Facit Data Systems

Nursery school data privacy compliance in the spotlight

Learn how data protection in early years education has become a concern for organisations such as UNICEF. In this article, we look at how day nurseries, pre-schools and nursery schools must be increasingly mindful of data protection, and what steps they can take to operate compliantly.

Extended digital risks to children increase importance of nursery school GDPR data compliance

It should be obvious, or a matter of universal agreement, that children constitute one of the most vulnerable groups of people. Historically, there has been focus on children’s physical and mental wellbeing. In recent years, there has been increased focus on the extended risks that result from not protecting children’s data adequately.

What makes children vulnerable?

Children are vulnerable because they do not choose the social and physical environments in which they grow up. Plus, the voices and interests of children are often not heard or not taken entirely seriously in the wider adult world.

So far as the privacy rights of children are concerned, data protection has become a growing concern among welfare organisations such as UNICEF.

In April 2023, UNICEF chaired a discussion alongside the UK Information Commissioner’s Office, the Irish Data Protection Commission, and Apple, discussing why all data protection compliance processes should consider children’s data. The aim was to reach a wider audience of privacy professionals who may not always think about children in their work, and convince them that they must.

Education sector and nursery schools experience high number of data breaches

The education sector is second in the rankings for sectors most vulnerable to security incidents in the UK.

According to a 2023 survey, almost 25% of nurseries experienced a data breach in the preceding 12 months. The survey identified risks of theft and fraud, and reputational damage to nurseries.

There is a heightened duty of care placed on nursery schools to protect the data of their charges.

Young children cannot understand the importance of data privacy or how breaches and, potentially, targeted content can affect their well-being and behaviours.

How do nurseries stay data privacy compliant?

UK GDPR is a law that requires all organisations, including nurseries and schools, to protect individuals’ rights and privacy. The Information Commissioner’s Office (ICO) regulates GDPR and can investigate nurseries and their data protection processes if concerns are highlighted.

The ICO provides seven principles as the foundation of policies and practices regarding personal data, which apply to nurseries as much as to any company or organisation.

  • Data must be collected and processed in a lawful, fair and transparent way.

  • The purpose of collecting the data must be legitimate.

  • Only necessary data should be collected and processed.

  • Data must be accurate.

  • Personal information should only be kept for as long as necessary.

  • Data should be processed securely and protected against accidental loss, destruction or damage.

  • Compliance must be demonstrated with GDPR principles and data protection regulations.

It is vital to create a safe learning environment for early years children, which includes making sure that information held about them is used properly, shared appropriately and kept safe.

ICO updates guidance with advice for early years settings

In November 2023, the ICO updated its advice in order to create a safe learning environment for early years children.

The ICO’s tips included ‘Know what to do with your CCTV footage’ as it acknowledges that CCTV is now commonly used to monitor staff, manage health and safety, and to detect and prevent crime.

The ICO cautions that CCTV is likely to capture personal information, such as people’s faces or movements, so operators need to comply with data protection rules.

“As with other types of personal information, people can make a request for the footage of themselves or, in some situations, on behalf of a child. If this footage contains images of other people, you should only disclose the footage if you have the third party’s consent to do so, or if it’s reasonable to do so without their consent. Where this isn’t the case, you should redact the footage to remove or disguise the third parties wherever possible.”

The ICO also places emphasis on regularly training staff about their data protection obligations and confidentiality in and out of the workplace.

Recognising data and reporting data breaches

Day nurseries, pre-schools and nursery schools must all be mindful of data protection compliance. In the first instance that means knowing what ‘personal data’ is.

Any information that identifies someone, either directly or indirectly, is classified as ‘personal data’, whether it relates to staff, suppliers, parents and carers, or to children. Personal data can take the form of electronic records, such as on computer systems, CCTV footage, images on the internet, or hard copy, such as paper documents, printed brochures or photographs.

Under GDPR, schools have a maximum of 72 hours to report a data breach to the ICO, or schools can face censure, sanctions or fines.

Nursery schools need to be aware of:

  • What information they hold and in what formats

  • Why data is held and for how long it needs to be kept

  • How to keep data safe

  • How to share data compliantly

The last point about sharing data relates to the rights that people have over their personal information, which includes being able to ask for a copy of the information held about them.

A request for personal information is known as a subject access request (SAR). The nursery must ensure that it is appropriate for the requester to see the information, and that any personal data relating to all but the subject is removed (redacted) before the information is shared. Accidentally breaching other pupils’ privacy rights when sharing data in documents or video footage constitutes a GDPR breach.

Common data breaches in schools and potential consequences

The most common cause of data breaches – generally, not just in schools – is failure to use blind carbon copy (BCC) when sending emails. Failure to use BCC results in sensitive information, such as medical, financial and legal information, being shared with unintended and unauthorised viewers.

Other examples of accidental data breaches include:

  • Sending personal data to the wrong person via a letter or email.

  • A primary school mistakenly sent a confidential email discussing the redundancy of a member of staff to parents, which included the staff member’s name and home address.

  • A primary school accidentally sent a list of children entitled to free Christmas lunches to every parent.

  • Revealing a pupil’s medical information to members of their class.

  • Unauthorised staff members gaining access to filing cabinets or electronic records that contain sensitive information.

The potential consequences for pupils whose privacy is breached include bullying and discrimination and, for a member of staff, professional ruin.

Extreme consequences that can result from inadequate child data protection

Compared to most adults, children are unlikely to have the means or understanding to protect their data.

Marketers, political activists, criminals and sexual predators are usually adults with developed motives and the resources to exploit children’s data. These adults generally want to change children’s behaviours to benefit their own economic, political or sexual exploitation agendas.

Professionals use any digital means to achieve their goals. Social media has regrettably become a fertile environment for exploitation. Children’s data is used to identify potential victims and those who are easily influenced and susceptible to social engineering.

Social media fraud is also on the rise. For example, Instagram scammers build a profile with personal information to pretend to be someone. They collect images of the person’s family and hobbies, then contact the person’s friends and network with scams.

Children’s nursery pictures can be used to build a lifelike profile, which means, even with parental consent to their child’s image being shared on social media pages, nurseries should be aware of potential dangers.

One of the biggest risks of GDPR violations occurs when data is shared with third parties. Complete our enquiry form to find out about Facit’s video redaction and document redaction tools that enable nurseries and schools to manage privacy compliance by automatically removing personal data prior to releasing information.