General Data Protection Regulation (GDPR)

IMPORTANT NOTE:

All the information that follows is only guidance based on SOSCN's own understanding of the legislation; this may change or develop over time, and in no way can it be seen as legal advice. The information has been gathered from a variety of official resources listed at the end, as well as a conversation with the Information Commissioner's Office (ICO).

WHAT IS THE GDPR?

The GDPR is legislation which will be enacted from the 25th May. It is concerned with how personal data is stored, handled, shared and ultimately destroyed, and it recognises an individual's right to privacy, including that of children.

“Many of the GDPR's main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are some new elements and significant enhancements, so you will have to do some things for the first time and some things differently.” ('Preparing for the General Data Protection Regulation (GDPR) 12 Steps to Take Now', ICO)

What does this mean for out of school care services?

In the first instance you need to declare your 'lawful basis' for processing personal data. There are 6 lawful bases:

“(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone's life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)”
(https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ accessed 08-03-18)

You have to meet at least one of these bases, and for out of school care services these would be 'legal obligation' (the Care Inspectorate places a legal obligation on you to hold personal data on children in your care) and 'vital interests' (you require personal data on children to ensure their wellbeing and safety within your care).

When gathering information about children on registration (registration forms, 'all about me' sheets, etc.), parents (and children) must be made aware of why you are gathering this personal data, how it will be stored and what will be done with it when it is no longer required. So, parents must sign and date terms and conditions/privacy agreement which states they have read and agreed to the terms and conditions associated with the personal data held by the organisation.

The terms and conditions should:

1. State your legal basis to gather personal data in accordance with the GDPR ('legal obligation' and 'vital interests'), and clearly state that this is through compliance with Care Inspectorate registration.

2. State how this information will be SECURELY stored. If you use digital files, then you need to ensure that all devices storing this data (including emails, etc.) are encrypted.

3. State which persons (their professional roles) within the organisation will have access to the full personal data - these are the organisation's 'data processors', and only they should have access to full records.

4. State the organisation's procedures to detect, report and investigate any data breaches.

5. State how any personal data will be shared with other agencies, if at all. For out of school care this will be on a parent (and possibly child) consent basis, unless it is a child protection issue which relates to a parent/carer, in which case child protection procedures come into effect.

6. State that parents and children are able to request to see the personal data which is held.

7. State how often this information will be reviewed - six-monthly at minimum for information held on children in out of school care.

8. State WHEN personal data will be disposed of, including circumstances and timeframes.

9. State HOW personal data will be SAFELY disposed of.

Please note that this also applies to personal data held on employees and committee/board members. If parents refuse to sign this agreement then you will not be able to hold personal data, and since you have a legal obligation to do so, you cannot provide a service for this child. No agreement, no service.

CHILDREN AND THE GDPR

You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.

Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. Again, if they request personal data to be erased which you are required to have by law, then you would not be able to provide a service for them.

PHOTOGRAPHS AND THE GDPR

Please note that photographs can be considered personal data if the person can be identified, so signed consent from children and parents should be given before photographs are used in the public realm such as published materials, website, social media, etc. Also, children (and adults) will have recourse to request that these images are deleted from online resources at a later date.

So you can ask for general consent from children and parents for photographs which will be used within the service, e.g. floor books, information folders, children's own folders, etc. However, you will require specific and additional written consent if you wish to use a particular photograph on a website, Facebook, Twitter, etc. if a child is identifiable. You can still use photographs of activities showing hands, etc. without specific consent, since children are not personally identifiable.

PLEASE NOTE

Employment files must also be treated in the same way as children's records - the GDPR relates to all personal data held by an organisation.

RECOMMENDED READING

'Preparing for the General Data Protection Regulation (GDPR)'
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

'Getting ready for the new data protection law. Eight practical steps for micro business owners and sole traders.'
https://ico.org.uk/media/for-organisations/documents/2258293/eight-practical-steps-for-micro-business-owners.pdf

GDPR Checklist
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

The GDPR and children
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/

Taking photos in schools
https://ico.org.uk/for-the-public/schools/photos/

last updated: 17/04/2018