General Data Protection Regulation (GDPR)

Information about the General Data Protection Regulation (GDPR). Please note: You will have to login to view this content.

GDPR - Policies and Procedures User Guide

GDPR - Key Terms

GDPR - Raising Awareness in your Service

GDPR - Privacy Rights

GDPR – Access Requests

GDPR - Communicating privacy information

GDPR - Legal basis for processing data and consent

GDPR - Data Breaches

GDPR - Case Studies

Communications with staff – 28 August 2018

Case Study: 
A new staff member has joined your service and is about to start their induction training. As a member of the team in the ECCE room, they will have access to a certain level of personal data relating to the children. They have also provided their own personal data as an employee, for example their bank details, their address etc. You want to ensure that they understand the service’s data protection policies and procedures.


What should I do: 
You provide the new staff member with the following documents as part of their induction pack:

  • Personal Data Protection Policy – This policy will inform the staff member about the service’s process for handling personal data of parents, children, supplies and other individuals. It will outline their responsibilities as an employee when handling this personal data.
  • Employee Data Protection Policy – This policy will inform the staff member how you, as the employer, will manage personal data relating to staff.
  • Privacy Notice for Parents – This notice will explain what personal information is collected from parents and children, why it is collected, how it is used and how it is protected.
  • Privacy Notice for Employees – This notice will explain what personal information is collected from staff members, why it is collected, how it is used and how it is protected.

You also ask the staff member to complete ECI’s 40-minute online training as part of their induction programme. You file the certificate with the certificates of the other staff members to show the new staff member has also completed the training.

During the new staff member’s tour of the building, you highlight the importance of ensuring that personal data is locked away. In each room, you keep a folder of important information relating to the children in that room, for example contact details of parents and details of any allergies or medical conditions. This personal data is always kept in a locked cupboard to ensure it is kept safe at all times.

You let the staff member know that if they notice that any personal data in the service is lost or compromised, they should let you know as soon as possible so that you, as the owner/manager can implement the Data Breach Procedure.

All staff members know that they can ask questions in relation to the service’s data protection policies or procedures at any stage.




Communications with parents – 20 August 2018

Case Study: It’s September and the new term has just begun. As part of the Induction Pack for new children and parents, you have provided all policies and procedures relating to your service. This pack also includes all policies and procedures relating to the General Data Protection Regulation (“GDPR”). Over the summer, you spent some time brushing up on your obligations under GDPR. The Induction Pack includes the Data Protection Policy as well as the Privacy Notice for Parents. You downloaded these documents from Early Childhood Ireland’s website and amended them to ensure they were applicable to your service. You presented parents with your Privacy Notice, so they are informed about what personal data and sensitive personal data you collect about their child. The Privacy Notice informs them why you collect this data, who you share it with, where it is processed, how long you keep the data for and what their rights are in relation to the data. As part of the registration process, all parents have completed an up to date Child Record Form which includes a section on consents as you know that Consent is a key principle of GDPR.

In November, a parent approaches you and requests that you provide all information that you hold in relation to their child. You are unsure of what to do.


What should I do: Recital 63 of the GDPR states that “a data subject should have the right of access to personal data which has been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

Knowing this information, you consult your “Data Subject Access Request Procedure” (template available from Early Childhood Ireland’s website). You direct the parent to complete the “Data Subject Access Request Form” as this is the first step to ensure you have sufficient information to be able to respond to the request. According to GDPR, you know that you must respond to a data subject access request within 30 days. The parent submits the request form to you and you send them an acknowledgement of their form.

You think about the areas in which you hold the child’s personal data;
– Their child record form
– Any accident or incident that may have occurred during the child’s time in your service will mean that there will be an accident or incident form on the child
– Photographs
– Sleep Logs or Nappy Logs
– Attendance Record
– Observations on the child

You gather all the applicable information together in one place. If there is any personal data relating to other children, you ensure that this is removed from the documents. In the attendance record, you blacken out the lines which contain the names of other children. The parent has specified that they would like to receive the information by post. You send the documents to the parent by registered post to ensure that the information is transferred securely.

Once this final step is completed, you archive the subject access request form and the matter is considered complete.




Policies and Procedures – 14 August 2018

Case Study: It’s summer time and you are preparing for September. A few months ago, you heard about the General Data Protection Regulation (“GDPR”) which came into effect on 25 May 2018. You wondered whether this could have an impact on your service as you know that your service holds lots of personal details about children and parents. You are a member of Early Childhood Ireland and know that they have supports available for members like you to help you to comply with GDPR. You decide to investigate the matter further.


What should I do: On Early Childhood Ireland’s website, you go to the GDPR page where the template policies and procedures are available for free to download. Each template has a brief explanation to show what the purpose of it is. You download all the template policies and procedures and update them so that they include the name of your service. You make amendments to the policies to ensure they are applicable to your service. You include copies of the Data Protection Policy, Data Retention Policy, the Data Subject Access Request Procedure and the Privacy Notice for Parents in the pack of policies that you will distribute to parents of new children starting in September. You also distribute copies of the Employee Privacy Notice and Employee Data Protection Policy to staff so that they understand how you will manage and protect their own personal data.



Training – 14 August 2018

Case Study: Your staff team is preparing for the return of children in September. All staff have access to different amounts of personal data related to the children, for example, their address, parents phone numbers, details of any medical conditions etc. You would like staff to understand the importance of holding the personal data of children in order to ensure that this personal data is protected.

What should I do: Article 39 of the GDPR outlines that staff awareness raising and training is required. Having your staff trained will mean that the risk of a breach will be reduced. It is also important to document that employees have been trained so that if a breach does occur, you can prove that you took appropriate steps to prevent a data breach from occurring. Early Childhood Ireland offers online training for both Owner/Managers and staff. The training consists of a 40-minute module. The first 30 minutes covers the general principles of GDPR and your obligations under the regulations. The last 10 minutes covers a sector specific example of a childcare setting. Once the course is completed, employees receive a certificate of completion. You, as the employer, can hold these certificates on file.

Site maintained and developed by Cloud Nine