It struck us the other day, as we were moving carefully sealed boxes of records from our office space, that event organisers well versed in GDPR may not be aware of their duty of care to the records they, or their childcare provider, are allowed to record and/or keep when it comes to children.
The ICO (Information Commissioner’s Office) explains that “children have the same rights as adults over their personal data”. While you are entitled to capture personal data of children, there are additional obligations. The ICO provides a clear guide to ‘Children and the GDPR’ which I recommend reading.
As an event organiser, whether running a creche, Stay & Play, Entertainment or Lost Child Points your (or your childcare provider’s) obligations include:
• Being clear about why you are keeping records about children, how long you need to keep them and your policy for destroying data when this period ends.
• Carefully compiling, labelling and securely storing all information (e.g. encryption & password) with access limited to a ‘need to know’ basis.
• Ensuring only DBS checked individuals have access to the files – including operational staff transporting them.
• Keeping a log of who and when people have accessed confidential files.
• Informing individuals about what information you hold about them, why you need it, how it is stored, when it will be deleted, who you might share the information with, highlight any risks and the safeguards you have put in place, let them know their right to erase and the process to do this and to provide a contact person.
• Presenting information in a clear, age-appropriate way.
• Ensuring your privacy policy is written to educate the child about their need to protect their personal data.
Those final two points are of particular note because “A child may exercise [their] rights on their own behalf as long as they are competent to do so”.
While Scotland is clear that children aged 12 or over are ‘competent to do so, in England. Wales and Northern Ireland competence is assessed on level of understanding. Therefore, regardless of whether a parent is providing consent for their child’s data to be processed or whether they are providing their own consent, you are required to provide clear and accessible information to both the adult and the child.
The crux of the matter is that a childcare provider needs to be transparent in the data they hold, how they store it and the records they keep. They not only need to be secure, contained and only accessible by authorised team members, but written in such a way that a child can understand and, of course, available to ensure a child’s needs are properly met while at creche.
Which brings me back to my opener where the team were carefully transporting our records to our latest conference… as an event organiser you not only need to be safe in the knowledge that your childcare provider is doing all of the above without you needing any touch point on the data, but you need to partner with a company that is transparent in how it does so.
Compliance isn’t just a legal obligation, it’s about respect, safeguarding and the rights of the children we look after. In the same way that creating a safe environment for children at your event is not just about hiring a provider, it’s about partnering with the right provider.
