The new General Data Protection Regulations (GDPR) to be introduced next month could mean unexpected costs for early years providers, according to the Alliance.
The Information Commissioner’s Office (ICO), the body responsible for enforcing GDPR, has confirmed to the Alliance that it will regard anyone either actively using or storing electronic data as a ‘data controller’ under the new law. This means that childcare providers are subject to ICO's annual registration fee for as long as they do so.
ICO registration fees are set to be split into three tiers, based on annual turnover or the number of employees an organisation has.
For tier 1 organisations, with a maximum turnover of up to £632,000 or with fewer than 10 employees, the proposed fee is £40 a year.
This rises to £60 per year for small or medium organisations with a maximum turnover of £36 million or fewer than 250 members of staff, and £2,900 for large organisations.
Many insurance companies recommend that childcare providers store some data, such as accident logs and safeguarding notes, for up to 21 years, until a child turns 21 years and three months, and later in some cases, such as child protection, special educational needs and disabilities (SEND) records, health care plans and safeguarding documents.
This means that early years providers storing data electronically may have to continue to pay an annual ICO registration fee even after they have left the profession or retired.
The ICO confirmed that providers with securely stored, paper-based records that are not intended to be uploaded to a computer will not be subject to registration fees.
A spokesperson for the ICO said guidance to assist organisations in securing the personal data they hold will be produced as the ICO works to update existing guidance to reflect new GDPR provisions.
Melanie Pilcher, the Pre-school Learning Alliance’s quality and standards manager, said, ‘It’s positive to have secured this confirmation from the ICO because we know that many childminders and smaller providers have been seeking clarity on this issue for months. That said, we’re clear that an exemption recognising the unique position childcare providers are in would have been a more effective response than the sticking plaster that this compromise represents.
‘There’s no doubt that the most secure and efficient way for providers to store data is electronically and so it’s disappointing that the ICO cannot ensure the GDPR makes a provision for that. The ICO’s compromise – to ensure that records are paper-based, securely-stored and not uploaded to a computer - may mean providers don’t have to pay a registration fee but could leave some storing reams upon reams of paper.’
Sarah Neville of Knutsford Childminding, who first raised the issue with the Alliance, said that she was concerned that the length of time insurers recommend that providers keep some records could mean digital media would be inaccessible. She also pointed out that providers could have been retired for several years.
While it was reassuring that providers would not have to pay for storing paper records, she added, this was only 'for those providers who have unlimited printer ink, don’t use digital systems and are happy to keep storage boxes full of paperwork in cupboards or lofts for years to come.
‘However, please spare a thought for those providers who are using online systems, believing themselves to be “paperless” and “eco-friendly” and who will now be forced to spend hours printing – or, of course, continue paying ICO in perpetuity.’
An ICO spokesperson said, ‘GDPR doesn’t represent a change from the position under the Data Protection Act where early years provider data protection fees are concerned. As data controllers, early years providers still have to comply with the law and should still pay a fee to the ICO if they continue to hold children’s records in electronic form.
‘They should consider how long is an appropriate period to retain the records for and, if they are retaining records, should ensure they are kept appropriately secure and that parents are made aware that records will be held. The exemption for paper-based records is set out in the current law, as well as in the new law, and was agreed by Parliament, not the ICO.’