
General Data Protection Regulation (GDPR)

Preparation Pack for Early Years Settings

EY GDPR Preparation Pack LS V5 April 18 1

Cover: GDPR, Child Data, Staff Data, Data Controller, Privacy and Consent, DPO, Data Processor

CONTENTS

1. Introduction
2. Background and Key Changes
3. Data Protection Registration
4. Data Protection Roles
5. Data Protection Principles
6. Data covered by GDPR
7. Fair Processing (Privacy and Consent Notices)
8. Limited Lawful Purposes and Consent
9. Rights of Individuals
10. Subject Access Requests
11. Data Protection Breaches
12. Useful Preparation Templates
12.1 Data Audit
12.2 Data Risk Register
12.3 Privacy Impact Assessment
13. Data Protection Policy
14. GDPR Summary and Checklist
15. Other Considerations and Further Support

Appendices

A. Data Risk Register Template
B. Data Audit (Asset) Template
C. Privacy and Consent Notice Template
D. Privacy Impact Assessment Template
E. Subject Access Record Template
F. Data Breach Record Template
G. Wording to update existing Data Protection Policy
H. GDPR Preparation Checklist


GDPR Preparation Pack for Early Years Settings

1. Introduction

The Government’s new Data Protection (DP) Bill brings data protection legislation up to date and implements the EU General Data Protection Regulation (GDPR). The GDPR, which aims to strengthen and unify data protection for all individuals within the European Union, will replace the Data Protection Act (DPA) 1998 on 25 May 2018 regardless of Brexit.

The DP Bill will, when it is finalised, provide clarity on some parts of the GDPR.

This preparation pack contains information to support all Shropshire Early Years settings in preparing for GDPR. It is supported by GDPR guidance, links to FAQs and links to Information Commissioner’s Office (ICO) resources. This information is also available on the Shropshire Learning Gateway (SLG).

All providers in receipt of funding for the early years free entitlement will be required to adhere to the requirements of the GDPR in relation to all the data they collect and retain.

The templates in this GDPR preparation pack are included as separate appendices in word format available for Early Years settings to amend and complete accordingly. Early Years settings may find better ways of recording incidents and these should always be considered.

This preparation pack does not provide a full picture of the changes needed for GDPR. Early Years settings are therefore encouraged to access the ICO links, including the ICO FAQs, and to attend Data Protection/GDPR training.

The Information Commissioner’s Office (ICO) has provided resources for education establishments preparing for GDPR. These are recommended as a starting point:

Home page: https://ico.org.uk/for-organisations/education

Education FAQs: https://icosearch.ico.org.uk/s/search.html?query=education+faq&collection=ico-meta&profile=_default

12 steps for preparing for GDPR: https://icosearch.ico.org.uk/s/search.html?collection=ico-meta&query=12+steps&profile=_default

Additional work is being done by Shropshire Council to review systems, policies and procedures. Early Years settings will be provided with regular updates on this work, together with any other GDPR information they need in order to comply with the legislation.


2. Background and Key Changes

Early Years settings are likely to already be compliant with DPA 1998 which means they are in a good place to comply with GDPR and the DP Bill.

GDPR requires employers to refine their approach to data protection in terms of data capture, storage, processing, transport, security and removal of personal data.

In brief Early Years settings need to consider:

The legal basis for processing different types of personal data belonging to staff, children and parents/carers

Extended rights of staff, children and parents/carers as to how their data is processed

The additional information that staff, children and parents/carers will need to be provided with

How Subject Access Requests will be processed

The data protection regulator, the Information Commissioner’s Office (ICO), will gain the power to impose greater sanctions where data is breached. Where consent is the lawful basis relied on, parental consent will be required to process the personal data of children under the age of 13.

Unlike the DPA 1998, the GDPR imposes a significant burden for demonstrating compliance with the data protection regime on both data controllers (Early Years settings) and data processors (Local Authority and other processors of Early Years setting data). This contributes to the overall principle of accountability.

The main changes are explained in a little more detail:

The Legal Basis:

There are now six lawful bases* for processing personal data (see section 8, Limited Lawful Purposes and Consent, for further information):

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose**.

(b) Contract: the processing is necessary for a contract you have with the individual, (including a contract of employment) or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (e.g. deducting tax, or providing employee liability information as part of a TUPE transfer; this does not cover contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life (e.g. sharing medical history in the event of a life-threatening accident at work).


(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Where consent is relied on, Early Years settings should make it easy for people to withdraw it and tell them how.

*No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on the purpose and relationship with the individual.

The lawful basis must be determined before beginning processing, and it should be documented. The privacy notice should include the lawful basis for processing as well as the purposes of the processing.

**If the purpose changes, Early Years settings may be able to continue processing under the original lawful basis if the new purpose is compatible with the initial purpose. This does not apply where the original lawful basis was consent: in that case, fresh consent must be obtained for the new purpose.

If processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

If processing criminal conviction data or data about offences, Early Years settings need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

Extended Rights

The GDPR introduces some new employee rights as well as enhancing existing ones. For example, employees will have a new data portability right which will allow them to request that certain personal data is transferred directly to a third party. Further, employees will have the suite of so-called “delete it, freeze it, correct it” rights, which are aimed at giving them more control (in certain circumstances) over how their personal data is processed. These rights will be limited in Early Years settings, since in most cases there will be a lawful basis for processing and retaining the data concerned. See section 9 for more information about the rights of individuals.

The additional information

Under GDPR, staff, children and parents/carers (in relation to a child under 13) will need to be provided with more detailed information about the personal data held about them. This means that Privacy Notices will need to be reviewed or introduced to explain the purpose for which any personal data is processed and the legal basis for doing so. Amongst other things, any relevant data retention policy must be explained, along with the individual’s rights in relation to their personal data, their right to withdraw consent to processing and their right to lodge a complaint with a supervisory authority. Notwithstanding the volume of information, all details must be provided in a manner that is concise, transparent, intelligible and easily accessible. Early Years settings, as employers, must be able to demonstrate that this has been done.

Subject Access Requests

The right of employees to request information about the personal data processed by their employer remains broadly similar, but GDPR changes the time frames. The time allowed for responding to a ‘subject access request’ is reduced from 40 days to one month; where a request is complex or numerous, this can be extended by a further two months, provided the individual is told of the extension within the first month. A fee can no longer be charged unless the request is manifestly unfounded or excessive. The starting position is that employers must respond to a request without undue delay. See section 10. Separately, a personal data breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of the setting becoming aware of it (see section 11).

What does processing cover?

Processing generally covers any operation or series of operations you carry out on personal data:

collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure and dissemination.

3. Data Protection Registration

Early Years Settings that were required to register with the ICO under the Data Protection Act 1998, will probably need to register, and pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.

When the new Regulations come into force on 25 May 2018, Early Years settings will not need to re-register and pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act do not have to re-register or pay the new fee until that registration has expired. The new fee is tiered by the size and turnover of the organisation (£40, £60 or £2,900 a year); most Early Years settings will fall in the lowest tier.

4. Data Protection Roles

4.1 Data Protection Officer

The Early Years setting may need to appoint a Data Protection Officer (DPO) to be the first point of contact with the ICO and data subjects.

The DPO has these main responsibilities:

To advise and inform the Early Years setting and its staff about their obligations to comply with GDPR and any other data protection legislation, including subject access requests.

To monitor the Early Years settings compliance with GDPR, train staff, conduct audits etc.

To act as the point of contact for the ICO, including in relation to breach notifications (the duty to notify the ICO of a breach rests with the setting as data controller)

Who can Early Years Settings appoint to be the DPO?

GDPR states that the DPO must report to the highest level of management, be independent and not penalised for doing their job and be provided with adequate resources to perform their tasks.

On top of that, the DPO must have professional experience and knowledge of GDPR and data protection law and must have no conflict of interest.

The DPO could be a current employee if the above criteria can be met, but could also be a newly recruited role, a volunteer (e.g. a governor) or an external party contracted in.

An employee appointed as DPO can have access to, and be responsible for, certain systems, but should not have overall responsibility for ICT (i.e. should not be the ICT network manager), as that would be a conflict of interest.

If an Early Years setting employee is appointed as the DPO they must be adequately trained and the responsibilities should be included in the employee’s job description.

The DPO does not have to be an employee of the organisation nor does there need to be a separate DPO for each Early Years settings/organisation.

One DPO could be responsible for a number of Early Years settings. However, they would need to be available when required and have sufficient time and resources to cover the Early Years settings adequately.

A decision about who is the DPO should be taken as soon as possible so that they can be appointed in time to help support the Early Years setting to become compliant before May 25th, 2018.


4.2 Data Controllers and Data Processors

The ‘data controller’ says how and why personal data is processed and the ‘data processor’ acts on the data controller’s behalf. The definitions are unchanged from the DPA 1998, but there are now specific duties and obligations placed on data processors as well as data controllers. Under GDPR, data controllers are required to ensure that their contracts with data processors comply with the GDPR.

The definition of a data controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and the means of processing the personal data i.e. the Registered Person/Manager. In effect, this means that a data controller not only has to comply with the Principles of GDPR (see section 5) but must also be able to evidence how they do so.

The data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller. The Local Authority is a data processor.

In Early Years settings, examples of other data processors may be an electronic software system (e.g. Tapestry, Baby Days), a library system supplier, or any other third-party supplier that uses child, parent or staff personal data to provide the Early Years setting with a service or product. The Early Years setting should determine which suppliers they will use and what data those suppliers may use to provide their services.

The data controller is responsible for determining:

The legal basis for collecting the data

Which items of personal data to collect

The purpose(s) the data is to be used for

Which individuals to collect data about

Whether to disclose the data and, if so, to whom

Whether subject access and other individuals’ rights apply

How long to retain the data

Data processors also have obligations which must be set out in a legal contract which ensures that the processor:

Processes the personal data only on documented instructions from the controller

Ensures their staff involved in processing the data observe confidentiality

Takes appropriate security measures to protect the data

Assists the data controller, using appropriate technical and organisational measures, in responding to requests from individuals exercising their rights


Helps the data controller to ensure compliance

Returns or deletes all the data at the end of the contract

Provides the data controller with all information necessary to demonstrate compliance

Early Years settings can no longer merely sign a supplier’s order form – they need a legally binding contract in place that stipulates all the above or they are not legally allowed to use the processor at all.

Suppliers to Early Years settings that use any of their personal data – whether on child, parents, staff, committee members, volunteers etc. – will need to review their contracts to ensure they meet these requirements and re-issue them as necessary.

5. Data Protection Principles

Early Years settings will already be familiar with the data protection principles in place under the DPA 1998. The GDPR updates these principles. The purpose of the principles is to protect individuals against infringements of their privacy that cause harm.

The GDPR introduces a new transparency requirement, more robust data minimisation concept, allowance for data to be stored for longer for statistical research and controller accountability.

1. Lawfulness, fairness and transparency

Personal data must be processed lawfully, fairly and in a transparent manner.

2. Limited lawful purpose (purpose limitation)

Personal data must only be collected for specified, explicit and legitimate purposes.

3. Data minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the intended purpose.

4. Accuracy

Personal data must be accurate and, where necessary, kept up to date.

5. Storage limitation

Personal data must not be kept in a form which permits identification for any longer than necessary for the given purpose.

6. Integrity and confidentiality

Personal data must be processed in a manner which ensures its appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

7. Accountability

The data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.

6. Data covered by GDPR

Personal Data

Both the GDPR and the DPA 1998 direct how ‘personal data’ should be processed; however, the scope of ‘personal data’ has broadened under the GDPR.

Personal data is any information about an identifiable living person. In an employment context this could include employees, workers, contractors or agency staff, as well as information about job applicants and individuals who have left the company.

The person may be identified by name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Early Years settings will need to consider what methods could be reasonably used to identify the individual from the data.

The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This is wider than the DPA definition and could include chronologically ordered sets of manual records containing personal data.

Important: Previously, the information had to have the individual as its focus, i.e. being named on an email address list would not be sufficient. Now, the information may relate to an individual even if it does not focus on him/her.

Examples of personal data include CCTV film, lift or floor access information, computer log on data, data on websites visited, phone calls made and emails sent or received.

Sensitive Personal Data

Early Years settings will need to continue to take additional care when processing sensitive personal data, called ‘special category data’ under the GDPR. The categories are largely unchanged, but genetic data and biometric data (where used to uniquely identify a person) are now explicitly included:

Racial or ethnic origin

Political opinions

Religious and philosophical beliefs

Trade union membership

Health, sex life or sexual orientation

Genetic and biometric data

7. Fair Processing (Privacy Notice and Consent Form)

Under the DPA 1998, Early Years settings already have to provide individuals with information about how their data will be used (or ‘processed’) to ensure transparency. These are sometimes referred to as ‘privacy notices’, ‘fair processing information’ or ‘notices of data processing’. The GDPR broadens those existing obligations.

Early Years settings must inform individuals that they have collected data from them whether that data has been collected directly, or received through a third party (unless providing the information would involve disproportionate effort). For example, personal data obtained from a job applicant who applies through your website or a candidate who has been sourced by a recruitment agent.

The information should be provided when the personal data is collected from the individual, before or at the same time that the data is collected. Where the data is collected from a third party - as soon as possible and no later than a month after collection.

Where the reason for processing the data changes, you will need to update the information provided to the individual.

The information must be conveyed in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Where data relating to children is processed, it should be simple enough for a child to understand.

It must be provided in writing unless someone asks for the information orally.

Where personal data is directly collected from the individual, the following needs to be included in the privacy notice:

The identity and contact details of the data controller or its representative

The contact details of the data protection officer (where applicable)

The purpose(s) and legal basis for the processing of the personal data

Where ‘legitimate interest’ is relied upon, details of that interest

Who will receive the personal data (if anyone)

Whether there is an intention to transfer personal data to a non-EEA country or an international organisation, and the safeguards in place

How long the personal data will be stored (where unknown, the criteria for determining that period)

That the individual has the following rights: right of access, rectification, erasure, restriction of processing, objection and data portability

If data is being processed with the individual’s consent, their right to withdraw consent at any time*

The right to lodge a complaint with the ICO

Whether providing the data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; also, any obligation for the individual to provide the personal data and the consequences if they fail to do so

Where the Early Years setting intends to further process the data for a purpose other than that for which the data was collected, the Early Years setting should first provide the individual(s) with information on the new purpose and any other relevant information

Where personal data has not been obtained from the data subject, the categories of personal data concerned should also be included

* Please note that there should be very few categories (if any) of data held by an Early Years setting that require consent, since most data is held for a legal or statutory purpose. There will be some data which is held on the basis of legitimate interest (e.g. holding a job applicant’s details for a period of time in case a further vacancy occurs and the applicant can be contacted).

The sample Early Years settings Privacy and Consent Notice template (seen in Appendix C) meets with the requirements of GDPR. This template is separated into 4 parts:

1. Part 1 (of which 2 copies should be issued) summarises GDPR requirements and is issued in duplicate so that the first copy is retained by the data subject and the second copy is returned as evidence of the notice having been received. There is a separate consent box to comply with the requirements of GDPR.

2. Part 2 informs the data subject in detail about what is held/collected/shared, for what purpose and on what lawful basis, and for how long. There is also a Y/N summary of whether consent is required.

3. Part 3 is optional and allows the Early Years setting to collect data as part of the privacy notice. The Early Years setting should state the purpose for the collection and the consequences of not providing the data.

4. Part 4 informs the data subject about their individual rights, including making SARs, and who to contact if they want to exercise their rights or have any concerns (including contacting the ICO).


Early Years settings will note that Part 2 of this draft has been populated with child data to demonstrate how this privacy notice might be completed.

Early Years settings will also need to consider additional data they hold/ collect/share and populate additional Part 2 pages as necessary.

The Local Authority, as a data processor, will also review where it needs to provide privacy notices for Early Years settings to pass on to their data subjects to ensure compliance. This will include staff data. Early Years settings should expect to receive these from other data processors too.

EARLY YEARS SETTING PRIVACY & CONSENT NOTICE PART 1

This privacy notice and consent applies to children, parent/carer and staff data held by this Early Years setting in relation to data held for:

PARENTS/CARERS: parent’s data [tick]

PARENTS/CARERS: child data (for under 13-year-old child only) [tick]

CHILD: child data (child aged 13 or over only) [tick]

STAFF: staff data [tick]

WHY IS THIS NOTICE BEING SENT?

The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 on 25 May 2018. The Early Years setting is now required to tell all data subjects about the data that is collected about them. This form may also be used to collect certain data. Early Years settings must tell parents/carers, children and staff:

what data is being collected

what purpose the data is used for

whom the data is shared with

the lawful basis for holding your data

how long we will keep your data

your individual rights under GDPR

PURPOSE FOR HOLDING DATA

Please see Part 2 for a full list of data the Early Years setting holds/collects/shares.

WHAT ARE YOU REQUIRED TO DO?

Please read this Early Years Setting Privacy and Consent Notice carefully.

Please complete all the details about additional data the Early Years setting needs to collect from you in Part 3.

In all cases you will be asked to sign BOX A to confirm that you have received this information.

If your consent is required then you must also sign BOX B to demonstrate your consent to certain data being held or used.

All signed copies of Part 1 should be returned to the Early Years setting as soon as possible. You should keep the remainder of this notice.

YOUR CHOICES

You have the right to see the information that we have about you and to get any mistakes corrected. See Part 4, Requesting Access to Your Personal Data.

BOX A: I the undersigned have received this Early Years Setting Privacy and Consent Notice.

PRINT NAME …………………………...

SIGNATURE …………………………………..

ON BEHALF OF CHILD’S NAME (IF UNDER 13) ……………………………

DATE …………………………………….

BOX B: I the undersigned give permission for the collection and processing of my personal information by the third parties listed in this document.

PRINT NAME …………………………...

SIGNATURE …………………………………..

ON BEHALF OF CHILD’S NAME (IF UNDER 13) ……………………………

DATE …………………………………….

COPY FOR YOU TO KEEP

COPY TO BE RETURNED TO EARLY YEARS SETTING

(The second copy of Part 1 is identical to the copy above; it is signed at BOX A, and at BOX B where consent is required, and returned to the Early Years setting.)

DATA THE EARLY YEARS SETTING HOLDS/ COLLECTS /SHARES

PART 2

CATEGORY OF DATA: E.G. CHILD INFORMATION Personal Information (name, DOB, address, adults with PR and their addresses)

characteristics (such as ethnicity, language, nationality, country of birth and free Early Years setting eligibility);

attendance information (such as sessions attended, number of absences and absence reasons); exclusion / behavioural information; special educational needs; and any relevant medical information. any accident/incident data regarding child.

Early Years setting to add to this list other categories of children’s information they collect hold or share these may include assessment information, medical information, SEN information PURPOSE FOR HOLDING DATA:

to support child learning to monitor and report a child’s progress to provide appropriate medical care to assess the quality of our services to comply with the law regarding data sharing to safeguard children to comply with the law regarding monitoring and reporting on any accidents/incidents to child

arising out of or in connection with any Early Years settings activity

Early Years settings to add to list any other reason for which they collect and use children’s information

LAWFUL BASIS ON WHICH THIS DATA IS USED:We collect and use personal information in order to meet our legal obligations as set out in GDPR and UK law, including those in relation to the following:

• Article 6 and Article 9 of the GDPR• Statutory Framework for the Early Years Foundation Stage 2017 • Ofsted Childcare Register RequirementsEarly Years setting to insert the lawful basis for collecting and using childl information for general purposes (must include a basis from article 6 and one from article 9 where data processed is a special category) If there is no lawful basis then Early Years settings must inform that they have the right to withdraw this consent at any time

WHO THIS DATA IS SHARED WITH:

EY GDPR Preparation Pack LS V5 April 18 15

We do not share information about our child with anyone without consent unless the law and our policies allow us to do so. We routinely share child information with:

Shropshire Council; the Department for Education. Ofsted; Health and Safety Executive (HSE) Shropshire Council may share information about individuals where this is likely to enable a

beneficial intervention from the other public-sector agencies.

Early Years settings need to amend this list to include any other organisations to which information is shared with.

PERIOD DATA STOREDWe hold child data for a period. (Early Years setting to include length of time for which the data will be stored)

Data collected and stored concerning accidents/incidents arising out of or in connection with any Early Years setting activity is kept until the child is aged 21 as the child affected by the incident has the legal right to make a claim relating to that incident 3 years after their 18th birthday.

DO WE NEED YOUR CONSENT? YES/NO (Early Years setting to insert)
If ‘NO’ then please sign BOX A only and return the second copy of Part 1.
If ‘YES’ then please sign BOX A and BOX B and return the second copy of Part 1.

PART 3
DATA THE EARLY YEARS SETTING NEEDS TO COLLECT FROM YOU

CATEGORY OF DATA: Early Years setting to insert here

DATA REQUIRED: Early Years setting to insert here and/or refer to attached document

PURPOSE FOR COLLECTING DATA: Early Years setting to insert here and include the consequence of failing to provide data

LAWFUL BASIS ON WHICH THIS DATA IS USED: Early Years setting to insert here and ensure that it is clear that, if there is no lawful basis, they have the right to withdraw this consent at any time

PART 4
REQUESTING ACCESS TO YOUR PERSONAL DATA

Under GDPR parents/carers, children and staff have the right to request access to information about them that the Early Years setting holds. This is called a Subject Access Request. To make a request for your personal information, or to be given access to your child’s records, contact: (Early Years setting to include details of the names of the data controller or nominated person)

YOU ALSO HAVE THE RIGHT TO:

• enable correction to data for accuracy;
• request the deletion or removal of personal data where there is no compelling reason for its continued processing;
• object to processing of personal data that is likely to cause, or is causing, damage or distress;
• obtain and reuse your personal data for your own purposes across different services;
• prevent processing for the purpose of direct marketing;
• object to decisions being taken by automated means in certain circumstances;
• have inaccurate personal data rectified, blocked, erased or destroyed; and
• claim compensation for damages caused by a breach of the Data Protection Regulations.

If you have a concern about the way the Early Years setting is collecting or using your personal data, please raise the concern with the Early Years setting in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

If you would like to discuss anything in this Privacy and Consent Notice, please contact: (Early Years setting to include details of the names of the data protection controller or nominated officer)

8. Limited Lawful Purposes and Consent

Before processing personal data, Early Years settings must make sure that there is a legitimate ground for carrying out that activity.

This was already a requirement of the DPA, but the GDPR does make some significant changes in this area.

As a reminder, the following are the possible legal grounds for processing personal data:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose**.

2. Contract: the processing is necessary for a contract you have with the individual, (including a contract of employment) or because they have asked you to take specific steps before entering into a contract.

3. Legal obligation: the processing is necessary for you to comply with the law (e.g. deducting tax or providing employee liability information as part of a TUPE transfer, but not including contractual obligations).

4. Vital interests: the processing is necessary to protect someone’s life (e.g. medical history in the event of a life-threatening accident at work).

5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) Early Years settings should make it easy for people to withdraw consent and tell them how.

Once the Early Years setting has confirmed what legal ground it is relying upon, it will be bound to use the data for that explicit purpose. Further processing of the data will only be permitted as long as the new processing activity is not incompatible with the original purpose. Where the new purpose is incompatible, consent from the individual must be obtained.

Can Early Years settings rely upon consent as the grounds for processing?

The concept of consent in the GDPR is stricter than in the DPA.

The GDPR states that consent must be: “freely given, specific, informed and unambiguous”. Consent can be provided verbally, but it is advisable to get the consent in writing.

Where there is an imbalance in power between the individual and the data controller, consent will not be ‘freely given’. It is unlikely that consent given by an employee within an employment contract will be freely given. On this basis, it will be risky to rely upon ‘consent’ as the legal basis for processing all employee data, although it may be used for specific processing purposes such as occupational health referrals.

Consider whether there is any data that is not required for one of the above reasons; there will not be much. One example is consent for taking photographs. In all cases Early Years settings should carefully consider whether they can rely upon the grounds that the processing of personal data is necessary for legitimate business interests, or that it is necessary for performing the employment contract. In many cases, these grounds will be appropriate given the duties of the employer. The legitimate interests ground has not changed from its previous format within the DPA, although the Early Years setting should consider 1) whether the processing is necessary or could be carried out in a reduced format and 2) whether the employee would expect their data to be processed in that way. In some contexts, the Early Years setting will continue to rely upon consent as a legitimate ground for processing or will have this ground listed as one of the applicable legitimate grounds. If the Early Years setting has continued to rely upon the ground of consent, here are some requirements to remember:

• The individual must be informed of the identity of the data controller and the purposes of processing the data.

• Pre-formulated forms or templates should be provided in an intelligible and easily accessible format using clear and plain language and should not contain unfair terms.

• The request for an employee to give consent must be separate from the remainder of the document and the employer must provide a separate signature box.

• It must be made clear that the employee is not obliged to provide consent and has the right to withdraw their consent at any time.

• It must be as easy for the employee to withdraw their consent as to give it.

• If different processing operations are envisaged, separate consents should be sought.

Historic consents

Previously obtained consents will only be valid if they meet the new requirements of the GDPR. If the Early Years setting can justify the processing of personal data on the basis of consent, they will need to check whether any existing declarations of consent comply with the GDPR. If they don’t comply, the Early Years setting will need to re-seek consent from the individuals.

Consider:

1. Blanket consent clauses are likely to be ineffective.
2. Consent must be given for different personal data processing operations.
3. Is consent necessary for the contract to be performed?
4. Have individuals been informed of their right to withdraw their consent at any time, and has this process been made easy?
5. Consent cannot be indicated by opt-out boxes.
6. Consent by inactivity (i.e. continuing to use a website) will not amount to consent.

Processing of Sensitive Personal Data

Sensitive Personal Data may only be processed under one of the following conditions:

1. The individual has given explicit consent for one or more specific legitimate purposes.

2. It is necessary for the purposes of carrying out the obligations and exercising the specific rights of the Early Years setting as an employer and in relation to social security, as authorised by UK law.

3. Processing is carried out in the course of its legitimate activities by a foundation, association or any other not-for-profit organisation with a political, religious or trade union aim, and on condition that the processing relates solely to the members or former members or to persons who have regular contact with it.

4. Processing is necessary to protect the vital interests of the data subject where the individual is physically or legally incapable of giving consent.

5. Processing relates to data which has been manifestly made public.

6. It is necessary for establishing or defending legal proceedings.

7. It is necessary for the purposes of occupational medicine for the assessment of the working capacity of the employee. It must be carried out on the basis of UK law or pursuant to a contract with a health professional.

8. Processing is necessary for statistical, scientific or historical research purposes on the basis of EU or UK law.

9. Processing is necessary for reasons of substantial public interest on the basis of EU or UK law.

9. Rights of Individuals

Early Years settings should ensure they are aware of the individuals’ rights listed below so that they can respond to any requests, including SARs (see Section 10). Individuals must be informed of these rights via privacy notices.

1. Right to be informed
2. Right of rectification
3. Right to object
4. Right to restrict processing
5. Right to data portability
6. Right to erasure
7. Right to notify
8. Right of access
9. The right not to be subjected to automated decision-making including profiling

1. Right to be informed

This information is dealt with by providing a privacy notice described earlier in section 7.

2. Right to rectification

The GDPR includes a right for individuals to have their data rectified without undue delay and this includes having incomplete data completed. For example, the Early Years settings may be asked to update an incomplete performance record.


3. Right to object

If the Early Years setting has relied upon the ‘legitimate interest’ ground for processing any data, individuals should know that they have the right to object to the processing of their data. In most cases the Early Years setting will be able to continue processing, because it will be able to cite the legitimate interest as a valid reason to process the data.

Early Years settings will also need to tell individuals that they can object to the processing of their data no later than the first communication. In practice, the Early Years setting is likely to want to notify individuals at the point of data collection or at the time the privacy notice is provided.

4. Right to restrict processing

Individuals will have the right to restrict processing in the following circumstances:

• They contest the accuracy of the personal data (the controller can then verify the accuracy of the personal data).

• The processing is unlawful, but the individual doesn’t want the data erasing.

• The Early Years setting no longer needs the personal data for the purposes of the processing, but the data subject requires the data for the establishment, exercise or defence of legal proceedings.

When data is subject to a restriction, Early Years settings will continue to be able to store the data, but may only process the data in the following circumstances:

• With the individual’s consent
• For the purpose of establishing or defending legal proceedings
• For the protection of the rights of another person
• For reasons of important public interest

5. Right to Data Portability

GDPR includes a right for individuals to data portability where data has been processed by automated means. This is targeted at online services and allows data to be moved from one service to another. It could apply both to an automated recruitment and on-boarding process and to time and attendance records collected automatically.

The GDPR gives the individual the right to receive the personal data concerning themselves in a structured, commonly used and machine-readable format and have that data transferred to another controller without hindrance. This should take place without undue delay and in any event within one month of receipt of the request, although the period may be extended by two further months where necessary, taking into account the complexity and number of the requests (provided the individual has been advised of the extension within the first month and been given reasons for the delay).

It will be interesting to see how much this right is used within an employment context.

6. The right to erasure (or “the right to be forgotten”)

GDPR includes a right for employees to have their personal data erased without undue delay. The right to erasure of data will apply to employees:

• Where their data is no longer necessary for the purpose it was collected or processed, or if it was unlawfully processed.

• Where the employee has withdrawn their consent or objects to the processing of their data.

However, with regard to Early Years settings there will be the right to retain the personal data to:

• Comply with a statutory obligation in accordance with retention schedules.

• Establish, exercise or defend a legal claim, e.g. tribunal proceedings.

7. Right to notify

When Early Years settings have shared the relevant data with a third party (e.g. a payroll provider or a training provider), the Early Years setting must take reasonable steps to inform that party of the individual’s wish for their data to be erased, rectified or restricted, unless this will involve disproportionate effort.

8. Right of access

GDPR brings in further rights of access (beyond those currently in the DPA 1998) for individuals in relation to their data, and the information to be provided to an individual includes:

• The categories of personal data concerned.

• Whether their data has been or will be disclosed in other countries or to international organisations.

• Where possible, the expected period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.

• The existence of the right to request from the employer rectification or erasure of their personal data or restriction of processing of personal data concerning the data subject, or to object to such processing.

• The right to lodge a complaint with a supervisory authority.

• The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

9. Right to object to automated decision making including profiling

Under the GDPR, individuals have the right not to be subject to a decision based solely on automated processing including profiling which produces legal effects on the individual or significantly affects them.

This does not apply where:

• The decision is necessary for entering into or performance of a contract between the individual and the controller.

• The decision is based on EU or UK law.

• The decision is based on the individual’s explicit consent.

Where profiling involves sensitive personal data, there are specific restrictions. However, automated decisions on these grounds in an employment context amount to discrimination and are to be avoided.

10. Subject Access Requests

GDPR brings in specific changes to subject access requests (SARs) and these are summarised in the table below.

SARs can often be a labour intensive and time-consuming process. The Local Authority will also ensure that preparations are in place for processing SARs in compliance with the GDPR.

This will include updating policies and procedures and reviewing what resource may be needed to complete the requests.

DPA 98 (Before May 2018) compared with GDPR (After May 2018)

Timing of delivery of information following receipt of request
DPA 98: Within 40 days from receipt of the request.
GDPR: Without undue delay and at the latest within 1 month of receiving the request. The period may be extended by 2 months taking into account the complexity and number of the requests. The Early Years setting must inform the individual of any extension within 1 month of receiving the request, together with the reasons for the delay.

Fees
DPA 98: Fees can be charged up to £10.
GDPR: No fee for a single copy of the requested data. Reasonable administrative charges for further copies. Where requests are manifestly unfounded or excessive, a reasonable fee is allowed taking into account the administrative costs involved.

Format of request
DPA 98: In writing.
GDPR: No requirement for the request to be made in writing; it could be made verbally.

Format of delivery
DPA 98: Data to be provided in an intelligible form.
GDPR: Where data is requested electronically, the data should, where possible, also be provided electronically. In all other cases data should be provided in a concise, transparent, intelligible and easily accessible form using clear and plain language. If requested by the data subject, the data may be provided orally provided identity has been proven.

Where no action is taken following a request, the individual must be informed as soon as possible, and at the latest within 1 month of receipt of the request, of the reasons for not taking action. The Early Years setting should also inform the individual of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy.

There are several questions that Early Years settings need to ask in completing a Subject Access Request (SAR). The SAR Template shown below (and available in Appendix E) poses the questions and records the decisions that the Early Years setting has made.

SUBJECT ACCESS RECORD

Name of data subject:
Name of person who made request:
Date request received:
Date request to be responded by:
Date acknowledgement sent:
Contact Data Protection Officer (DPO):
Name of person dealing with request:

Notes (overwrite the statements in grey)

Are they entitled to the data? If no, reply stating reasons and/or ask for proof.

Do you understand what data they are asking for? If no, ask the requester for clarity.

Identify the data: what are the data sources and where are they kept?

Collect the data required: you may need to ask others; state a deadline in your request.

Do you own all the data? If no, ask third parties to release external data. If data is supplied by another agency such as the Psychology Service, you do not own the data.

Do you need to exempt/redact data? If exempting/redacting, be clear about your reasons. Document the name, the data exempted/redacted and why.

Is the data going to be ready in time? Record delays and reasons. Communicate with the requester stating reasons for the delay and asking if they would like the data you have collected so far.

Create pack: make sure that the data is in an easy-to-access format: paper, Word or Excel.

Inform the requester you have the data: ask them how they would like it delivered.

Deliver data: ask for confirmation/special delivery of receipt.

At all stages, your DPO or Data Protection Lead will be able to provide you with advice.

Date request completed (within 30 days):

Signed off by:

11. Data Protection Breaches and Penalties

Currently there is no requirement for an organisation (unless a telecoms or internet provider) to inform data subjects or the Information Commissioner’s Office (‘ICO’) where there has been a breach of data security.

This changes with the introduction of the GDPR, when obligations are placed on all organisations including Early Years settings to notify certain types of personal data breaches to the individual/data subject and the ICO. Early Years settings will also need to keep a log of all breaches.

1. Reporting

Notification to regulator: Early Years settings as employers have a duty to inform the ICO without delay and, where feasible, within 72 hours of becoming aware that an individual’s personal data has been ‘breached’, unless the breach is unlikely to affect the rights and freedoms of the employee.

Notification to employee: There is no need to notify a breach to an employee unless the breach is likely to result in a high risk to the rights and freedoms of the employee.

Similarly, if technical measures have been put in place that make the data unintelligible (e.g. encryption) or subsequent measures have been taken to mitigate the risk to the individual’s rights or freedoms, there is no need to notify the data subject. If the duty to notify would involve disproportionate effort, a public communication or similar step may be suitable.

What is a personal data breach?

GDPR defines a personal data breach as:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

What is meant by the phrase ‘rights and freedoms’ of the employee?

This definition was already included within the DPA but is set out within the GDPR as:

• Processing that could give rise to discrimination, identity theft, fraud, financial loss, reputational damage, reversal of pseudonymisation, or significant economic or social disadvantage.

• Processing that could reveal sensitive personal data.

What must be reported?

Where notification is required this should include the following information:

1. The nature of the personal data breach including (if possible) the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.

2. The name and contact details of the data protection officer or other contact point where the regulator can obtain more information.

3. The likely consequences of the personal data breach.

4. Measures (or proposed measures) taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Records

How should Early Years settings keep a record of breaches that have taken place?

The Early Years setting will need to keep a record of all breaches (whether notifiable or not) and the record should contain:

• the facts of the data breach
• the effects of the data breach
• the action taken

The record will enable the regulator to check compliance with the regulations.

Steps to take now:

• Ensure staff understand what constitutes a data breach, and that this is more than a loss of personal data.

• Ensure that you have an internal reporting procedure in place; this could also be incorporated into the whistleblowing policy. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.

• In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.

The template overleaf (also available in Appendix F) outlines the types of things that Early Years settings should think about when dealing with a breach.

DATA BREACH RECORD

Date: / /

Person responsible for dealing with breach:

Which data subjects are involved:

Data type involved:

Reported by:

Phone/email sent to DPO: Y/N

Is this high risk: Y/N

Report to ICO: Y/N

Date reported to data subjects:

Actions taken:

Preventative action suggestions (including training):

Notes:

Actions approved by:    Date: / /

12. Useful Preparation Templates

The following templates are included should your Early Years setting wish to prepare and record data.

12.1 Data Audit

A key element in Data Protection is knowing what data is held by the Early Years setting.

Considerations include:

• Why is the data being processed?
• Who is the Early Years setting sharing it with?
• When is it being processed?
• Where is it being stored?
• Is it manual data?
• Is it on separate hard drives?
• Is it on laptops that are being used by the Early Years setting?
• Is it on personal emails rather than Early Years setting emails?

This data audit template (also known as a ‘data asset’ by the ICO) is essential to any Early Years setting. Early Years settings may need more than one person to complete this document and it should be kept as a dynamic document; it is essential that Early Years settings record whether there is a legal, statutory or other reason to hold the data. Early Years settings should also consider whether staff have signed up to services which need personal data, such as iPad apps. The on-line auditing toolkit on the ICO website is a good support to this task; it may help Early Years settings with data mapping.

DATA AUDIT

Description of data held

Type of data

Where does the data come from

Where is data stored

Where is data processed (location)

Why is this data held? i.e. purpose

Lawful basis for holding data (choose one): Consent / Contract / Legal obligation / Vital interest / Public task / Legitimate interest

If legal, quote piece of legislation:

If consent required, has consent been obtained? Where is this?

DATA AUDIT (continued)

Do existing policy/procedure cover individual rights, including how Early Years settings delete or provide data on request

Who is the data shared with

Who has access to this?

How is it secured?

Retention period

Risks

GDPR compliant

12.2 Data Risk Register

GDPR encourages organisations (Early Years settings) to develop Privacy by Design. Early Years settings should consider where the dangers are in releasing data about staff or children.

To enable Early Years settings to complete a risk analysis it may be easier to consider people rather than technology.

Early Years settings should ensure they have systems that remove access from any individual(s) with immediate effect should this be necessary. It is advised that this document (Appendix A) is completed by two or more people working together.

DATA RISK REGISTER

Groups of people / Reasons

Staff
Admin/office staff
Other members of the staff team
Local Authority
Other companies
Parents/carers

12.3 Privacy Impact Assessment

This may only be needed where there is a high risk of data getting lost; nonetheless it is recommended that Early Years settings assess uses of personal data using this Privacy Impact Assessment Template (see Appendix D).

Ideally the template would be completed for all uses of personal data and completed by the person who wants to use that service and signed off by the DPO. This will then be used to inform the Data Audit.

PRIVACY IMPACT ASSESSMENT

What is the aim of the project?

What data will be collected?

How will the data be collected?

Where will the data be stored?

How will the data be shared?

How will the data be amended or deleted?

Identified risk (issues, risk to individuals, compliance risk, Early Years setting risk, possible solution)


13. Data Protection Policy

Early Years settings with an existing Data Protection policy may need to update the policy to confirm that they recognise that GDPR may change some practice. Please refer to the wording below (also available in Appendix G) for wording to update an Early Years setting’s existing policy.

This policy will consider the additional data protection requirements of the General Data Protection Regulations (GDPR) effective from 25 May 2018. This includes all categories for review as summarised in the ICO’s advice in the 12 steps to prepare for GDPR and additional advice from the Local Authority:

1) Raise awareness in this Early Years setting
2) Review information held by the Early Years setting
3) Review the Early Years setting’s Privacy Notices
4) Review changes to Individual Rights
5) Deal with changes to Subject Access Requests
6) Identify the lawful basis for processing personal data
7) Review how consent will be sought, held and recorded
8) Review changes to Children’s data
9) Ensure compliance with Data breaches
10) Review Data Protection by design with use of Data Protection Impact Assessments where necessary
11) Appoint a suitable Data Protection Officer
12) Review if there are any International considerations

Early Years settings may wish to consider reviewing their Data Protection Policy. A new Data Protection policy is being drafted by the Local Authority which will be available on the SLG. The new policy will update DPA requirements with GDPR considerations.

14. GDPR Preparation Summary and Checklist

Early Years settings are advised to start preparation as soon as possible. This guidance summarises recommended tasks. A GDPR preparation checklist can be found in Appendix H.

The following steps are a good place to start:

Awareness

Make certain that the Early Years settings appreciate the impact GDPR is going to have on the setting and the resources they might need to provide to become compliant. Ensure that a Data Protection Officer (if applicable) is appointed as soon as possible so they can help the Early Years setting fully prepare in time for the GDPR deadline.

Information Held

Start to document what personal data is held and processed, where it comes from, who you share it with and who has access to it in Early Years settings. Also identify and document the legal basis for the processing of personal data. The Data Risk Register and Data Audit templates in this preparation pack may help you to see clearly what personal data is moving through the Early Years settings’ systems and where it ends up. Then, from that data mapping exercise, you are advised to create a gap analysis and an action plan to cover the gaps.

Privacy and Consent Notices

Review and update what you have already in place and plan for any necessary changes. Often Early Years settings put this information into the parent/child contracts and then ask the parent/child to sign to give their consent. There is parental consent up to 13 years of age, thereafter the child’s own consent. Early Years settings need to consider how they are going to manage this.

A similar exercise will need to be taken in relation to staff data. In all cases Early Years settings should be not relying on consent for processing personal data and should in most cases be citing a statutory or legal basis of public interest for doing so, wherever possible, to prevent issues around consent being withdrawn. If you do need consent for any processing, work out how you are going to get it, record it and refresh existing consents. Early Years settings may wish to consider the Privacy and Consent template in this preparation pack.

Privacy Impact Assessments

As well as being a requirement for any new technologies or high-risk processing, it is good practice to have these for all processing and then update if your processes or technology change or new processing / suppliers are being considered. Early Years settings can use the Privacy Impact Assessment template in this pack.

Individuals’ Rights

Consider all the personal data you hold or process and ask yourselves if you comply with the data subject’s rights. Can you deal successfully with data erasure requests or withdrawn consent?

Subject Access Requests

Check individual rights that can be implemented and have a mechanism for that, being prepared to deal with subject access requests for example. Make sure you have someone responsible for dealing with these and a second person to cover in the event of absence so that there are no delays. Early Years settings can consider using the Subject Access Record Template in this pack.


Data Breaches

Do you have procedures in place to deal with these if they occur? Whose responsibility will it be to handle them? Consider using the Data Breach Record Template in this pack.

15. Other Considerations and Further Support

The Information Commissioner's Office (ICO)

The ICO has provided additional resources on other areas to consider in preparing for GDPR.

Home page: https://ico.org.uk/for-organisations/education

Education FAQs: https://icosearch.ico.org.uk/s/search.html?query=education+faq&collection=ico-meta&profile=_default

12 steps for preparing for GDPR: https://icosearch.ico.org.uk/s/search.html?collection=ico-meta&query=12+steps&profile=_default

Compliance of Contract Templates in procurement

Any contract put in place with a data processor (e.g. a training provider or payroll provider) must impose certain obligations on that processor. Early Years settings will need to ensure that colleagues managing the procurement process understand these requirements.

Compliance of ICT Systems

One of the requirements of GDPR is that personal data will be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

Early Years settings need to ensure that:

data they hold is on servers and devices (laptops, PCs, tablets) that are within a secure network, with controlled access

these are regularly maintained, with upgrades and security patches applied

the back-up of data is being completed regularly, and that back-ups are managed and stored in a secure manner.


Early Years settings need to consider the security of their data when staff require access while not working on site. Copying data to memory sticks, copying it to a laptop's hard drive or e-mailing it to a private e-mail address for access at home are all security risks and make managing this data more difficult.

Fundraising and Marketing

Any planned fundraising or marketing must be carried out in accordance with the Data Protection Act and the Privacy and Electronic Communications Regulations (PECR), as data can now only be used for the reason it was collected and not for any other reason.

Surveillance

If an Early Years setting decides to use surveillance technology or body-worn video, it needs to be done in line with the ICO's CCTV code of practice. Images should only be issued for the purpose specified, individuals must be made aware that they may be recorded, and appropriate measures must be put in place to keep the recorded images secure. https://icosearch.ico.org.uk/s/search.html?collection=ico-meta&query=surveillance&profile=_default

Taking photographs

There is nothing preventing you from taking photos of events, and asking permission is normally enough to ensure compliance.

Bring Your Own Device (BYOD)

There is guidance for Early Years settings that want to allow staff to use personal devices to process personal data for which the setting is responsible. This is contained within the E-safety Policy guidance.

In preparing for the GDPR, Early Years settings should not lose sight of what this new law is about. In our new digital world, it is about delivering greater transparency, enhanced rights for employees and children, and increased accountability. Whilst GDPR is bringing in a number of changes and will be the most robust data protection legislation we have ever seen, it is also an opportunity to review the Early Years setting's current data protection practices and update them, so that the setting can demonstrate it understands the need to protect sensitive information and is doing all it can to ensure any personal data held is looked after adequately.

Appendices

Appendix A: Data Risk Register Template
Appendix B: Data Audit Template


Appendix C: Privacy Notice and Consent Template
Appendix D: Privacy Impact Assessment Template
Appendix E: Subject Access Record Template
Appendix F: Data Breach Record Template
Appendix G: Wording to update existing Data Protection Policy
Appendix H: GDPR Preparation Checklist
