Latest News

How should early years providers respond to requests to access personal data?

What is classed as personal data?

Personal data is defined as any information, in any form, which could be used to identify an individual. An individual’s rights include the right to ask a company to delete or stop using, update or correct, or provide copies of, their personal data.

The most commonly exercised right is the right to make a data subject access request (SAR), which means a request for copies of an individual’s personal data held by an organisation. The information held by early years care providers such as the contact details of parents and children, as well as specific details relating to the care of a child, are likely to amount to personal data.

SARs can be made verbally, or in writing (including via social media). Older children who understand their rights can make SARs, but SARs made in respect of pre-school children must be made by a parent or guardian.

You must respond to a SAR within one month. In most cases, organisations cannot charge a fee.

Are there any exemptions?

Some personal data is exempt from a SAR, and in such cases a provider may refuse to disclose all or some of the requested information, depending on the circumstances. For early years care providers, the most common exemption is when disclosing information would identify another individual. This means that such data must be withheld, or redacted.

Another exemption is where there are concerns around safeguarding or child protection. Data relating to such concerns can be withheld even from parents and guardians if doing so is in the best interests of the child.

What if a provider does not comply?

The Information Commissioner’s Office may take action against a controller or processor if they fail to comply with a SAR.

For more advice, contact Rhys ap Gwent on 01792 277857 or [email protected]