Data protection and GDPR in nurseries are a tedious but necessary evil. Schools and nurseries rank a whopping second for organisations with the most data breaches. So, how do you stay GDPR compliant as a nursery, and just what is a data breach? Adam Hooper, Blossom’s Head of Customer and Privacy, shares all.
Meet the expert: Adam Hooper.
Meet Adam Hooper, Head of Customer and Privacy. Having worked across several companies, leading GDPR compliance projects from start to finish, Adam is the GDPR boffin at Blossom.
Few nursery managers or owners will want to read all 99 GDPR articles cover to cover; we don’t blame you. But, of course, you need to stay compliant, so Adam shared his nursery-specific knowledge with us to help you understand GDPR in nurseries.
What is GDPR in nurseries?
The General Data Protection Regulation (GDPR) is a data protection law introduced in 2018 covering all European Union (EU) member states. The UK was part of the EU when GDPR came into effect, but post-Brexit (January 2020), UK GDPR legislation was brought in.
UK GDPR is essentially the same as EU GDPR, apart from minor changes to fit the UK’s legal framework. The aim of GDPR for all companies (including nurseries and schools) is to protect individuals’ rights and privacy with respect to their own personal data.
Just as schools have Ofsted and banks have the FCA, GDPR also has a regulator. The Information Commissioner’s Office (ICO) is the national data protection authority in the UK. The ICO can investigate GDPR in nurseries and their data protection processes if concerns are highlighted.
What are the GDPR principles?
The principles are to be followed by every organisation registered with the ICO (including nurseries and schools). They are designed as foundations for effective data handling and processing practices. These seven principles must be the foundation of policies and practices linked to GDPR in nurseries.
- Data is collected and processed in a lawful, fair and transparent way.
- The purpose of collecting the data is legitimate.
- Only necessary data is collected and processed.
- Data should be accurate, with every reasonable step taken to keep it current.
- Personal information should only be kept for as long as necessary.
- Data should be processed securely, protecting against accidental loss, destruction or damage.
- Nurseries (and all other organisations) are responsible for demonstrating compliance with GDPR principles and data protection regulations.
Psst: Blossom helps you keep your data safe and secure using the same data storage systems well-known banks use. It’s as safe as it gets.
GDPR in nurseries: how to stay compliant.
Nurseries need to follow a few key requirements to stay GDPR compliant. There can be a cross-over between what is required, what you will do in your everyday practice, and what is good practice. Let’s try to define the requirements for GDPR in nurseries:
- As nurseries are considered data controllers, they are responsible for protecting the data they collect and process. Adam encourages us to remember that processing data doesn’t necessarily mean doing anything with it; storing data is still processing.
- Most nurseries must appoint a Data Protection Officer (DPO) to oversee compliance and give advice. Does your nursery need a DPO? Check out the ICO guidance.
- Your nursery’s DPO needs to be aware of any GDPR changes for the early years and share this information with the nursery team.
- Your nursery or early years setting must follow the seven GDPR principles set out above.
- Your setting should have a data protection policy. This EYFS data protection policy should be regularly updated and reviewed, and treated as a working document rather than dusted off for an annual tick-box exercise.
- Retention of personal information should be in line with your data protection policy.
What is a data breach in a childcare setting?
A data breach ultimately is a result of a lapse in security. It may result in unauthorised access to systems, information, or documents. Adam reminds us that this doesn’t have to be online; it can be through disclosing information that shouldn’t be shared via conversation.
It is thought that up to almost one-quarter of nurseries have experienced a data breach in the last 12 months. Data breaches can have serious consequences, including identity theft, fraud and reputational damage. The education sector ranks second among the sectors most vulnerable to security incidents in the UK.
Most data breaches come from human error: sending an email to the wrong person, leaving important information visible, and careless data processing practices.
Why are nurseries at high risk for data breaches?
The understanding of UK GDPR and data protection in schools and nurseries is growing. But educational organisations have no robust regulatory system comparable to the FCA for banks. Nurseries have Ofsted to monitor the quality of education and provision (including GDPR and data protection processes). When preparing for an Ofsted inspection, nurseries and schools rarely place data protection and GDPR at the forefront of focus.
However, in-depth tech audits are almost unheard-of during inspections. Therefore, the knowledge of what ‘secure’ really is when handling different types of data is left to the discretion of the nursery. Without very clear guidelines, it can be challenging to know what secure data protection looks like in schools and nurseries.
Adam explains that not knowing what security looks like for different devices, processes, and data types is the same as leaving an important door wide open. For example, having a secure password for any nursery practitioner’s tablet or iPad is one way to ‘close a door’.
What are the challenges of GDPR in nurseries?
There are many challenges nursery managers face when trying to keep their childcare setting GDPR compliant. Data protection in schools and nurseries can be a daunting topic. Let’s have a look at a few challenges together.
The rise of Instagram fraud and data protection.
Instagram fraud is on the rise. This is where scammers build a profile with personal information to pretend to be someone. They will collect images of the person’s family and hobbies, then contact that person’s friends and network with scams.
Children’s nursery pictures can be used to build a lifelike profile. It is important that even if your parents consent to their child’s image being shared on your nursery’s Twitter or Facebook page, you are aware of the additional dangers. Using nursery software with a social media feel is a safer alternative. Parents log in to their Parent App to access images they have permission to view.
Lack of EYFS GDPR training.
With GDPR only being introduced in 2018, data protection for schools and nurseries is still a relatively new concept. Data protection training is mandatory in nurseries and schools. It can be delivered in various ways that suit your early years setting’s CPD journey.
A challenge for keeping data safe in nurseries is the need for more confidence in what a data breach is, what to do if you experience one, and what information you are required to share with parents, Adam explains. Additional and regular training is needed with your nursery staff team to answer those FAQs of GDPR in nurseries.
EYFS parent usage and data protection challenges.
Once you have shared images and information with parents, you cannot determine how they further use the data. A huge challenge for nursery managers can be how parents share the pictures you have worked hard to keep secure all over social media.
Adam reminds us that only essential images and information should be shared. You can also explain (and regularly revisit) your EYFS data protection policy, including your expectations of further sharing with parents.
Technology in the early years.
Tablets and iPads can help to capture golden milestones and help make EYFS observations easier for your practitioners. They are a great piece of kit; some are superior to others, of course! But with great technology comes great danger; knowing the main technological issues your practitioners will face can help you to be proactive.
As we know, human error is the leading cause of data breaches in education. Therefore, humans using technology might be a recipe for disaster.
Well, no, actually. It is far safer for your nursery records and information to be stored in secure cloud-based software than poking out of filing cabinets.
Adam does recommend that you audit your antivirus software and regularly check that your handheld devices are updated to the latest software. New software often means security updates.
It is worth noting that older devices are not a priority for software updates, including security features. This can leave some doors creaking open for online hacking dangers.
Effective nursery data protection and GDPR practices.
So, we have covered the most likely ways your nursery will experience a data breach. So how do you proactively plan for effective GDPR and data protection practices in your nursery?
Nursery software that fits your needs.
Blossom uses Amazon Web Services to store data; it is the best security you can get (it’s why well-known banks use it). Nursery managers and owners can be reluctant to replace paper-based filing systems.
Online nursery software is the way to go for safety, ease, and parent satisfaction. There’s so much more to us than being really secure; check out our other features.
EYFS data protection and GDPR policy.
As with all policies, you need to tailor your data protection policy to fit the needs of your setting. If you are a tech-savvy nursery, include all the types of devices you use, recognising the potential risks for each one. You may also want to detail your parent expectations and CPD training plan in your policy.
This should be one of the main policies your EYFS apprentices and inducted staff members read, so make it easily digestible.
Early years CPD for data protection.
There are many ways to engage your EYFS staff in quality CPD; not all require costly providers to deliver training. Data protection training is mandatory for all staff; it is important that you give your staff time to consider examples and scenarios they may experience.
Securely store devices overnight.
All your devices should be password protected, with each staff member having their own login to your nursery software. Take care where you leave these devices overnight. Adam highlights that these tablets hold a lot of information and should be kept securely locked away at the end of the nursery day.
Password protect EYFS devices.
And we don’t mean nursery1234 here. A robust password that isn’t the same for each device is needed for all software that contains data. If you give your password to someone you shouldn’t (which is anyone, really!), then reset your password immediately. Blossom can see whether the compromised password has been used, giving you total peace of mind.
A handy time-out feature for inactive users can cover any nursery practitioners who have left a tablet, laptop, or iPad logged into the Blossom system, keeping all special data safe and for your eyes only.
Securely back up your nursery data.
Cloud-based backup processes are the safest way to keep your data secure. This also allows for any duplicate pictures to be erased once uploaded to your backup system or Blossom software. Now that couldn’t be done with paper copies!
If you’d like to learn more about how to make your nursery safer, contact one of our customer service team. They’d be thrilled to hear from you.