1998. However, reviewing policies and procedures and implementing the necessary changes will likely be a significant task. For that reason the board may decide to form a committee or working group, comprising members of the board and nursery manager(s), to carry out the review and oversee implementation.
The GDPR will require certain organisations to appoint a designated Data Protection Officer to oversee compliance with the GDPR and advise the organisation at a senior level. If the nursery falls within the definition of a “public authority” (to be defined) or carries on “large scale” (to be defined) processing of special categories of personal data, it will need to appoint a designated DPO. Pending further guidance from the ICO, our current thinking is that most private and third sector nurseries will not be required to appoint a Data Protection Officer unless they are part of a large multi-setting provider.
In any event, your nursery may find it desirable to appoint a Data Protection Officer or someone to carry out the equivalent responsibilities.
Is there someone suitable within the nursery who has the expertise to perform this role? If not, it may be necessary to train an existing staff member or appoint someone additional; or the nursery may need to buy in this expertise from an external provider.
3. Carry out an audit of how your nursery uses personal data
The GDPR is concerned with “personal data” and what is called “special categories of personal data” (which is more or less what is currently known as “sensitive personal data” under the Data Protection Act 1998). The GDPR does not affect other types of records or information held by the nursery.
The nursery should ask itself:
- What types of personal data does it hold, use or send? The names and addresses of its children and their parents; the children’s entitlement to the 15 or 30 hours’ free childcare; their medical conditions and GP contact details; their religious beliefs and any dietary requirements; digital images of the children; and so on. The nursery will also hold personal data about its staff.
- Where does the nursery get this personal data from? Usually this will be from the child’s parent or the staff member. An important question is: does the nursery really need the information?
- How is the personal data held or stored? Is it secure? If it is held electronically, does the nursery have the relevant passwords and cyber-security software?
- What does the nursery use the personal data for? The nursery will use the children’s information for the day-to-day provision of childcare. Much of the parent’s information will often be used for the administration of the services e.g. the contractual and payment arrangements. Staff information will be used for HR, payroll and tax functions, for example.
- Who does the nursery disclose the personal information to? For different types of personal data this may include the parents and other family members; health and social care professionals; HM Revenue & Customs; and so on.
- How does the nursery ensure that the personal data is not disclosed to the wrong person? For example, if personal data is kept electronically, is access limited to those who need to see it? If it is transported outside the nursery, is the laptop or USB stick password-protected?
This exercise will assist the nursery when it comes to updating its policies and procedures (see below). For this the nursery will also need to identify on what legal basis it processes the personal data.
4. Review the nursery’s third party data processing arrangements
Does the nursery disclose personal data to a third party so that the third party can process the personal data on behalf of the nursery? For example, does the nursery have an external HR or payroll provider? If so, the nursery will need to have a written data processing agreement containing various mandatory provisions required under the GDPR. The nursery should speak with its providers and take legal advice to ensure that a compliant agreement is put in place.
In addition, does your nursery process personal data on behalf of another organisation e.g. a “Friends of X Nursery” group? If so, and the nursery looks after personal data on behalf of the group, it may be necessary to have a written data processing agreement with the group.
5. Review and update the nursery’s policies and privacy notices
The nursery’s existing data protection policies and privacy notices are unlikely to comply with the GDPR in their current form. Having gone through the audit processes above, the nursery should consider how procedures and policies should be updated to ensure compliance. It may be necessary to obtain professional advice from data security professionals as well as specialist legal advice.
Chris Hook is an associate solicitor at Hempsons in Newcastle upon Tyne. He provides specialist legal advice to charities, social enterprises and educational institutions on a wide range of charity, commercial, regulatory and public law matters. He can be contacted at [email protected] or 0191 230 6052.
Philippa Doyle is an associate solicitor at Hempsons in Harrogate. She advises private, public and third sector organisations, particularly in the area of health and social care, on information governance, data protection and regulatory matters. She can be contacted at [email protected] or 01423 724028.
Disclaimer: This article contains information which is necessarily general. It does not constitute legal advice. It is essential that, before proceeding with a particular course of action, you take specialist legal advice on any relevant considerations which may apply in your specific circumstances so that you can properly assess your options and any associated risks and benefits.