FSFRebecca Posted April 3, 2018

As some of you lovely people know I also (as well as being part of the FSF team) have my own setting ... I thought it might be 'fun' to compare 'To Do' lists! I've done some of these things, but by no means all!

- GDPR Audit
- GDPR staff meeting #1 explaining to everyone why I'm rummaging through staff files etc.
- GDPR staff meeting #2 to update and discuss with staff what changes to policies and procedures we need to make: clear desk policy, amend close down and opening procedures as more items need to be locked away, remind of professional conduct, confidentiality, home working
- Write to all 3rd party providers to check their GDPR compliance status and keep a record of responses, consider changing providers if they are not going to be compliant
- Create letter listing staff data being held
- Write to all staff explaining what data I am holding about them and why. Get consent signed and dated
- Create letter listing child and parent data being held
- Write to all families explaining what data I am holding about them and why. Get consent signed and dated. Give parents option to complete new (GDPR compliant) enrolment form and destroy 'old' enrolment form
- Redo existing enrolment form to ensure compliance with GDPR, use with all new families and with existing families who wish to switch
- Upload new enrolment form to website
- Check locks/keys on filing cabinets
- Go through nursery emails and delete details from ex-families and contacts
- Run anti-virus checker on all computers
- Change all nursery passwords just to be sure that only staff who 'need to know', know
- Purchase and fit encryption keys for all computers and laptops
- Check displays and notice boards to ensure that only necessary data is displayed (if any)

zigzag Posted April 3, 2018

Out of interest what is an encryption key and should I be getting one for the laptop?

FSFRebecca (Author) Posted April 3, 2018

An encryption key is a little usb thingy that you can use to provide an additional level of security on your computers. We have them here at FSF. Basically they are set so that your computer won't start without the usb in. Then if someone steals the PC they can't get to your data, even if they know your password - the pc just won't start. Once you have started your pc you lock the usb away in a different place to the pc (in the safe?). I'll ask one of the FSF tech genies to put a 'how to' guide up here. I think the usbs themselves cost about £7 each.

finleysmaid Posted April 3, 2018

If you don't need to encrypt everything I found this info....

Right-click on the file or folder you want to encrypt – my example here is a folder called “Sensitive Documents” – and click on Properties. In the resulting dialog, on the General tab, click on Advanced. In the resulting “Advanced Attributes” dialog, make sure that “Encrypt contents to secure data” is checked. Click OK.

FSFRebecca (Author) Posted April 3, 2018

Just now, finleysmaid said:

If you don't need to encrypt everything I found this info.... Right-click on the file or folder you want to encrypt – my example here is a folder called “Sensitive Documents” – and click on Properties. In the resulting dialog, on the General tab, click on Advanced. In the resulting “Advanced Attributes” dialog, make sure that “Encrypt contents to secure data” is checked. Click OK.

Yes, that works - this is more about the whole laptop - then you don't have to remember to put files in particular places, because the laptop just won't work

Rafa Posted April 3, 2018

Can you tell me how the new GDPR compliant enrolment form would differ please Rebecca?

FSFRebecca (Author) Posted April 3, 2018

Yes, I'm going through it and making sure that I am only asking for things I need as part of the contract not things I'd just like to know (such as parents' job for 'people who help us'). There will be a draft copy for you to see on here tomorrow afternoon - I'm also making an annotated copy that links to the stat framework so that I can 'prove' contract requirement.

Basically I have 3 types of data I want to collect:

- Contractual - e.g. name and contact details for parents / carers - so that I can fulfil my statutory framework duty
- Consent - e.g. use of Tapestry - things that are not required according to statutory framework but which are non-negotiable by me (Basically, if you don't want me to use Tapestry for your child then this isn't the right setting for you)
- Permissions - e.g. walks to the local environment - if parents don't give permission it doesn't really matter, we can work around it

finleysmaid Posted April 3, 2018

The PSLA have done a few minor adjustments (but appear to say they are going to do some more). There are definitely changes I can see. No NHS number ... we are asked for this when we work with the health authority so that could be an issue for us. Religion is included but ethnicity is very much an 'OPT IN' only. As Rebecca says no occupation or personal data asked for but I assume you could put that in if it was made clear what you were going to use it for and by whom. ???? Application to join has also changed and has a reference to terms and conditions in it.

Tim Posted April 3, 2018

Encryption is making information unreadable to those who do not have the right "key" to unlock it. Without the key, even if someone gets hold of your documents, they will just appear as nonsense.

There are many ways to encrypt your documents using a range of different software packages. If you are using a Windows based PC, Windows 10 Pro and Enterprise versions come with BitLocker which can be used to encrypt your whole hard disk. As pointed out above, you can also encrypt selected folders in Windows, which also uses BitLocker.

You will need to make some choices about how you want to unencrypt your information: Obviously, when you want to access your documents, you want them to be understandable again, so you need to create a key to unlock your data. Some modern PCs have a TPM chip, which will store your key for you - this means that anyone trying to access your documents from anywhere else (someone gaining access to your WiFi for example) will not be able to, but if someone were to get access to your actual computer they could still access your documents. So, as well as using a TPM chip, which is good practice if you have one, you can also set up either an additional password to use when you turn on your computer or, as I prefer, use a USB key. You can use any USB drive for this, and it simply needs to be inserted into a USB port when the computer is turned on. Once the computer is up and running, the USB key can be removed and should not be stored with the computer.

There is a useful guide to BitLocker here: https://www.windowscentral.com/how-use-bitlocker-encryption-windows-10 but this is only one of many tools that you can choose from. Your anti-virus / anti-malware software may include drive encryption if you do not have a version of Windows that includes BitLocker.

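The TPM plus USB startup key setup Tim describes, as an added example that is not part of the original post: a PowerShell sketch using the built-in BitLocker cmdlets, run from an elevated prompt on Windows 10 Pro or Enterprise. The drive letters (C: for the system drive, E: for the USB stick) are assumptions, and Windows may refuse the startup-key option until the "Require additional authentication at startup" Group Policy setting permits it.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumptions: C: is the operating-system drive, E: is the USB stick that
# will hold the startup key. Change both to match the machine.
$osDrive = 'C:'
$usbPath = 'E:\'

# 1. A TPM + startup key protector needs a TPM that is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'No ready TPM found; the TPM + startup key option cannot be used here.'
}

# 2. Leave the drive alone if it is already encrypted or part-way through.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "BitLocker on $osDrive is already '$($vol.VolumeStatus)'; nothing changed."
    return
}

# 3. Add a recovery password first, so a lost or broken USB stick does not
#    mean lost data. Record it and keep it away from the laptop.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

# 4. Turn BitLocker on with the TPM and a startup key written to the USB stick.
#    If Windows refuses this protector, the Group Policy setting
#    "Require additional authentication at startup" has to allow a startup
#    key with the TPM. Encryption starts after the next restart, once the
#    hardware test has confirmed the USB key can be read at boot.
Enable-BitLocker -MountPoint $osDrive `
    -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly `
    -TpmAndStartupKeyProtector `
    -StartupKeyPath $usbPath | Out-Null

# 5. List the protectors now on the drive, including the recovery password
#    that needs to be written down.
(Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId, RecoveryPassword
```

After the restart, `Get-BitLockerVolume -MountPoint 'C:'` shows the encryption percentage and whether protection is on.
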
Mouseketeer Posted April 3, 2018

48 minutes ago, Rebecca said:

Permissions - e.g walks to the local environment - if parents don't give permission it doesn't really matter, we can work around it

How are you going to work around it? .....put them in the filing cabinet until you get back

finleysmaid Posted April 3, 2018

29 minutes ago, zigzag said:

I too was wondering how you could work around that😀

45 minutes ago, Mouseketeer said:

How are you going to work around it? .....put them in the filing cabinet until you get back

As a relatively small setting this has happened to us before and caused a huge amount of problems! We eventually worked out why the parent had such an issue and agreed that if we took her children out they would always hold a teacher's hand until we got to the venue etc etc. I think I would now say that this was part of their development and teaching programme and therefore was essential

FSFRebecca (Author) Posted April 3, 2018

If it’s essential to your setting then you need consent. For us, permission is sufficient as we don’t all go out at once so there are always others still at Nursery. We go out very rarely as we have a huge garden.

finleysmaid Posted April 3, 2018

There's a very fine line between consent and permission though, in fact under definitions they are the same thing...or do you have some evidence that I haven't found yet for the difference?

Mouseketeer Posted April 3, 2018

It was only tongue in cheek really, though on the very rare occasions it’s happened it is a problem for us. I find if you ask a parent again in a few weeks they are happy to give permission as they've built that trust in you as a setting, but now if planned walks I’d be saying fine ‘come with us or pick them up by’.

finleysmaid Posted April 3, 2018

ok so from the ICO:

Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair. If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis. Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given.

Therefore if you are asking for consent then you must be prepared for a no. Otherwise we need to ask under a different lawful process......sorry I'm thinking my way through this...I may be completely off track.

zigzag Posted April 3, 2018

1 hour ago, finleysmaid said:

ok so from the ICO: Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair. If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis. Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given. Therefore if you are asking for consent then you must be prepared for a no. Otherwise we need to ask under a different lawful process......sorry I'm thinking my way through this...I may be completely off track.

😳🤪😟🤯😲😴🤨

Mouseketeer Posted April 4, 2018

Thanks for the ‘To do List’, I’m sure you’ve added everything, regarding the 3rd party did you write to:

- County / funding / EYA children’s services
- FSF/Tapestry
- suppliers
- other settings/schools you share info with
- bank
- payroll company (if using one)
- HMRC
- Salt, portage etc
- utility companies
- training companies used

Who else?

Did you just ask them to confirm they will be GDPR compliant or for more details like how they store your information? Have they replied? Was anyone offended? Has anyone asked you if you comply? ..no one has asked me

Thank You

My done list looks like this:

FSFRebecca (Author) Posted April 4, 2018

51 minutes ago, Mouseketeer said:

Thanks for the ‘To do List’, I’m sure you’ve added everything, regarding the 3rd party did you write to: County / funding / EYA children’s services, FSF/Tapestry, suppliers, other settings/schools you share info with, bank, payroll company (if using one), HMRC, Salt, portage etc, utility companies, training companies used. Who else? Did you just ask them to confirm they will be GDPR compliant or for more details like how they store your information? Have they replied? Was anyone offended? Has anyone asked you if you comply? ..no one has asked me. Thank You. My done list looks like this:

We sent out these questions:

"We are in the middle of assessing for the new GDPR which is due to come into effect in May and we are checking with our 3rd parties regarding any of our data held. Please could you advise the following so we can sign this off

- How the data you process on our behalf will be handled?
- Can you also confirm that you will be compliant with the new regulations when it comes into effect?
- Can you confirm how the data is stored and whether this is shared with a 3rd party?
- Lastly, how is the data deleted from your system when you no longer need it any more?"

We sent it to most of the people on the list you have just thought of - there are a few there that I can see I need to add! No one was offended and one very large early years company was totally not compliant - but is now (not FSF or Tapestry)

Mouseketeer Posted April 4, 2018

Thanks for the reply Rebecca and ideas for questions, to be honest I’m not too worried about offending companies but more don’t want to upset other settings and have them thinking ‘who does she think she is’ when it’s taken years to form those relationships and break down the barriers of being ‘in competition’.

Edit - Just thought of insurance company to add, though they clearly just lose my info from one year to the next as every year they phone to ask what the building is constructed of and I have to bite my tongue and not say ‘the same thing it was built of last year’

Edited April 4, 2018 by Mouseketeer

FSFRebecca (Author) Posted April 4, 2018

15 hours ago, finleysmaid said:

ok so from the ICO: Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair. If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis. Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given. Therefore if you are asking for consent then you must be prepared for a no. Otherwise we need to ask under a different lawful process......sorry I'm thinking my way through this...I may be completely off track.

Yes, interesting. I think I tried to get it too simple! Thank you for checking me!

17 hours ago, Rebecca said:

Yes, I'm going through it and making sure that I am only asking for things I need as part of the contract not things I'd just like to know (such as parents' job for 'people who help us'). There will be a draft copy for you to see on here tomorrow afternoon - I'm also making an annotated copy that links to the stat framework so that I can 'prove' contract requirement. Basically I have 3 types of data I want to collect: Contractual - e.g. name and contact details for parents / carers - so that I can fulfil my statutory framework duty. Consent - e.g. use of Tapestry - things that are not required according to statutory framework but which are non-negotiable by me (Basically, if you don't want me to use Tapestry for your child then this isn't the right setting for you). Permissions - e.g. walks to the local environment - if parents don't give permission it doesn't really matter, we can work around it

So ... really long and confusing conversations between Lauren and I this morning!! This is where we are:

- anything that for your setting is non-negotiable is contract (these are things that if the parent didn't give you the data or say 'yes' to would prevent you from delivering your service)
- things that concern data but which parents have a choice over is consent (so, telling me your job so that I can contact you for 'people who help us' topic for example)
- things that do not concern data but which parents have a choice over is a permission (so, can I take your child for a walk?)

Phew ... I'm going for a lie down.

Lauren Posted April 4, 2018

Hopefully that makes sense... It's totally nuts that everyone is now expected to be able to work all this out (or pay someone else to do it!) I'll send the bill for all the chocolate I'm going to have to feed Rebecca to coax her out from under her desk to whoever came up with this regulation!

Mouseketeer Posted April 4, 2018

Well I just failed question 2 anyway as now apparently we won't need to be registered with ICO ...and am also confused by this:

“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

If my committee are the 'controller', what are staff (employees) in relation to all this? I was thinking they and me would be the 'processors' as we handle the data?

Lauren Posted April 4, 2018

I think you would count as a controller too Mouseketeer - sorry! The way I see it is it's about who is making decisions and controlling who has access to what data. So for example, you (as a setting), decide to send a parent a newsletter, you decide when you update their address, you decide where you store the data, you take photos of the children... so you're the controller. You might handle the data but not blindly and not only in the very specific ways the committee tells you to, right?

Mouseketeer Posted April 4, 2018

At the rate I'm getting through chocolate and Easter biscuits all I'm going to be is the Fat Controller! Right so to clarify I (as manager) will be joint controller with the committee, so what are the other staff? They're not data processors as employed but they do handle a lot of the children's info through Tapestry (taking photos, progress tracking etc), 2 yr checks, getting to know me forms, some SEN paperwork/reports. I bet you'll both be glad when we go back to work :-/

Rafa Posted April 4, 2018

5 hours ago, Mouseketeer said:

Thanks for the ‘To do List’, I’m sure you’ve added everything, regarding the 3rd party did you write to: County / funding / EYA children’s services, FSF/Tapestry, suppliers, other settings/schools you share info with, bank, payroll company (if using one), HMRC, Salt, portage etc, utility companies, training companies used. Who else? Did you just ask them to confirm they will be GDPR compliant or for more details like how they store your information? Have they replied? Was anyone offended? Has anyone asked you if you comply? ..no one has asked me. Thank You. My done list looks like this:

5 hours ago, Mouseketeer said:

May be a stupid question but why would you need to ask suppliers, utilities, if they are compliant? What data are you sharing with them? Apart from your own e.g. address and bank details??? Sorry, getting seriously confused with all this 🤔😳😩

Rafa Posted April 4, 2018

Cannot even work this now! 😁 I said that.....not Mouseketeer (is that contravening ...........)???

Edited April 4, 2018 by Rafa

Panders Posted April 4, 2018

Do you think any other companies are going to have such confusing examples as we do? Is it peculiar to us because we are both controllers and processors?

playgroup1 Posted April 4, 2018

How do we go about with the information we get from prospective parents when they go on a waiting list for places? Some parents send me their child's name, date of birth and their names, phone numbers and email addresses by email or text or fill in a form if they visit? They don't all end up taking up a place but I have their information anyway.

FSFRebecca (Author) Posted April 4, 2018

If you have their information but they are not coming to you then you have no 'right' to keep it. You should delete it. For those that are coming to you, just not yet, they would be the same as your existing families. I will be contacting all of my families regarding GDPR and getting permission to keep the data I already have. I will offer them the option of completing my new GDPR compliant enrolment form if they would prefer and then I will destroy their old enrolment form.