GDPR For Out of School Clubs Using Kids Club HQ
Disclaimer: The information provided in this article does not constitute advice and is not a comprehensive statement of GDPR obligations or ICO requirements on organisations.
Any decisions you make must be based on the GDPR and guidance given by the ICO https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
In the day to day running of your out of school club, you will be handling "Personal Information" relating to Parents, Carers, Children, Staff, Volunteers etc… and you have a legal duty to keep that information secure. This applies to whether you store the information digitally or on paper.
The General Data Protection Regulations (GDPR) come into force on 25th May 2018 and these regulations place new obligations on organisations that process personal information. Detailed guidance is available on the Information Commissioners website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
If you already use Kids Club HQ then it’s likely that most of the information you hold will be stored digitaly on our secure platform.
Whilst Kids Club HQ systems are secure, there are some things you need to check to minimise the risk of data breach or loss of paper or digital data from your premises or via your session leaders. For example:
- Keep personal data in locked cabinets with limited access (maybe record who accessed it and when).
- Have strong passwords on all; phones, laptops, tablets, terminals and servers used to access personal data.
- Encourage Staff, Session leaders and Parents/Carers to password lock their; phone, tablet and laptop as well as having a strong password to access Kids Club HQ (and your own systems if they contain personal information).
- Set terminals, laptops etc… to close screens and require fresh login if unattended for a specified period of time.
- Do not position screens where they can easily be overlooked
- Consider access control to your premises and/or the room(s) where these systems are used.
- Reduce the data you collect and hold to the minimum needed to provide your services whilst complying with Ofsted rules.
- Ensure that your staff and volunteers only have access to the information they need to do their job.
Your Organisation will be the point of contact for individuals using your services should they wish to: obtain a copy, amend or delete personal information relating to themselves or their children.
Kids Club HQ provides the platform for your digital interaction with your customers, we do not anticipate being directly approached by your customers for these actions but the Kids Club HQ system will provide you with the tools to discharge these duties securely online.
- Provide Kids Club HQ with your latest Privacy Notice (updated for GDPR as necessary) This will be included into Kids Club HQ booking system and we will add a "positive consent" tick-box for when new customers register.
- Advise Kids Club HQ who to contact in the event of a data breach. If your organisation has a Data Protection Officer then that is the person we should contact.
GDPR Compliance Preparations Quickcheck
The following may help you towards compliance with GDPR as it is likely to affect Kids Club HQ clubs with less than 250 employees. It follows the headings used by ICO guidance.
You may want to set up a directory on your system or paper folder to hold a record of the activities you undertake to demonstrate compliance.
Awareness - advise all of your officers, employees and volunteers of the GDPR deadline and requirements.
Information Audit – record; What information you hold, Where it is obtained, Who you share it with.
Privacy Notice – state: Who you are, How you will use the information you collect, Who you share it with, obtain Positive Consent to collection and processing of data.
Individual Rights – to be informed of processing activities (online via your Privacy Notice on Kids Club HQ), access to data (online via Kids Club HQ), rectification of incorrect data (update online via Kids Club HQ), Erasure of data (update online via Kids Club HQ). Note: you may need to keep some data 3-5 years or more for; HMRC purposes, Personnel records, Incidents and Attendance.
Subject Access Request (SAR) – If you are only holding information that your customer provided, you may not need to supply a copy of the information they already have. If you hold additional information, you have only one month to comply with a request for a copy of personal data held. You may not charge unless requests are frequent or unreasonable.
Lawful Basis – normally you will obtain "Positive Consent" to collect and process personal data as stated in your Privacy Notice (online via Kids Club HQ).
Consent - normally you will obtain Positive Consent to your Privacy Notice (online via Kids Club HQ) Note: subject must tick an empty check-box for their consent to be "positive".
Children's Consent – the Kids Club HQ booking system is for Parents and Carers to make bookings. Kids Club HQ does not allow for children to provide consent (GDPR proposes that consent may be given by children 13 years old for services provided directly to children).
Data Breach – ICO must be informed within 72 hours of a data breach which could result in; discrimination, reputational damage, financial loss, loss of confidentiality or economic or social advantage. You must monitor for breaches and have a procedure for informing ICO and parties you share information with (e.g. Kids Club HQ) and the Subject if it is a serious breach.
Data Protection by Design – Kids Club HQ designs its systems to be secure. You need to ensure that any digital or paper personal records you hold are kept secure.
Data Protection Officer (DPO) – it is unlikely you will need to appoint one unless you are a public authority or have over 250 employees.
International – Kids Club HQ keeps it's processing and storage activities within the EU. You will need to consider whether any of your processing activities (e.g. payment systems) are undertaken outside the EU and if so ensure they comply with the GDPR.