Data protection and GDPR in nurseries: Everything you need to know to keep data secure
In the UK, nursery schools, like any other organisation, must comply with data protection regulations, including the General Data Protection Regulation (GDPR) and the Data Protection Act.
GDPR principles
GDPR is a comprehensive data protection law that outlines principles for processing personal data to ensure the privacy and protection of individuals' information. Here are the key principles of GDPR:
At the core of GDPR principles are ‘lawfulness’, ‘fairness’ and ‘transparency’, which address the lawful bases for collecting data and mandate that data subjects be informed about how their data is being used.
Other GDPR principles include ‘purpose limitation’, ‘data minimisation’ and ‘storage limitation’, which are intended to limit processing to what is needed for a stated purpose and to ensure that data is deleted when it is no longer required.
Personal data must be accurate and kept up to date and processed in a secure manner that includes protection against unauthorised access.
Compliance with GDPR involves not only following these principles but also being able to demonstrate adherence (the ‘accountability’ principle) through documentation, records of processing and day-to-day data protection practices.
Here is an overview of what nursery schools in the UK need to know about data protection and GDPR.
Data protection guidance for nurseries
Understanding GDPR
GDPR is a regulation implemented to protect the privacy and personal data of individuals. It applies to all organisations that process personal data.
Personal data
Nursery schools process various types of personal data, including children's information, parents' contact details, medical records and sometimes even biometric data for access control or identification purposes. All of this data is subject to GDPR.
Lawful basis for processing
Nursery schools must have a lawful basis for processing personal data under GDPR. For schools, this basis often includes the necessity of processing data for the performance of a contract (education services), compliance with legal obligations (such as safeguarding requirements), or legitimate interests (such as ensuring the safety of children).
Consent
While consent is one lawful basis for processing personal data, it is not always appropriate or practical in the context of nursery schools, especially when dealing with children. In most cases, schools rely on other lawful bases for processing, such as necessity for the performance of a contract or legal obligations.
Data protection principles
Nursery schools must adhere to the data protection principles outlined in the GDPR: lawfulness, fairness and transparency in data processing; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Data security
Nursery schools must implement appropriate technical and organisational measures to ensure the security of personal data. This may include measures such as encryption, access controls, staff training and regular security assessments, all of which reduce the risk of a data breach.
Data subject rights
Under the GDPR, individuals have rights regarding their personal data, including the right of access, rectification, erasure, restriction of processing, data portability and the right to object to processing. Nursery schools must be prepared to facilitate these rights when requested by data subjects (for example parents acting on behalf of their children, or staff).
Data breach notification
Nursery schools are required to report personal data breaches that are likely to result in a risk to individuals' rights and freedoms to the relevant supervisory authority (the Information Commissioner's Office in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Privacy notices and policies
Nursery schools should provide clear and comprehensive privacy notices to parents and guardians, informing them about the types of personal data collected, the purposes of processing, and their rights under the GDPR. Schools should also have data protection policies in place to guide staff on how to handle personal data securely and in compliance with the law.
Data processing agreements
If nursery schools engage third-party service providers (such as cloud storage providers or software vendors) to process personal data on their behalf, they must have appropriate data processing agreements in place to ensure that the third parties comply with GDPR requirements.
It is important for nursery schools to stay informed about data protection regulations, and to review and update their policies and procedures regularly so that their processing remains in line with GDPR and other relevant laws.
Digital risks to children increase GDPR importance
Children constitute one of the most vulnerable groups of people. Historically, there has been focus on children’s physical and mental wellbeing. In recent years, there has been increased focus on the extended risks that result from not protecting children’s data adequately.
What makes nursery children vulnerable?
The voices and interests of children are often not heard or not taken entirely seriously in the wider adult world.
So far as the privacy rights of children are concerned, data protection has become a growing concern among welfare organisations such as UNICEF.
In April 2023, UNICEF chaired a discussion alongside the UK Information Commissioner’s Office, the Irish Data Protection Commission and Apple, discussing why all data protection compliance processes should consider children’s data.
The aim was to reach a wider audience of privacy professionals who may not always think about children in their work, and convince them that they must.
Education sector and nursery schools: data breaches
The education sector is second in the rankings for sectors most vulnerable to security incidents in the UK.
According to a 2023 survey, almost 25% of nurseries experienced a data breach in the preceding 12 months. The survey identified risks of theft and fraud, and reputational damage to nurseries.
There is a heightened duty of care placed on nursery schools to protect the data of their charges.
Young children cannot understand the importance of data privacy or how breaches and, potentially, targeted content can affect their well-being and behaviours.
ICO updates guidance with advice for early years settings
In November 2023, the ICO updated its advice in order to create a safe learning environment for early years children.
The ICO’s tips included ‘Know what to do with your CCTV footage’ as it acknowledges that CCTV is now commonly used to monitor staff, manage health and safety, and to detect and prevent crime.
The ICO cautions that CCTV is likely to capture personal information, such as people’s faces or movements, so operators need to comply with data protection rules.
“As with other types of personal information, people can make a request for the footage of themselves or, in some situations, on behalf of a child. If this footage contains images of other people, you should only disclose the footage if you have the third party’s consent to do so, or if it’s reasonable to do so without their consent. Where this isn’t the case, you should redact the footage to remove or disguise the third parties wherever possible.”
The ICO also places emphasis on regularly training staff about their data protection obligations and confidentiality in and out of the workplace.
Recognising data and reporting data breaches
Day nurseries, pre-schools and nursery schools must all be mindful of data protection compliance. In the first instance that means knowing what ‘personal data’ is.
Any information that identifies someone, either directly or indirectly, is classified as ‘personal data’, whether it relates to staff, suppliers, parents and carers, or to children. Personal data can take the form of electronic records, such as on computer systems, CCTV footage, images on the internet, or hard copy, such as paper documents, printed brochures or photographs.
Under GDPR, a reportable breach must be notified to the ICO within 72 hours of the school becoming aware of it; late or missing notifications can lead to censure, sanctions or fines. Breaches that do not meet the reporting threshold must still be recorded internally.
Nursery data subject access requests
A request for personal information is known as a subject access request (SAR). The nursery must ensure that it is appropriate for the requester to see the information, and that personal data relating to third parties is removed (redacted) before the information is shared, unless it is appropriate to disclose it (for example, with the third party's consent).
Accidentally breaching other pupils' privacy rights when sharing data in documents or video footage is itself a personal data breach under GDPR.
Common data breaches in nurseries and consequences
One of the most common causes of data breaches, generally and not just in schools, is failure to use blind carbon copy (BCC) when sending emails. Every recipient then sees every other recipient's address, and the recipient list itself can reveal sensitive information, such as medical, financial or legal circumstances, to unintended and unauthorised viewers.
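As an added example, not code from the original article, this is the check a mail gateway or send hook could run before an outbound message leaves the nursery: parse the recipients that every reader will be able to see (To and Cc), and block the message if it exposes more than one external address. The nursery domain, the threshold and the two sample messages are assumptions constructed for illustration.

```python
"""Outbound-mail check for the 'forgot to use BCC' failure mode.

Added example, not code from the original article. Assumes a mail
gateway or send hook that hands the raw RFC 5322 message to Python
before delivery; the nursery domain, the policy threshold and the
sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-nursery.co.uk"  # assumed: the nursery's own mail domain
MAX_VISIBLE_EXTERNAL = 1                   # assumed policy: at most one external address may be visible


def visible_recipients(raw_message: str) -> list[str]:
    """Return every address a recipient will be able to see (To and Cc).

    Bcc is deliberately ignored: those addresses are stripped by the
    sending server and are never shown to the other recipients.
    """
    msg = message_from_string(raw_message)
    addrs = []
    for header in ("To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                addrs.append(addr.strip().lower())
    return addrs


def check_bcc_policy(raw_message: str) -> dict:
    """Flag a message whose visible recipients expose external addresses to each other."""
    visible = visible_recipients(raw_message)
    external = sorted({a for a in visible if not a.endswith("@" + INTERNAL_DOMAIN)})
    return {
        "visible_external": external,
        "block": len(external) > MAX_VISIBLE_EXTERNAL,
    }


# Constructed sample 1: a circular sent with every parent in To (the breach).
MASS_MAIL_IN_TO = """\
From: office@example-nursery.co.uk
To: parent.one@example.com, parent.two@example.org
Cc: manager@example-nursery.co.uk
Subject: Children entitled to free Christmas lunch

Dear parents, ...
"""

# Constructed sample 2: the same circular sent correctly, with parents in Bcc.
MASS_MAIL_IN_BCC = """\
From: office@example-nursery.co.uk
To: office@example-nursery.co.uk
Bcc: parent.one@example.com, parent.two@example.org
Subject: Children entitled to free Christmas lunch

Dear parents, ...
"""

if __name__ == "__main__":
    for label, raw in (("To/Cc", MASS_MAIL_IN_TO), ("Bcc", MASS_MAIL_IN_BCC)):
        print(label, check_bcc_policy(raw))
```

The threshold of one visible external address is a policy choice: a message to a single parent is normal, while two or more external addresses visible to each other almost always should have gone in Bcc. Note that the subject line in the constructed sample is the kind of recipient-list disclosure described below, where the fact of being on the list is itself the sensitive information.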
Other examples of accidental data breaches include:
Sending personal data to the wrong person via a letter or email.
A primary school mistakenly sent a confidential email discussing the redundancy of a member of staff to parents, which included the staff member’s name and home address.
A primary school accidentally sent a list of children entitled to free Christmas lunches to every parent.
Revealing a pupil’s medical information to members of their class.
Unauthorised staff members gaining access to filing cabinets or electronic records that contain sensitive information.
The potential consequences for pupils whose privacy is breached include bullying and discrimination; for a member of staff, a breach can mean serious and lasting professional harm.
How to protect nursery school data
One of the biggest risks of GDPR violations occurs when data is shared with third parties.
Complete our enquiry form to find out about Facit’s video redaction and document redaction tools that enable nurseries and schools to manage privacy compliance by automatically removing personal data prior to releasing information.