If you're a self-employed childminder, GDPR probably isn't something you think about often. You're busy caring for children, managing parents' schedules, and keeping Ofsted happy. Data protection legislation might feel like something designed for large companies with legal teams — not for someone running a small childcare business from home.
But childminders collect some of the most sensitive personal data there is: health information about children, home addresses, medical conditions, and details about vulnerable families. That's precisely why GDPR applies to you, and precisely why getting it right matters.
This guide is designed to make GDPR straightforward for childminders. No legal jargon. Just practical steps you can actually implement.
What Data Do Childminders Collect?
Before thinking about compliance, it helps to understand what you're dealing with. As a childminder, you typically hold:
Basic identifying information:
- Child's full name and date of birth
- Home address
- Parental contact details (phone numbers, email addresses)
- Names and contact details of authorised adults who can collect the child
- Emergency contact information
Health and medical information:
- Allergies (including severity and action plans)
- Medical conditions (asthma, diabetes, epilepsy, etc.)
- Medication requirements and administration records
- Dietary requirements, including those linked to medical or religious needs
- GP and health visitor details
Safeguarding and operational records:
- Observation notes and learning journals
- Accident and incident forms
- Attendance records
- Ofsted registration details
- Any concerns or referrals made to safeguarding services
Some of this is straightforward personal data. But health information — allergies, medical conditions, dietary requirements linked to health — falls into a special category under GDPR Article 9. Special category data carries stricter rules because of its sensitivity.
Your Lawful Basis for Processing
GDPR requires you to have a legal reason — a "lawful basis" — for processing personal data. For childminders, you'll typically rely on three:
1. Contract with Parents
When a family signs a childcare agreement with you, you have a lawful basis to process the data necessary to fulfil that contract. This covers names, contact details, attendance records, and most of the administrative information you need to do your job.
2. Legal Obligation
Certain data processing is required by law — specifically your safeguarding duties as an Ofsted-registered childminder. If you have a safeguarding concern and need to make a referral, you're processing data under a legal obligation. This also applies to maintaining accident records, which Ofsted expects to see.
3. Explicit Consent for Health Data
For special category data like health information and medical conditions, you generally need explicit consent from parents or guardians. This means written, informed consent — not a checkbox buried in a three-page contract. Parents need to understand what health information you're collecting, why you need it, and how it will be used.
In practice, your registration forms should include a clear section where parents provide explicit consent for you to hold and process health and medical information about their child.
ICO Registration: A Legal Requirement for Most Childminders
One of the most commonly overlooked compliance requirements for childminders is ICO registration. The Information Commissioner's Office (ICO) is the UK's data protection regulator, and most childminders are legally required to register with them.
The exemption you might be thinking of only applies to organisations that process personal data solely for personal, family, or household purposes — which doesn't apply to childminders running a business.
ICO registration costs a small annual fee (currently £40 for most small businesses). You can register at ico.org.uk, and the process takes around 15 minutes. Failure to register when required is a criminal offence, so this is one compliance step you shouldn't skip.
If you're unsure whether you need to register, the ICO has an online self-assessment tool that will tell you definitively.
Keeping Written Records
Childminders are expected to keep a range of written records, both for Ofsted purposes and good practice:
Observation notes and learning journals document a child's development and progress. These are personal data and should be kept securely — ideally in a locked filing cabinet or password-protected digital folder. Parents have the right to see records about their child, so be prepared to share these on request.
Accident and incident forms must be completed whenever a child is injured or involved in a significant incident in your care. Parents should sign these to confirm they've been informed. Keep copies securely — you may need them for insurance purposes or an Ofsted inspection.
Daily attendance records help you demonstrate your working hours for tax purposes and provide an audit trail if questions arise.
Digital Learning Journals and Apps
Many childminders now use digital platforms like Tapestry, Learning Stories, or Famly to share observations and updates with parents. These are convenient, but they come with data protection considerations:
- Check the provider's GDPR compliance before using any app. Look for a privacy policy that explains how data is stored, whether it's processed outside the UK or EU, and what security measures are in place.
- You may need a data processing agreement with the app provider, as they will be processing personal data on your behalf.
- Parents should be informed that you use a third-party platform and what data is shared on it.
- Don't over-share — only upload photos and observations relevant to that child's care. Avoid sharing images that include other children without their parents' consent.
Safeguarding Records and Special Retention Rules
Safeguarding records deserve special attention. If you've ever had a concern about a child's welfare — whether or not you made a formal referral — those records need to be kept for longer than standard childcare records.
Standard records (registration forms, attendance, observations): typically keep until the child turns 21, or for a minimum of three years after they leave your care — whichever is longer.
Safeguarding records: keep until the child turns 25, or for 10 years after the last entry — again, whichever is longer. This extended retention exists because safeguarding concerns from childhood may only come to light years later.
These retention periods override any general GDPR principle about not keeping data longer than necessary. Your legal obligation to support safeguarding investigations takes precedence.
When records are no longer needed, dispose of them securely — shred paper records and permanently delete digital files.
Sharing Information: Schools, Health Visitors, and Other Professionals
As a childminder, you'll sometimes need to share information about the children in your care with other professionals — teachers, health visitors, speech therapists, or social workers.
With consent: For most routine sharing (such as transition reports to nurseries or schools), you should have parents' prior consent. Include this in your registration forms: a clear statement that you may share developmental information with other childcare or education providers with parents' agreement.
Without consent — safeguarding: If you have a safeguarding concern, you may share information without parental consent if doing so is necessary to protect a child's welfare. The child's safety takes priority over data protection. However, document your decision and the reasons for it.
What to share: Apply the principle of data minimisation — share only what the recipient needs for the specific purpose. Don't send a child's full medical history to a teacher when all they need to know is that the child has a nut allergy.
Marketing Your Services: Social Media and Finding New Clients
Childminders often use social media to market their services and attract new families. GDPR doesn't stop you from doing this, but a few rules apply:
Photos of children: Never post photos of children in your care on social media without explicit written consent from their parents. Even then, think carefully — parents may consent initially and change their mind.
Parent testimonials: If you want to share reviews or quotes from parents, get written permission first.
Your own website: If you have a childminding website that collects enquiry forms or uses cookies, you'll need a privacy policy and possibly a cookie consent banner. Tools like Custodia can scan your website and identify what data it's collecting.
Email enquiries: When prospective parents email you, you can use their contact details to respond. If you want to add them to a mailing list, you'll need their consent.
Your Privacy Notice
Every childminder who processes personal data should have a privacy notice — a clear, readable document that explains to parents:
- What information you collect about their child
- Why you collect it and what lawful basis you're relying on
- How long you keep it
- Who you might share it with
- Parents' rights (to access, correct, or request deletion of their data)
- How to make a complaint to the ICO
You don't need a lawyer to write this — it just needs to be honest, accurate, and written in plain English.
GDPR Compliance Checklist for Childminders
Registration and legal obligations:
- [ ] Registered with the ICO (or confirmed you're exempt)
- [ ] Privacy notice written and shared with all families
Data you hold:
- [ ] Registration forms collect only necessary information
- [ ] Explicit written consent for health and medical data
- [ ] Explicit written consent for photos and social media
- [ ] Consent for sharing data with schools and other professionals
Security:
- [ ] Paper records stored in a locked cabinet
- [ ] Digital records password-protected or encrypted
- [ ] Device screen lock enabled (phone, tablet, laptop)
- [ ] Digital learning journals — provider's GDPR compliance checked
Records management:
- [ ] Retention schedule in place (standard and safeguarding records)
- [ ] Secure disposal process for records no longer needed
- [ ] Accident and incident forms signed by parents
Ongoing:
- [ ] New families provided with privacy notice on registration
- [ ] Data reviewed periodically and updated as needed
- [ ] Website privacy policy in place (if you have a website)
You Don't Have to Get It Perfect Overnight
GDPR compliance isn't about achieving perfection on day one. The ICO is primarily concerned with whether you've made a genuine effort to understand your obligations and put reasonable measures in place.
Start with the checklist above. Sort ICO registration if you haven't already. Update your registration forms to include explicit consent for health data. Write a simple privacy notice.
And if you have a website, scan it for free with Custodia to check what data it's collecting and whether you need to take further steps.
This guide provides general information about GDPR as it applies to childminders in the UK. It does not constitute legal advice. Your specific obligations depend on your individual circumstances. For advice tailored to your situation, consult a qualified data protection professional or contact the ICO's helpline.