When you run your own childminding business in the UK, certain laws relating to data protection will apply to you. These set out your obligations in relation to any personal data your business may handle. For ease of reading we’ll refer to them as “GDPR”.
The laws are complex, but the UK’s data protection regulator, the Information Commissioner’s Office (ICO) has excellent, readable guidance, including some specifically written for sole traders and small businesses. For a fuller picture, you should read the ICO guidance.
We've condensed all the guidance down to some key information that you need to know in the below guide.
Words and definitions
There are some terms with will crop up whenever we talk about data protection with which you should get familiar as a business owner. Here we go:
Personal data: This means any information about an individual. For example, this might be their name, contact details or age, or details about a child’s dietary requirements or learning progress. In the UK, certain laws apply when you handle personal data.
Processing: This means any activity you might do with that personal data. For example, when you create Learning Journal entries, or send emails relating to your business, you are “processing” the personal data featured in those entries or emails.
Data subject: This means the individual person to whom the personal data relates, i.e. the parent/guardian, or child.
Data controller: The “controller” is a business owner like you, responsible for determining what personal data is handled in the course of your business and the reasons or 'purposes' for which it its handled. When you handle data relating to parents and children, in providing your childminding services, you’re acting as a 'data controller'.
Data processor: The “processor” is a company who only handles data for the purposes of another controller, without decision-making powers of its own. For instance, if you store your emails online using Microsoft 365, you’re a controller of the personal data in those emails and Microsoft is the 'processor'.
Fitting that all together: you’re the controller of personal data which you handle for your business, like the details of children and families. tiney is also a data controller in relation to personal data which it handles for its own business (which again includes details of children and families, and also of you, the childminders).
Your responsibilities as a data controller
When you handle personal information in the course of your business, you are a 'data controller'. You have many duties as a controller, but we’ve set out the main ones below.
Registering with the ICO as a controller, and paying the applicable data protection fee.
This first one is easy! If you haven't done so already as part of your registration with tiney, just go to the ICO website, fill in their form, and pay your fee. It’s only £40 per year.
For more information, we've written a separate guide for registering with the ICO.
Knowing and documenting what personal data you hold
You should consider and document what personal you hold, where you get it from and where it goes (including where you store it, and who you share it with). You should consider:
Personal data relating to children under your care, and their families;
Personal data relating to your employees and workers (if applicable);
Personal data relating to other individuals with whom you deal in the course of your business – like suppliers, referrers, inspectors or local council members.
Detailed guidance is available from the ICO website, and they also have some useful templates you can use. You may also find it useful to look at the privacy notice attached to the standard tiney Childminding Agreement, which gives some examples of the sorts of processing activities we would normally expect a childminder to undertake.
This will give you the basic information you need to compile an “Article 30 record” – a summary document which you are required to maintain under Article 30 GDPR. Some of the other information for your Article 30 record will arise in the context of your other controller responsibilities discussed below. The Article 30 record must contain:
The name and contact details of your business.
The purposes of your processing.
A description of the categories of individuals and categories of personal data.
The categories of recipients of personal data (e.g. service providers, tiney).
Details of your transfers to third countries (more on this below).
Retention schedules (more on this below).
A description of your security measures (more on this below).
Here’s how tiney can help: to help get you started, we’ve put together example Article 30 Records which you can make a copy of and tailor to your business.
Identifying the lawful basis of processing
Under applicable law, a business is not allowed to accumulate personal data “just because”. You are only permitted to process data for particular purposes: there is a list of six permitted “lawful bases” and you need to identify which one applies to your processing. The ICO website has detailed guidance.
For most of your processing, the relevant lawful bases will likely be:
Performance of contract: For example, if you have agreed to provide childcare services to a parent, you will need to have some personal data relating to that parent to provide those services (e.g. their name and contact details).
Compliance with legal obligations: For example, if you are required by law to maintain certain records (like accident books, or childcare information for the purposes of EYFS).
Your legitimate business interests: For example, if you correspond with suppliers you have a business interest in keeping records of that correspondence.
Consent: For some kinds of especially sensitive personal data, like information relating to health, sexuality or religion, consent to processing may be required and then the lawful basis of processing will be consent.
Obtaining consent for processing where necessary
If no other lawful basis is available, you may need to obtain consent to your processing. The ICO website has detailed guidance.
As a childminder, you may receive a range of especially sensitive data (the legal term is “special category data”) for which consent is required.
Here’s how tiney can help: to help you make sure you’ve obtained that consent, the standard tiney Childminding Agreement includes a consent box for parents to complete.
Providing privacy notices to the relevant data subjects
It’s your responsibility as a data controller to make sure that you tell people, in clear language, what you do with their personal data (or, where you are processing data relating to young children, that you tell their parents). You can do this by a “privacy notice”. The ICO website has detailed guidance.
Here’s how tiney can help: to help make sure you’ve informed parents and families about the processing you might undertake in providing childminding services, the standard tiney Childminding Agreement already includes a standard privacy notice which should be suitable for most childminders.
Respecting data subject rights
Data subjects have certain rights in relation to their personal data, which they can exercise by written notice. These right include the right to request access to, or deletion of, personal data.
Here’s how tiney can help: we can help you manage data subject requests in relation to any personal data hosted in our platform. Just contact us via Messenger in the app, and we’ll let you know what we can do.
The ICO website has more, detailed guidance on data subject rights. This is a really complex area, but one of the most important things is to respond promptly.
Managing information security risks
You need to make sure that any personal data in your care is kept securely. The GDPR refers to “technical and operational” measures, which means you should take into consideration not just technical settings (like using secure passwords and two-factor authentication) but also “real world” measures (like locked filing cabinets, or ensuring your assistants have signed written obligations of confidentiality). Detailed guidance is available on the ICO website.
Here’s how tiney can help: personal data stored in the tiney platform is kept secure. We use only secure, accredited data centres, and have our own internal information security practices.
Managing data breaches
If you lose or disclosure personal data to a person or organisation who should not receive it, or your data is stolen, then that is a “data breach”.
You need to keep a record of any data breaches which happen relating to any personal data that you control. If the data breach is sufficiently severe, then you may also need to notify either the affected data subjects or the ICO. The ICO website has detailed guidance.
Ensuring your contracts with processors meet legal requirements
As a data controller, you need to make sure that when you appoint a data processor (i.e. someone who handles data solely on your behalf and for purposes you determine) your contract with them meets certain minimum legal requirements. The ICO website has detailed guidance. Many large-scale cloud service providers (e.g. Microsoft, Google, Amazon Web Services) will have those legal requirements built into their standard terms.
Here’s how tiney can help: To the extent that tiney acts as a data processor, we incorporate the legally-required terms in our standard terms of service.
If you send personal data overseas, you may also need to ensure that your contract with the recipient includes appropriate safeguards. Again, large-scale providers may have these requirements built into their standard terms. The ICO website has detailed guidance.
Some childminders use domestic CCTV systems) in the course of their business. Some of these are external-facing (like Ring doorbells) while others might be internal and monitor communal areas like play areas. Any images or videos featuring identifiable individuals (people) are personal data, and subject to all the obligations described above. In particular, you need to make sure that you’ve told people (and parents/guardians especially) where any cameras are used, what they are used for, and what you do with any images or footage.
You also need to be especially careful about security, and safeguarding risks, and you need to make sure you do not retain any images or footage longer than is absolutely necessary. The ICO has detailed guidance about what you need to do if you use CCTV in a domestic setting, and further guidance on what you need to do when you use CCTV in a small business setting. This is obviously an especially sensitive area which you should consider carefully, perhaps by taking specific advice on your proposed setup. As general points, though:
You will need to make and document an assessment setting out why you think you need CCTV, and the steps you’re taking to minimise impact on privacy (e.g. by switching off audio recording if visual recording alone is sufficient for your purposes, by ensuring filming takes place only in communal areas rather than private ones, by clearly making cameras visible rather than hidden, by posting notices, by making sure parents are fully informed or your use of CCTV, etc.). This is called a “legitimate interests assessment” under GDPR.
You will need to write a CCTV policy, which sets out your reasons for using CCTV, staff responsibilities and approval lines for sharing any footage, security measures you’ve taken to keep footage secure (e.g. not allowing it to be remotely accessed, and limiting access to relevant workers, keeping it encrypted or password-protected, etc.), and how long you will keep footage. The ICO guidance may help you write this policy.
You should minimise the amount of footage created, and keep footage for no longer than is necessary for its intended purposes; and
While parental consent is not necessarily required by law, you should make sure you have specifically drawn all parents’ attention to the use of CCTV at your nursery, and made all children aware of the cameras as well