We tend to think of data protection in relation to corporations, however all data controllers and data processors must uphold the standards of the Data Protection Act 2018 (DPA 2018) – this is the UK’s implementation of the General Data Protection Regulation (GDPR).
A data controller is any individual or organisation who owns, controls, and is responsible for personal information about data subjects; data processors are any persons or organisation that processes data on the data controller’s behalf. If you are a childminder, you act as the data controller, as you will collect information about the children in your care, e.g., their parents’ contact information, home addresses and so on; you will then determine the purpose for which this information is used and the means by which it will be processed.
As data controllers under the DPA 2018 and GDPR, you are held responsible for, and must be able to demonstrate compliance with, the principles of data protection. These are: lawfulness, fairness and transparency, data minimisation, accuracy, storage limitation and integrity, and confidentiality of personal data.
Protecting Children’s Data
A separate set of restrictions surround child data protection in order to safeguard children. Childminders must ensure they understand and comply with these requirements to protect the children in their care and defend themselves against data breaches. Only parents/carers with parental responsibility can provide personal data on the behalf of a child and issue consent for this data to be collected. Childminders are required to make reasonable efforts to ensure that the person providing this data does in fact hold parental responsibilities for the child. Once over the age of thirteen years old children can give their consent directly for the processing of their personal data. It is important to recognise that children have the same rights as adults over their personal data. These rights include: access, correction, erasure, processing restriction, portability, objection to processing, information on processing and rights relating to automated decision making.
Special Category Data
Childminders belong in a group of professionals who are likely to access personal information that falls into the ‘special data’ category, e.g. health information such as allergies, medications, and so on. This data is regarded as highly sensitive, so those who control it must comply with the GDPR’s ten conditions for processing special category data in Article 9 (2).
Privacy Notices
With an increased focus on transparency under the DPA 2018, childminders are now required to issue privacy notices. These notices will explain how and why personal data will be processed and should be made readily accessible to parents and children. Any correspondence addressed to children should be simple and easy to understand.
Sharing Personal Data
Sometimes childminders will be required to share the personal data that they hold with others, for example with other care providers, emergency back-up childminders, or other professionals working with the child. A GDPR Data Sharing Agreement is required for information sharing in these situations.
Why is Data Protection Important for Childminders?
Data protection is important for all data controllers, but especially for childminders given the nature of sensitive data that they will process/store about children. The rigorous data protection requirements surrounding both children’s data and special category data means that good data protection training is a necessity for all childminders. The absence of data protection awareness and policy implementation can result in data breaches. Breaches can have unprecedented effects on individuals, often resulting in emotional, physical, and financial damage.