Data Protection Policy

Since 2008, childminders in England have been expected to keep more detailed records about individual children’s development as part of the Early Years Foundation Stage. It is more than likely that, if these are kept on a computer, I will need to notify as a Data Controller with the ICO.

The notification costs £35 a year and I can either complete the notification form online at or request a draft notification form based on the nature of the business by calling the Notification Helpline on 01625 545740.  There is a template specifically for childminders (N943) which will be listed under ‘services’.

The Data Protection Act 1998 defines the rules which protect the personal data of an individual.  As a childminder I need to be aware of regulations which apply to keeping information on children or parents.

The Information Commissioner’s Office (ICO) is the UK’s independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.  The ICO enforces and oversees the Data Protection Act.

Notification is a legal requirement and all businesses (including childminders) who are processing personal information must notify, unless exempt.  If a childminder processes personal information electronically for the provision of childcare, notification is necessary.

If records are kept on paper I will not need to notify; however, I am still obliged to comply with the Data Protection Act.

If I keep only basic personal information such as names and addresses of children and parents for the purpose of billing the parent to ensure that necessary payments are made, I will not be required to notify.

If I keep more extensive records, or information of a more sensitive nature, for example, about children’s health, behaviour or development, on a computer then I will be required to notify.

Processing personal information also includes taking photographs of the children in my care using a digital camera.  Therefore, if I am going to be carrying out this activity, I will be required to notify.

I can protect myself by never giving out:

  • personal information or financial details
  • details of the children I care for, even if the caller claims to be from Ofsted, unless I have contacted Ofsted myself using their main telephone numbers.

The Data Protection Act contains eight ‘data protection principles’.  These specify that personal data must be:

  1. Processed fairly and lawfully
  2. Obtained for specified and lawful purposes
  3. Adequate, relevant and not excessive
  4. Accurate and up-to-date
  5. Not kept any longer than necessary
  6. Processed in accordance with the data subject’s (the individual’s) rights
  7. Securely kept (for example, password-protected for data held in a computer file, under lock and key for paper records)
  8. Not transferred to any other country without adequate protection in situ.

When handling, collecting, processing or storing personal data, I will ensure that:

  • All personal data is accurate and up-to-date
  • Errors are corrected effectively and promptly
  • The data is securely destroyed (shredded) when it is no longer needed
  • The personal data is kept secure at all times
  • The Data Protection Act is considered when setting up new systems or when considering use of the data for a new purpose (note that this may affect the existing registration with the ICO).
  • Written contracts are used when external bodies process/handle the data explicitly specifying the above requirements with respect to the data (contracts can be purchased at

It is equally important NOT to:

  • Process personal data that I do not need for my work
  • Use the data for any purpose it was not explicitly obtained for
  • Process data that is inaccurate
  • Store/process/handle sensitive personal data (see below) unless I have the individual’s explicit consent or I can meet a condition listed in Schedule 3 of the Data Protection Act.

Policy Created – 14.1.18
Reviewed Date – 1.1.2022