BEST PRACTICE

Data protection in the early years

Faye Spencer, head of business services at the Information Commissioner’s Office, gives her top tips to help early years settings keep up-to-date with data protection compliance

In the early years, a safe learning environment for children is vital. Part of this is making sure the information you hold about them is used properly, shared appropriately and kept safe and we at the Information Commissioner’s Office (ICO) are here to help you get it right.

Tip one: Know what ‘personal data’ is

If you have information that identifies someone, either directly or indirectly, it’s classed as ‘personal data’. This includes all the information you hold about staff, suppliers, parents and carers, as well as the children in your care. This might be held electronically, such as on your computer system or CCTV footage, or in hard copy, such as paper documents or printed photographs.

You need to know what information you have, why you have it, how long you need to keep it for, and how to keep it safe.

Image
Tip two: Know how to deal with a request for information

People have rights over their personal information. This includes being able to ask for a copy of the information you hold about them, known as making a subject access request (or a SAR). This right applies to children’s information too.

If a child can’t request their own information – for example, because they’re too young – a parent or representative can make a request on their behalf. If someone makes a request on behalf of a child, you must make sure they’re entitled to see the information. For example, you may need to check whether they have parental responsibility and if there are any safeguarding concerns.

People have rights over their personal information.

The best starting point for responding to any requests made on behalf of a child is to consider what’s in the child’s best interests. If you’re not sure how to respond, contact us – we’re here to help.

Tip three: Know what to do with your CCTV footage

Lots of small businesses use CCTV for staff monitoring, health and safety, or for the detection and prevention of crime. If you have CCTV, you’re likely to be capturing personal information, such as people’s faces or movements, so you’ll need to comply with data protection rules.

As with other types of personal information, people can make a SAR for footage of themselves or, in some situations, on behalf of a child. If this footage contains images of other people, you should only disclose the footage of other people if you have their consent to do so, or if it’s reasonable to do so without their consent. Where this isn’t the case, you should redact the footage to remove or disguise the third parties wherever possible.

If your CCTV system doesn’t have the functionality to redact footage, you could consider providing stills with the identity of third parties blanked out where appropriate. Contact us if you’re unsure.

Tip four: Share data when needed

In an early years setting, you’re likely to share information with the relevant regulatory authorities and other early years providers. Data protection doesn’t prevent you from doing this where it’s relevant and necessary to do so.

Your staff should also be given regular training about their data protection obligations...

Sometimes the information may relate to safeguarding. In these cases, you must decide what information you need to share in the interests of protecting children. To help with this, we’ve produced a guide to sharing information to safeguard children, which can be found on our website.

Tip five: Keep data secure for the time you hold it

Whether keeping personal information electronically or in hard copy, you must make sure the information is safe. Some data may contain potentially sensitive information such as safeguarding details or health information, which will need a higher level of protection.

Your filing cabinets should be locked, and computer should be password protected. When sending sensitive information you should apply extra measures, such as restricting who can see it and encrypting emails. Your staff should also be given regular training about their data protection obligations and confidentiality both in and out of the workplace. Be aware of timescales for keeping the different types of information you work with because you must only keep information for as long as you need it.

The Information Commissioner’s Office offers data protection advice, guidance and services. You can find the latest up-to-date information about protecting children’s information on their website: ico.org.uk. You can also talk with one of their team via their live chat, or give them a call on 0303 123 1113.