Rebecca Reilly-Cooper, senior policy officer at the Information Commissioner’s Office, clears up some common data protection myths in this piece, which originally featured in the Alliance's membership magazine Under 5.
The Information Commissioner’s Office (ICO) is responsible for regulating, advising and providing guidance on the new enhanced data protection laws, the General Data Protection Regulation (GDPR), that came into force on 25 May. We know that childcare professionals have had a lot of questions about what this means for them in terms of processing the data of children in their care.
The message in the run up to 25 May was and still is: don’t panic. 25 May wasn’t a deadline, so if you have been taking steps towards getting ready for the GDPR, then you are doing the right thing. It’s important to remember that this is an evolution of existing data protection laws under the Data Protection Act 1998, so if you have been processing information correctly already, there is no need to invest in new, expensive systems or start from scratch.
I want to set the record straight on some of the myths that have sprung up within the childcare sector.
Myth: GDPR has changed the rules for registering with the ICO
Fact: Under the new legislation, organisations that determine the purpose for which personal data is processed (controllers) must pay the ICO a data protection fee, unless they are exempt. These fees fund our data protection work.
The new data protection fee replaces the requirement to ‘notify’ or register, which was included in the Data Protection Act 1998. We have the power to enforce the 2018 Regulations and serve monetary penalties on those who refuse to pay their data protection fee.
Although the 2018 Regulations came into effect on 25 May 2018, this doesn’t mean that everyone has to pay the new fee from that date. Controllers who have a current registration, or notification, under the 1998 Act do not have to pay the new fee until their existing registration has expired.
Myth: Not-for-profit organisations do not have to register with the ICO
Fact: There is an exemption that means some not-for-profit organisations are not required to pay the data protection fee. But this applies only in very limited certain circumstances.
If you are processing personal data solely for the purposes of establishing or maintaining membership or support of a non-for-profit organisation, or to administer the activities of your members – and if you do not process any other personal data – then you are exempt from paying the fee.
But this is unlikely to apply to not-for-profit childcare providers, who will be processing the personal data of the children they look after. Therefore a not-for-profit childcare provider would still need to pay the fee to the ICO.
Myth: There are now different rules for paper and electronic databases
Fact: If none of your processing is carried out on a computer, then you do not have to pay the data protection fee. This includes any type of computer – laptop, desktop, tablet or cloud computing. It also includes other types of equipment which, although not normally described as computers, have some ability to process automatically. Examples include automatic retrieval systems for audio and visual systems, electronic flexi-time systems, telephone logging equipment, CCTV systems and smartphones.
In other words, if the only data you process is manual data – held on paper and not stored electronically – then you do not have to pay a fee to the ICO. But if any of your data is stored or processed electronically, then you will be required to pay the fee.
This has not changed under GDPR, a similar exemption existed for manual processing under the 1998 Act.
Myth: Small settings and childminders don’t need to pay the fee
Fact: If you are processing personal data for anything other than personal, family or household affairs, then you must pay the fee to the ICO, no matter how small the organisation or how few people you employ. This means that small settings and childminders, even if operating out of their own homes, must pay the appropriate fee.
There are three different tiers of fee, based on how many members of staff you have and your annual turnover. Micro-organisations – those with a turnover of less than £632,000 per year and no more than 10 members of staff – are in Tier 1, which means their fee is £40 a year.
Myth: Data protection legislation requires settings to hold on to data until a child turns 18 or 21
Fact: The GDPR does not set specific time frames on how long personal data must be retained. The law states that data must be retained for no longer than is necessary for the purpose for which it was collected. This leaves it open to organisations to determine for themselves how long it is necessary for them to hold on to data.
You will need to take into account any other legislation you might be subject to, as well as the advice of professional associations. Insurance companies may also have requirements or recommendations about how long you need to retain records.
Whatever retention period you decide upon, you should record this and inform data subjects in your privacy notice how long you plan to keep their data for.
Myth: You must ask for consent before sharing data with your Local Child Safeguarding Board
Fact: Sharing data with third parties does not always require the consent of the data subject. When it comes to safeguarding children, there are times when having to get the consent of the child, or the child’s parents, would be counterproductive. The Data Protection Bill contains a safeguarding provision that allows for data to be shared without consent in these circumstances.
This provision allows for data processing – which would include sharing – where necessary to protect a child from neglect and physical, mental or emotional harm or to protect the child’s physical, emotional or mental wellbeing.
Myth: Early years providers are going to be hit with huge fines
Fact: It is true that under GDPR, the ICO will have the power to impose much bigger fines than before.
But it is scaremongering to suggest that we will be making early examples of organisations for minor infringements, or that maximum fines will become the norm. The ICO prides itself on being a fair and proportionate regulator and this will continue under the GDPR. Our commitment to guiding, advising and educating organisations about how to comply with the law will not change.
Visit the ICO’s website for more information, including a FAQs and self-assessment checklists as well as a dedicated advice line for small organisations. You can also sign up to the ICO’s newsletter for regular updates on guidance and details of their latest webinars.
Alliance members can now also read the latest issue of Under 5 online by logging in to their members' area, here