Latest updates - 17 November 2023
17 November 2023 - We’ve updated tip two to emphasise the need to consider any safeguarding concerns even if somebody has parental responsibility.
We’ve updated tip three to clarify that you can disclose unredacted CCTV footage where it’s reasonable to do so, and to emphasise you should only consider providing stills of CCTV footage where this is appropriate.
It’s vital to create a safe learning environment for early years children. Part of this is making sure the information you hold about them is used properly, shared appropriately and kept safe. We’re here to help you get it right.
These top tips will help day nurseries, pre-schools, nursery schools and childminders get started with data protection compliance.
Tip one: Know what ‘personal data’ is.
If you have information that identifies someone, either directly or indirectly, it’s classed as ‘personal data’. This includes all the information you hold about staff, suppliers, parents and carers, as well as the children in your care. This information might be held electronically, such as on your computer system or CCTV footage, or in hard copy, such as paper documents or printed photographs.
You need to know what information you have, why you have it, how long you need to keep it for, and how to keep it safe.
Tip two: Know how to deal with a request for information.
People have rights over their personal information. This includes being able to ask for a copy of the information you hold about them, known as making a subject access request (or a SAR). This right applies to children’s information too. If a child can’t request their own information, for example because they’re too young, a parent or representative can make a request on their behalf. If someone makes a request on behalf of a child, you must make sure it’s appropriate for them to see the information. For example, by checking whether they have parental responsibility and whether there are any safeguarding concerns.
The best starting point for responding to any requests made on behalf of a child is to consider what’s in the child’s best interests. If you’re not sure how to respond, contact us. We’re here to help.
Tip three: Know what to do with your CCTV footage.
It’s now commonplace to see CCTV being operated in small businesses. This may be for staff monitoring, health and safety, or for the detection and prevention of crime. If you have CCTV you’re likely to be capturing personal information, such as people’s faces or movements, so you’ll need to comply with data protection rules.
As with other types of personal information, people can make a SAR for the footage of themselves or, in some situations, on behalf of a child. If this footage contains images of other people, you should only disclose the footage if you have the third party’s consent to do so, or if it’s reasonable to do so without their consent. Where this isn’t the case you should redact the footage to remove or disguise the third parties wherever possible.
If your CCTV system doesn’t have the functionality to redact footage, you could consider providing stills with the identity of third parties blanked out where this is appropriate. Contact us if you’re unsure.
Tip four: Share data when needed.
In an early year’s setting, you’re likely to share information with the relevant regulatory authorities and other childcare providers. Data protection doesn’t prevent you from doing this where it’s relevant and necessary to do so.
Sometimes the information may relate to safeguarding issues. In these cases you must decide what information you need to share in the interests of protecting children. To help with this, we’ve produced a guide to sharing information to safeguard children.
Tip five: Keep data secure for the time you hold it.
Whether keeping personal information electronically or in hard copy, you must make sure the information is safe. A lot of this will be children’s data, and may also contain potentially sensitive information that will need a higher level of protection, such as safeguarding details or health information.
Your filing cabinets should be locked, and computers password protected. When sending sensitive information you should apply extra measures, such as restricting who can see it and encrypting emails. Your staff should be given regular training about their data protection obligations and confidentiality in and out of the workplace. Be aware of timescales for keeping the different types of information you work with because you must only keep information for as long as you need it.