General Data Protection Regulation (GDPR) and Data Retention Policy
The General Data Protection Regulation (GDPR) is a new EU law that came into effect on 25 May 2018. It replaces the current Data Protection Act 1998 and the changes will remain in place even after the UK leaves the EU in 2019.
GDPR gives individuals greater control over their own personal data.
My setting, like all early years settings, already has a data protection policy in place, but GDPR will introduce some significant changes.
GDPR will condense the Data Protection Principles into six areas, which are referred to as the Privacy Principles. These are:
- We must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
- We will only use the data for the reason it is initially obtained.
- We will not collect any more data than is necessary.
- It has to be accurate and there must be mechanisms in place to keep it up to date.
- We cannot keep it any longer than needed.
- We must protect the personal data.
This means that a setting must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved.
As part of the compliance programme, I will be trained on data protection and have documentation on policies.
Areas to consider
I will be responsible for data protection
Privacy notices — When I collect any data I must tell people exactly how I am going to use it, who I might share it with, and how long I will keep it, as well as information on consent and complaints.
Individual rights — People will have new and enhanced rights on the collection, access and deletion of their data so I must ensure we have mechanisms to allow individuals to exercise these rights.
Consent — GDPR will require early years providers to have a legitimate reason for processing any personal data. Where I rely on consent for processing data I must be able to demonstrate that the consent was freely given. Pre-ticked boxes or inactivity will no longer suffice. People will have to actively opt in. I will continue to ask parents and carers to sign and date policies, permissions and other relevant documents.
Data agreements — Early years providers will now be obliged to have written arrangements with anybody processing data for them. Providers must make sure that anyone processing data will meet GDPR requirements. The data I collect will be shared with Devon County Council, HMRC and Ofsted where legally required. I treat all information as confidential and share your information with no one else.
New projects — Data protection must be incorporated into new projects and services at the development stage.
Breach notification — I am obligated to notify the Information Commissioner's Office (ICO) of a data breach within 72 hours of becoming aware of the breach.
The Information I will collect
As part of my registration I am required by Ofsted and the Inland Revenue to collect the name, address and date of birth of your child as well as parents' contact details. I note who has parental responsibility and the names and contact details of emergency contacts. I will ask you to sign and date all legal permissions.
I keep a register of attendance which I will ask you to sign each week. I record all fees received each week and ask you to sign the monthly totals.
I will ask parents for their National Insurance Number if they wish to apply for 30 hours Early Years Funding.
How long must I keep this information?
I will keep clearly written records, signed by parents and stored securely in a locked filing cabinet.
For legal reasons some records must be retained securely until the child is 21 years and 3 months old. These include –
• Accident and first aid forms*
• Medication administration forms*
• Incident records*
• Complaints made by parents relating to their child’s care, safety, health etc*
• Physical intervention reports*
• Records of any reportable death, injury, disease or dangerous occurrence* reported to RIDDOR**
• Permission forms*
• Safeguarding allegations*
• Attendance registers
All forms marked with * must be signed by parents – it is not a requirement for attendance registers to be signed by parents but this remains good practice.
** RIDDOR requires records to be retained for 3 years after the date on which the incident happened.
I will keep your signed records of payment for at least 7 years to comply with HMRC.
Child protection records should be kept until the child is 25 years old according to some Local Authorities.
Insurance - the Employers’ Liability (Compulsory Insurance) Regulations 1998 state that PLI documents must be retained for 40 years from the date of issue.
What the requirements say…
EYFS requirement 3.70 – ‘Records relating to individual children must be retained for a reasonable period of time after they have left the provision.’ A ‘reasonable period of time’ is generally accepted to be 3 years. However, this requirement is superseded by insurance requirements.
Note that ICO guidance states that learning and development information, including photographs, must be given to parents when it is no longer useful to the childminder, i.e. when the child leaves the provision. All childminders who hold information about children and their families on digital media, including using mobile phones or cameras to take photos of children, must be registered with the ICO.
Childcare Register requirement CR8 states – ‘Childminders must keep records of the following and retain them for a period of two years:
• The name, home address and date of birth of each child who is looked after on the premises
• The name, home address and telephone number of a parent/guardian/carer of each child who is looked after on the premises
• A daily record of the names of the children looked after on the premises and their hours of attendance
• Accidents which occur on the premises where childcare is provided
• Any medicine administered to any child who is cared for on the premises, including the date and circumstances and who administered it, including medicine which the child is permitted to self-administer, together with a record of a parent/guardian/carer’s consent
• The name, home address and telephone number of every person living or working on the premises on which childcare is provided (or the part of the premises where the childcare is held, in the case of premises such as community/leisure centres, where only parts.’
The Childcare Register covers statutory requirements for children from the ages of 5 to 18 years.
Please see my Data Audit for further details.
Tel. 01297 552011