Statutory requirement, data sharing and regulations
The legislation, guidance and best practice to follow.
The individual child level data collection from early years settings is a statutory requirement on providers and local authorities through regulations under Section 99 of the Childcare Act 2006 and The Education (Provision of Information About Young Children) (England) Regulations 2009.
This means that:
- the word ‘providers’ is applied to both childminders registered with Ofsted and childminders registered with a childminder agency which is itself registered with Ofsted
- providers do not need to obtain consent for the provision of information from parents of individual children but must meet their obligations to data subjects under the general data protection regulation
- providers and local authorities are protected from any legal challenge that they are breaching a duty of confidence
- providers are required to complete a return
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) mandate certain safeguards regarding the use of personal data by organisations, including DfE, local authorities and early years settings. Both give rights to those (known as data subjects) about whom data is processed, such as children, parents and staff. These rights include (amongst other information that DfE is obliged to provide) the right to know:
- the types of data being held
- why it is being held
- to whom it may be communicated
As data processors and controllers in their own right, it is important that schools process all data (not just that collected for the purposes of the census) in accordance with the full requirements of the UK GDPR. Further information on the UK GDPR can be found in the Information Commissioner’s Office (ICO) overview of the UK General Data Protection Regulation (UK GDPR).
Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: privacy notices
Being transparent and providing accessible information to individuals about how schools and local authorities will process their personal data is a key element of UK GDPR and the DPA 2018. The most common way to provide such information is through a privacy notice. See the Information Commissioner’s Office (ICO) website for further guidance on privacy notices.
DfE provides suggested wording for privacy notices that early years settings and local authorities may wish to use. However, where the suggested wording is used, you must review and amend the wording to reflect local business needs and circumstances. This is especially important, as early years settings and local authorities will process data that is not solely for use within census data collections.
It is recommended that the privacy notice:
- is included as part of an induction pack for parents and staff
- is made available on the early years setting’s website for parents
- features on the staff notice board or intranet
Privacy notices do not need to be issued on an annual basis, where:
- new parents and staff are made aware of the notices
- the notices have not been amended
- they are readily available in electronic or paper format
However, it remains best practice to remind parents of the early years setting’s privacy notices at the start of each term (within any other announcements and correspondence to parents), and it is important that any changes made to the way the early years setting processes personal data are highlighted to data subjects.
Legal duties under the UK General Data Protection Regulation and the Data Protection Act 2018: data security
Local authorities and early years settings have a legal duty under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 to ensure that any personal data they process is handled and stored securely. Further information on data security is available from the Information Commissioner’s Office.
Where personal data is not properly safeguarded, it could compromise the safety of individuals and damage an early years setting’s reputation. Your responsibility as a data controller extends to those who have access to your data beyond your organisation where they are working on your behalf – for example, where external IT suppliers can remotely access your information.
It is vital that all staff with access to personal data understand the importance of:
- protecting personal data
- being familiar with your security policy
- putting security procedures into practice
As such, early years settings should provide appropriate initial and refresher training for their staff.