FSFRebecca Posted March 20, 2018 Posted March 20, 2018 Following on from a forum question I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year. I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525] Thing you need to know: • GDPR stands for: General Data Protection Regulation • The new regulation comes into effect from 25th May 2018 • Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them! Something you need to do first: Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11. This is what early years settings might like to think about in preparation. • Use the '12 steps to take now' document to audit what they already do to meet data protection requirements. • Use the audit sheet to document the audit process • Collate details from 'To Do' list - make action plan • Complete action plan! This is #8 of 12 threads which will help you think about what you need to do to be ready for 25th May 8. Children Point #8 of the ICO 12 steps guidelines asks us to think about the data we hold pertaining to children. Working in early years education as we do, the majority of our data concerns children. With the audit conducted at #2 you will already have thought through what data you are holding, why you are holding it and what you are going to do with it etc. Consequently, many of the requirements of #8 have already been covered. Point #8 asks data controllers to ensure that they have permission to hold and use children's data. For the purposes of GDPR, until a child reaches the age of 13 they cannot give their own consent for their data to be processed, a person with parental responsibility must do that. This is because children may not fully understand the consequences of giving consent for their data to be held. Consequently, parental permission for the children in your care will be required as part of your enrolment process, you do this already as it is part of the statutory framework. The ICO have further detail regarding consent for the collection and use of data about children, you can read it here.
AnonyMouse_13453 Posted April 1, 2018 Posted April 1, 2018 Another really good piece. These are wonderfully clear! I've been asked to give a presentation at the church PCC about GDPR and I'm getting some very useful pointers from here! Thank you. I've enrolled in the Futurelearn course as well!
AnonyMouse_7120 Posted April 2, 2018 Posted April 2, 2018 Thanks Rebecca, like Cait I’m following with interest and making notes for each section as they appear, I think this is the section that I’m finding most confusing in conjunction with section 7 (consent), Is it going to be best to just get parent consent for the forms we ask them to fill in with their child’s details ? My understanding is we have to make them aware they can withdraw consent, apart the problems this would raise with the information we have to hold (eyfs requirements) what happens if we get to the end of their time and then the parent says they withdraw consent to retain the information yet our requirements are we hold it for 21yrs, can we just say sorry but we are keeping it under ‘legal obligation’ or would it have been better not to have asked for consent in the first place? 1
AnonyMouse_8282 Posted April 2, 2018 Posted April 2, 2018 2 hours ago, Mouseketeer said: Thanks Rebecca, like Cait I’m following with interest and making notes for each section as they appear, I think this is the section that I’m finding most confusing in conjunction with section 7 (consent), Is it going to be best to just get parent consent for the forms we ask them to fill in with their child’s details ? My understanding is we have to make them aware they can withdraw consent, apart the problems this would raise with the information we have to hold (eyfs requirements) what happens if we get to the end of their time and then the parent says they withdraw consent to retain the information yet our requirements are we hold it for 21yrs, can we just say sorry but we are keeping it under ‘legal obligation’ or would it have been better not to have asked for consent in the first place? Interesting one. I guess the information we legally need to hold is just the child's information, therefore technically we are safeguarding the holding of information for them [the child] to reach the age of consent for them to decide? (well what I've just written makes sense in my head)
AnonyMouse_12845 Posted April 25, 2018 Posted April 25, 2018 As part of our registration forms we ask for permission to put their child's photo on our facebook site as well as our website and other marketing materials. Parents can select yes or no by ticking a box then signing the form at the end. Is this adequate enough?
FSFRebecca Posted April 25, 2018 Author Posted April 25, 2018 You need to ask for consent for each thing separately, you can't put them all in one
Recommended Posts