
Preparation for the GDPR (#7 of 12)



Following on from a forum question I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year.
I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525]
Things you need to know:
•    GDPR stands for: General Data Protection Regulation
•    The new regulation comes into effect from 25th May 2018
•    Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them!
Something you need to do first: Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. 

You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11.
This is what early years settings might like to think about in preparation. 
•    Use the '12 steps to take now' document to audit what they already do to meet data protection requirements. 
•    Use the audit sheet to document the audit process
•    Collate details from 'To Do' list - make action plan 
•    Complete action plan!
This is #7 of 12 threads which will help you think about what you need to do to be ready for 25th May

7.    Consent

The 7th aspect you need to take into account when working to ensure GDPR compliance is the issue of consent.
This is from the ICO website “Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.  The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.”
This means that you must be sure that you are clear and concise when you explain to people what data you are collecting and why. If you are relying on consent as a lawful basis to have and to use that data, you must make it easy for people to withdraw consent and tell them how.
In early years, you are likely to be collecting data to enable you to contact parents or to allow you to measure children’s progress – you will have worked out why you are collecting data as part of your audit in #2. For some data you will be collecting because of a legal obligation (to meet Statutory Framework requirements) e.g. name and address of every parent and/or carer (SF 3.72) and if a parent really doesn’t want you to collect that, they won’t be able to send their child to you, so they won’t be able to ask you to delete it without ending their contract with you. There are some things though that wouldn’t prevent you providing your services to the child, but might affect aspects of it. For example, if a parent refuses to give consent for you to share their child’s details with the local authority you would not be able to claim early years education entitlement.
So, whilst some of the data you process will be based on a legal obligation or contract, there are things that you will need consent to collect and keep data about, for example data about their religion or anything you’ll be using for the purposes of marketing (although you might be able to argue legitimate interest). If you are relying on consent, you will need to clearly and concisely explain to parents why you need that data and be prepared not to collect if they withhold their consent. If a parent wishes to withdraw their consent this must be easy for them to do at any point.
The ICO is developing further specific guidance on children’s privacy. It will include more detail on identifying an appropriate lawful basis for processing children’s data, and issues around age verification and parental authorisation.


30 minutes ago, ashcrouch said:

I would be interested in knowing how long to keep various bits of paperwork as well if anyone has any links?

This is the most recent thread about this matter - there is a link within the thread that has the PLA's record retention document. Hope that helps :)


  • 3 weeks later...

Has step 8 been published yet? Working my way through the checklist and have realised I'm keeping far too much! Once we know what we are keeping and why is the next step to send out / attach a copy of what data we keep/for how long/why to all the service users as part of our policies?


OMG How much am I keeping unnecessarily  O.o .... the shredder is going into overdrive!:D 


This is the link to how long we are supposed to keep records in Kent, I'm assuming that this will be updated in line with the GDPR?

