GDPR – privacy policy example
The GDPR will apply in the UK from 25th May 2018 despite Brexit. You will need to review the way you process information on parents, children and staff. You will also need to update your “Privacy and Confidentiality Policy” and make an amendment to your contract. You should share your new privacy notice with parents who already use your setting and get them to sign the amendment to your contract.
You should:
- Make a list of all the personal information that you store on parents, children and staff in your setting.
- Check that the personal information and data you hold on people is:
  - Up to date and accurate
  - Kept secure
  - Adequate, relevant and not excessive
  - Lawfully processed (see below)
  - Only kept for as long as necessary
- If you have staff, make sure that they are also aware of your processes regarding personal information.
You should: Update your Privacy Notice
Update your Privacy Notice and permissions from parents to include information about how the data you hold on people is being lawfully processed. Here is a sample privacy policy you can adapt for your setting:
Confidentiality and Privacy Policy
In order to work as your childminder I am legally obliged to collect certain information about you and your child to comply with the requirements of the EYFS and to maintain accounts and records. Other information that I collect is not a legal requirement but will help me to do my job as your childminder. I will need to process information such as: personal details, family details, lifestyle and social circumstances, financial details, GP contact details, inoculation details, allergy details and digital photographs. I also process sensitive classes of information that may include racial or ethnic origin, religious or other beliefs, and physical or mental health details. I have a legal requirement to collect and process some of this personal information about you and your child. I need you to sign to say that you are happy for me to collect and process the non-statutory information I need to best look after your child.
All information on children and families is kept securely and treated in confidence. I am registered with the Information Commissioner’s Office (ICO) and am aware of my responsibilities under the General Data Protection Regulation (GDPR). In general, the confidential information I have on file will only be shared if you give permission or there appears to be a child protection issue. I will only share information about your child with you or your child’s other carers, other professionals working with your child, or with the police, social services, local or central government including Ofsted. All details will be kept confidential and records are kept secure. You have a right to access any of the information that I hold on you or your child at any time.
If your child attends nursery or another setting while in my care, or arrives from nursery, school or another setting, then we will need to be able to share appropriate information between each other. This two-way flow of information will help your child to make the transition between carers. It will also keep you informed about anything you need to know that you weren’t there to hear yourself. You will need to sign to say you are happy for me to share information about your child in this way, and to pass along any information I learn to you.
When your child leaves my setting I will only store information on you or your child for as long as is necessary. Anything I don’t need to keep I will delete from my computer or shred. I may hold onto some photographs for my own personal use in albums or displayed in my house. Your child’s learning journey will be sent home with you on your last day.
If you have any complaints about the way you feel I have handled any of your personal data, please speak to me in the first instance so that we can resolve the complaint. You have the right to complain to the Information Commissioner’s Office (ICO) if you feel I have not resolved the complaint to your satisfaction.
Here is a sample permission box you could ask parents to complete. If you use my Contracts, Policies and Forms, you would add this as an amendment to your Contract and make sure that all the parents who use your setting have signed it:
____ I give permission for the childminder to collect and process non-statutory information about my child such as the name of my child’s GP, interests, likes and dislikes etc., as well as sensitive classes of information including my child’s racial or ethnic origin, religious or other beliefs, and physical or mental health details. This information will be kept confidential.
You should: Register with the Information Commissioner’s Office (ICO)
In the past many childminders have got out of registering with the ICO because it was felt that the ICO only cared about the storing of digital photographs. Childminders could get out of paying by saying, “I don’t need to register as I don’t store photos on my computer; I print then delete.”
The GDPR requires “every organisation that processes personal information must register with the ICO”. So the wriggle room to avoid the ICO registration fee has gone. ALL childminders will need to register with the ICO because all childminders must legally record and store personal information as a requirement of the EYFS statutory framework. Information about registering with the ICO as a childminder is here.
Many councils are putting on training sessions for childminders and I recommend you take one if you can. For general information from the ICO about GDPR read Preparing for the GDPR: 12 steps to take now. This is one of the most useful articles I have read so far that is specifically written for early years providers.
Please note that the information I’m presenting to you here is correct to the best of my knowledge but I am not an expert. If your council tells you something that directly contradicts something I’ve written here, please do as they say and most importantly TELL ME so that I can correct the information that I am sharing with others. Thank you.