The ICO is the Information Commissioner’s Office. You need to register with the ICO as part of GDPR and, depending on the way you store the personal information you collect, may already be registered with them. Find out more about them here

Yes, there is a fee for registering with the ICO. You can find more information about this from the ICO in their fee guide. If you have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff, the fee is £40. 

Additionally, in terms of current registration requirements, if a childminder (or any other data controller) has absolutely no electronic processing of personal data for their business then they would not need to register.  Remember that would mean not only no computer, but no smartphone, social media or digital camera too.   Even where a childminder may not need to register, they will of course need to continue to comply with the data protection act. If you are unsure please do call the ICO helpline (0303 123 1113) and select the option for ‘Registration’ where expert colleagues will be happy to help.

GDPR is the ‘General Data Protection Regulation’. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR) and is designed to improve upon and strengthen the way in which you process personal data

When not being used, all paper files should be kept securely in a lockable cupboard and always kept locked, with the keys securely stored.

You’re using data whenever you collect or use information about a child. For example, filling out accident forms, recording activities or completing your daily register. You need to assess your setting and understand how and where you use, gather and process data. Our data audit template will help, which can be found within the GDPR practice guide 

• Encrypt your computer, laptops and USB sticks
• Always use secure passwords, with upper/lower case letters, digits and special characters (e.g. £$%&*)
• Always keep your anti-virus software up to date
• Make sure any laptop, computer or mobile phone/tablet has auto lock enabled after one minute of no use.

Find further support on PACEY’s GDPR practice guide and support video in MyPACEY

The ICO also has support specifically about encryption of your devices.

If you use a family computer, make sure you have a separate log in for your work which should be securely password protected. The computer should also be encrypted.

Delete files once the use for those files has been fulfilled. You should also delete any information from your computer ‘recycle bin’ or ‘trash’. If in paper form, use a cross-cut shredder to dispose of the paperwork safely. Consider having a “data cleanse” day on a quarterly basis.

You will need to contact any third party suppliers of any online systems or apps that you use and make sure they are complying with GDPR and have their own processes in place.

• A privacy/confidentiality policy
• Communication preferences document (if you’re using direct marketing)
• A process for reporting and investigating security incidents
• A process for dealing with subject access requests
• Staff training – if you are a childminder, childminding assistant, nanny or nursery, all staff should undergo induction training and renew training every two years
• Retention of data policy.

You will need to make sure that you have a data protection policy in place with parents, as well as a sample privacy notice to tell parents about the changes, the reasons why you collect data, and what you do with their data.

Download PACEY’s sample data protection policy, sample privacy notice and confidentiality policy in MyPACEY.

You need to make sure you have procedures and policies in place to demonstrate that you have done everything you can to prevent the situation from arising and data being compromised as a result. Take a look at ealier questions for more support.

If you do not comply with these changes, the ICO can issue warnings and fines.

• Data Protection Policy – use this policy as a template for your setting and give to all parents to sign and date. You can regularly review your policies if changes are made 
• Confidentiality Policy – if you are a practitioner in Wales, there will be specific support for you within this policy
• GDPR practice guide – this practice guide will consider areas of best practice when processing data in line with GDPR and it also includes a data audit template
• Sample privacy notice – use this template to tell parents the reasons why you need to collect data, and what you do with the data you have
• Communications preferences template – use this to collect data from parents, and regularly review personal data to make sure it is relevant and necessary

You collect and process data on contracts, child record forms and similar in order to provide the services requested by parents. Under your existing data protection and confidentiality good practice, you won’t be sharing information unless you are required to do so by law or have the agreement of parents.

Use the GDPR resources that PACEY has produced including the sample privacy notice and the communications preferences template to help parents understand how they can obtain access to the information you hold about them, or alternatively, how they can request a copy if they are unable to obtain access.

We have had PACEY’s contracts assessed in detail by our legal team and they are fully compliant with the GDPR regulations. Using PACEY’s GDPR resources in conjunction with your contracts will help you meet the regulations.

If you are a childminder, childminding assistant, nanny or nursery, all staff should undergo induction training and renew training every two years.

The ICO has a full guidance on the use of cloud computing. You should also query this with your supplier and they will be able to support you.

There is no prescribed format for attendance registers. The requirement is that you need to be able to evidence the dates and times a child is with you and keep the data for as long as needed. PACEY would advise, along with the format of our own attendance register, that you have one child per page.

Retention of records is discussed in our record keeping practice guide.

Storing data including emails that contain personal information needs to be included in your audit process, i.e. what is the data, why do I need it, how is it received, who has access to it, how long do I keep it. Any personal data no-matter what format follows the same process.   

The GDPR practice guide talks about asking these questions, and safe deletion, and includes a data audit template. 

In this case, we would suggest looking at the record keeping practice guide for reference to photos, how to store, keep and use them on social media and build this in as part of the agreement with parents. Within the agreement, state that you will not use photos from the date that a parent revokes permissions and/or from the date a child leaves.

If you are still holding personal data electronically after you have retired from or stopped childminding, you will still need to be registered with the ICO. If however you are no longer holding the data electronically you will no longer need to be registered.

Please contact the ICO for more information on whether or nor you should still be registered with them.

Public Liability insurance is generally written on a “claims occurring basis”; this means that it will, in theory, meet claims arising from incidents which have that have occurred during the policy period irrespective of when the claim is made (which might be some years later).

As always, this is subject to policy wording and complying with notification requirements, and to the claimant having a valid and legally enforceable claim.

The claim may be made after the policy expires, subject to legal considerations (for example the time limits within the Limitation Act); however, cover should not be needed to be taken out after childminding has ended as no new claims can arise.

Some policies are issued on a “claims made basis” which means that cover needs to be in place when a claim is made. Professional liability policies are usually like that, but that should not affect your member. “Claims made” is the opposite of “claims occurring”.

You do not need to get in touch with the emergency contacts parents have nominated and let them know that you as a childminder, have their details. This responsibility lies with the parent who gave the emergency contact details.

We would suggest that you state this within your policy, stating that you will hold this information only during the time that the child linked to the emergency contact is in your care. Once leaving the setting the information held about the emergency contact will be destroyed. 

So long as you have consent of the person whose number you are passing on that’s fine.  Consent doesn’t have to be written, so long as the person has given a positive affirmation that’s what they want you to do.  Ideally keep a note of that consent, and that you shared the info, but take care not to record any unnecessary personal data.

With regards to registration the best way forward is to complete the self-assessment toolkit on ICO’s registration page to see whether you would need to register as a member.

The pages also provide a link to ICO’s registration helpline if you still feel unsure.

There is no requirement to keep ELI certificates for a certain time. PACEY would strongly recommend that they are kept forever just in case however having them electronically is fine.