GDPR for nurseries: top tips

There was a lot of worry and concern about the GDPR (that came into effect on 25 May 2018). Here, Gayle Seekins, NDNA’s Head of IT, explores GDPR for nurseries.

Can you believe it’s been over five years since GDPR and the Data Protection Act 2018 was introduced? And unfortunately, there is still a cause for confusion among some businesses. The Data Protection and Digital Information (no.2) Bill is currently working its way through Parliament and will bring further changes in 2024 if passed. 

A number of organisations, including nurseries, thought the implementation of GDPR was just another annoyance and policy change to make life difficult. But it is law, and cannot be ignored. 

If you attended the NDNA’s GDPR workshops in 2018, you’ll have had lots of tips on being ready for GDPR. However, remember that GDPR is not just a one-time admin task, which can now be forgotten about. GDPR compliance needs upkeep. 

Upkeep doesn’t necessarily need to cost money, but I’m sure you know that it will cost staff time. Keeping up to date now will ensure you are better prepared for any future changes. Hopefully, with my top tips, you’ll save time and confusion! 

Why is it important? 

How we hold and manage our nursery data has changed massively over the past 20 years, with the introduction of the World Wide Web, emails and smartphones. 

The ability to share sensitive data instantly across the world in just a matter of seconds is a new thing and a potential threat to your nursery safeguarding obligations. 

You’ll already know that it is incredibly difficult to instantly lose your nursery paper records en mass. However, one electronic malfunction and years of your nursery data, that may have a legislative need to be kept, can be gone in an instant. 

Our financial security also needs measures in place. And GDPR compliance (although a legal obligation) is a great way to ‘keep stock’ of all your data. 

So how can you ensure your nursery is compliant five years on? 

  1. Complete another data audit. 
    Revisit your audit six-monthly or yearly to ensure you know what data you hold, why you hold it and how long you should hold it for. Identify if you have a legislative need to hold the data. Download NDNA’s free GDPR Audit for nurseries template (.xlsx) here
  2. Do a Risk Assessment. 
    As part of your audit, you should be identifying what data you hold of a sensitive nature. You should be able to demonstrate why you share data in certain ways and if it is appropriate in your setting. I advise that you link your risk assessment to your safeguarding needs. Do you have looked after children or children with particularly unusual names that need additional protection? 
  3. Remember, health and safety always comes first. 
    If lists of allergies or menu advice needs to be readily available, as part of your audit, have you demonstrated that the benefit of having that list on display to staff, outweighs the risk of staff not knowing to the child? Find a location that is clear to staff but not on view to every visitor where possible. 
  4. Safeguarding takes priority. 
    If you believe there is a safeguarding risk to a child then you can share the information with the appropriate people without fear of breaching GDPR. Just ensure you can evidence the concern and the actions taken. The wellbeing of the child should always be the priority.  
  5. Keep staff knowledge and training up-to-date. 
    Ensure your staff training and policies on data protection and management, social media usage and confidentiality are up-to-date and being followed. 
  6. Make sure you have a clear policy on email use, 
    Ensure you BCC group emails, delete unnecessary emails and that sensitive details in emails are only sent to the appropriate person by checking the address. Delete emails that you receive in error too.
  7. Keep consent up-to-date. 
    Consent is needed for all data that you hold and share for children and staff in your setting, that does not have a legislative need. All consent for use of information such as photos and learning journeys should be kept up-to-date. 
  8. Review contact information. 
    Review your contact information and password systems regularly to ensure they are current and up-to-date. 
  9. Keep on top of deleting unnecessary data. 
    Make sure you delete data that you no longer need. File it to store it by the date/year you can destroy rather than by individual names. 
  10. Revisit NDNA’s top tips on GDPR for nurseries. 
    Make sure you revisit NDNA’s top tips on GDPR for nurseries regularly for a refresher.

For more support, see our GDPR for nurseries factsheet, or GDPR Privacy Notice for England, Scotland and Wales nurseries, free for NDNA members. Not yet an NDNA member? Join here.

Similar Articles

How nurseries can support children with cerebral palsy

NDNA spoke to Founder and Director of Policy of Action Cerebral Palsy, Amanda Richardson MBE,…
Read more
Child with Cerebral Palsy from Action for Cerebral Palsy

Intent, implementation and impact in the EYFS

An Ofsted inspection can be a worrying time even for the best of practitioners. The…
Read more