We've been receiving many enquiries about the GDPR and out of school clubs, so we have listed the most commonly asked ones here.
- Do I need to get the parents' permission to contact them?
- Do I need to get parents to confirm that they have read our privacy notice?
- So why is there a confirmation section in your template privacy notice?
- Will the ICO hit me with a huge fine if I get something wrong?
- What lawful processing condition do I need to use for DBS checks?
- Can I still let parents sign their children out?
Do I need to get the parents' permission to contact them?
No, you don't. Under the GDPR your lawful basis for processing (i.e. using) their data is 'performance of a contract'. In other words, because you already have an ongoing relationship with them as a customer of your services, you don't need to separately ask their permission to use their data, including contacting them.
However, this lawful basis only applies so long as you are using their data for the purpose of providing the agreed service (childcare). You cannot use their email address to contact them about something totally unrelated to your business relationship with them, unless they give you permission. So you can email parents to tell them about your new opening hours next term, or about a planned outing, or that you're collecting cardboard boxes for an activity at the club; you can't email them to tell them about the fab new softplay centre that your friend is opening, or to invite them to your BodyShop party.
If you want to be able to contact parents about other matters beyond your business relationship, then you would need to get their permission in advance. If you think this is something that you will want to be able to do, you just need to add a separate, explicit checkbox to this effect on your registration form, or standard permissions form, or similar, so that parents can actively opt in to receiving communications about other topics from you.
Do I need to get parents to confirm that they have read our privacy notice?
No, this is not a requirement of the GDPR. For new customers, you need to ensure that they are aware of your privacy notice at the point at which they first give you their personal data. If you use online registration, you could include a prominent link to your privacy notice at the start of the registration form. If you use paper registration forms, you could include a paper copy of the privacy notice in with the bundle of registration documents that you give to new parents.
For existing customers, you just need to make them aware that you have a new (or updated) privacy notice. This could be via a link or an attachment in an email message, or as a paper copy given out when they collect their children, or similar. It's not enough just to add it to your website and wait for people to find it; you do need to actively inform your existing customers.
So why is there a confirmation section in your template privacy notice?
We included the confirmation section at the end of our template privacy notice in case you, as a business, wanted to be able to prove at a future date that a parent had seen the privacy notice. This is not a GDPR requirement, but might be useful for your internal processes. If you don't want to include this, you can just delete it.
As it seems to have caused some confusion, and was only included to be helpful, we have removed the confirmation section from more recent versions of our template privacy notice.
Will the ICO hit me with a huge fine if I get something wrong?
Almost certainly not. The ICO has publicly stated that for the first year at least, they will be taking an advisory rather than a punitive approach to any organisations that are found to be not fully compliant with the GDPR. If they find that an organisation's processes or documentation aren't entirely up to scratch, they will be working with them to help them get things right, rather than prosecuting them.
What they want to see is that all organisations that process personal data are aware of their responsibilities under GDPR and are doing their best to meet the requirements. They won't be coming down on you like a ton of bricks if your paperwork isn't quite correct. Obviously if you are flagrantly and deliberately ignoring data protection regulations that is a different story!
What lawful processing condition should I use for DBS checks?
Some organisations that provide DBS checks (for example TMG) are asking applicants to specify what 'lawful processing condition' applies to their DBS disclosure application. As it is a legal requirement for (almost all) staff who work at an out of school club to have an enhanced DBS check, the 'lawful processing condition' in this instance is 'legal obligation'.
Can I still let parents sign their children out?
We had so many queries from people asking whether it was still OK to let parents use sign-out sheets, as those sheets contained the names of other children, that we contacted the ICO to ask them. They confirmed that whilst a name on a sheet was, very strictly speaking, personal data, the use of typical sign-in or sign-out sheets was not an area in which they would have any data protection concerns. Their opinion was that the use of sign-out sheets was a very common and very well understood practice, and parents could not be surprised that you were using their or their child's data in this fashion. Obviously you still need to keep the sign-out sheet secure - in the sense of preventing anyone from walking off with it, or taking a photograph of it, as well as keeping old sign-out sheets somewhere safe.
The only circumstance in which there would be an issue would be if you had been notified about a safeguarding concern regarding a child which meant that their name (or their parent's name) should not be seen by other parents. In this situation you would need to come up with an alternative method for the parent or carer to sign the child out - for example, by getting them to sign out on a separate sheet, or using just initials for the child on the public sheet, etc.