Facit Data Systems

Data protection and GDPR in nurseries: Everything you need to know

Nursery schools, like any other organisation, must comply with data protection regulations, including the General Data Protection Regulation (GDPR). Here's an overview of what nursery schools in the UK need to know about data protection and GDPR.

Data protection guidance for nurseries

  1. Understanding GDPR
    The GDPR is a regulation implemented to protect the privacy and personal data of individuals. It applies to all organisations that process personal data.

  2. Personal data
    Nursery schools process various types of personal data, including student information, parents' contact details, medical records, and sometimes even biometric data for access control or identification purposes. All of this data is subject to GDPR regulations.

  3. Lawful basis for processing
    Nursery schools must have a lawful basis for processing personal data under GDPR. For schools, this basis often includes the necessity of processing data for the performance of a contract (education services), compliance with legal obligations (such as safeguarding requirements), or legitimate interests (such as ensuring the safety of students).

  4. Consent
    While consent is one lawful basis for processing personal data, it is not always appropriate or practical in the context of nursery schools, especially when dealing with children. In most cases, schools rely on other lawful bases for processing, such as necessity for the performance of a contract or legal obligations.

  5. Data protection principles
    Nursery schools must adhere to the data protection principles outlined in the GDPR, which include principles such as lawfulness, fairness, and transparency in data processing; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.

  6. Data security
    Nursery schools must implement appropriate technical and organisational measures to ensure the security of personal data. This may include measures such as encryption, access controls, staff training, and regular security assessments.

  7. Data subject rights
    Under the GDPR, individuals have rights regarding their personal data, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing. Nursery schools must be prepared to facilitate these rights when requested by data subjects (students or parents).

  8. Data breach notification
    Nursery schools are required to report certain types of data breaches to the relevant supervisory authority (such as the Information Commissioner's Office in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

  9. Privacy notices and policies
    Nursery schools should provide clear and comprehensive privacy notices to parents and guardians, informing them about the types of personal data collected, the purposes of processing, and their rights under the GDPR. Schools should also have data protection policies in place to guide staff on how to handle personal data securely and in compliance with the law.

  10. Data processing agreements
    If nursery schools engage third-party service providers (such as cloud storage providers or software vendors) to process personal data on their behalf, they must have appropriate data processing agreements in place to ensure that the third parties comply with GDPR requirements.

It is important for nursery schools to stay informed about data protection regulations and to regularly review and update their policies and procedures to ensure compliance with the GDPR and other relevant laws.

Digital risks to children increase GDPR importance

Children constitute one of the most vulnerable groups of people. Historically, there has been focus on children’s physical and mental wellbeing. In recent years, there has been increased focus on the extended risks that result from not protecting children’s data adequately.

What makes nursery children vulnerable?

The voices and interests of children are often not heard or not taken entirely seriously in the wider adult world.

So far as the privacy rights of children are concerned, data protection has become a growing concern among welfare organisations such as UNICEF.

In April 2023, UNICEF chaired a discussion alongside the UK Information Commissioner’s Office, the Irish Data Protection Commission, and Apple, discussing why all data protection compliance processes should consider children’s data.

The aim was to reach a wider audience of privacy professionals who may not always think about children in their work, and convince them that they must.

Education sector and nursery schools: data breaches

The education sector is second in the rankings for sectors most vulnerable to security incidents in the UK.

According to a 2023 survey, almost 25% of nurseries experienced a data breach in the preceding 12 months. The survey identified risks of theft and fraud, and reputational damage to nurseries.

There is a heightened duty of care placed on nursery schools to protect the data of their charges.

Young children cannot understand the importance of data privacy or how breaches and, potentially, targeted content can affect their well-being and behaviours.

ICO updates guidance with advice for early years settings

In November 2023, the ICO updated its advice in order to create a safe learning environment for early years children.

The ICO’s tips included ‘Know what to do with your CCTV footage’ as it acknowledges that CCTV is now commonly used to monitor staff, manage health and safety, and to detect and prevent crime.

The ICO cautions that CCTV is likely to capture personal information, such as people’s faces or movements, so operators need to comply with data protection rules.

“As with other types of personal information, people can make a request for the footage of themselves or, in some situations, on behalf of a child. If this footage contains images of other people, you should only disclose the footage if you have the third party’s consent to do so, or if it’s reasonable to do so without their consent. Where this isn’t the case, you should redact the footage to remove or disguise the third parties wherever possible.”

The ICO also places emphasis on regularly training staff about their data protection obligations and confidentiality in and out of the workplace.

Recognising data and reporting data breaches

Day nurseries, pre-schools and nursery schools must all be mindful of data protection compliance. In the first instance that means knowing what ‘personal data’ is.

Any information that identifies someone, either directly or indirectly, is classified as ‘personal data’, whether it relates to staff, suppliers, parents and carers, or to children. Personal data can take the form of electronic records, such as on computer systems, CCTV footage, images on the internet, or hard copy, such as paper documents, printed brochures or photographs.

Under GDPR, schools have a maximum of 72 hours to report a data breach to the ICO, or schools can face censure, sanctions or fines.

Nursery data subject access requests

A request for personal information is known as a subject access request (SAR). The nursery must ensure that it is appropriate for the requester to see the information, and that any personal data relating to anyone other than the subject is removed (redacted) before the information is shared.

Accidentally breaching other pupils’ privacy rights when sharing data in documents or video footage constitutes a GDPR breach.

Common data breaches in nurseries and consequences

The most common cause of data breaches – generally, not just in schools – is failure to use blind carbon copy (BCC) when sending emails. Failure to use BCC results in sensitive information, such as medical, financial and legal information, being shared with unintended and unauthorised viewers.

Other examples of accidental data breaches include:

  • Sending personal data to the wrong person via a letter or email.

  • A primary school mistakenly sent a confidential email discussing the redundancy of a member of staff to parents, which included the staff member’s name and home address.

  • A primary school accidentally sent a list of children entitled to free Christmas lunches to every parent.

  • Revealing a pupil’s medical information to members of their class.

  • Unauthorised staff members gaining access to filing cabinets or electronic records that contain sensitive information.

The potential consequences for pupils whose privacy is breached include bullying and discrimination, and, for a member of staff, professional ruin.

How to protect nursery school data

One of the biggest risks of GDPR violations occurs when data is shared with third parties.

Complete our enquiry form to find out about Facit’s video redaction and document redaction tools that enable nurseries and schools to manage privacy compliance by automatically removing personal data prior to releasing information.