Nannies and the GDPR

GDPR – General Data Protection Regulation – applies as of the 25 May 2018 across the EU, to information concerning any citizen of the EU. It replaces the Data Protection Act and is designed to be ‘technology neutral’. This means it applies to both paper and electronic records, and any other futuristic ways we have of storing data. It also goes further than the Data Protection Act. We have been in close contact with the ICO about the specific requirements relating to nannies and the GDPR, for both employed and self-employed nannies.

For the time being we are deliberately erring on the side of caution with regard to nannies and the GDPR. We believe it is better to be safe and hold personal information securely, particularly when it concerns people as vulnerable as children.

What data do you hold?

As part of your GDPR preparation it is a good idea to construct a data register. This may include:

  • Children’s and parents’ names
  • Children’s dates of birth
  • Parents’ contact details
  • Parents’ employment/professional details
  • Contact details for other family members
  • Physical and mental health information
  • Contact details for other care providers (school, nursery, GP, dentist…)
  • Contact details for friends of the children
  • Photographs and video recordings of children, and possibly their friends
  • Learning journals, records of development and observations
  • Consent forms
  • Accident records


Why do you have it? Is it necessary for you to hold it or could it be held by your employers and accessed by you?

You should only be holding information which is necessary for you to do your job. Some of this information may not need to be held by you (i.e. stored on your phone or computer).

How long do you have to hold it for?

Most of this information is only needed as long as you are employed by the family.

Employed nannies and the GDPR

This applies if you are employed by a family, agency or mobile crèche. It DOES NOT apply to work sourced through apps, websites or agencies which do not act as the employer.

The information remains the property and responsibility of your employer. They should set out what data you hold, why you have it and what you may do with it in your contract. You do not need to register with the ICO.

You may have certain separate permission letters or forms relating to medical acts or transport, for example. These are not yours to keep; they are related to your employment. When you leave a position you no longer need them and they can be destroyed. Any permission forms should simply reinforce what is in your contract.

Your insurance company may require you to keep copies of any accident records in case a claim is made in the future. These forms must be stored securely, either on paper (e.g. in a locked filing cabinet) or electronically as scans in a password-protected file.

You probably take photographs of your charges for your employers. You may ask permission to use these as observations for externally assessed work. The course provider should have their own policy on how the data is handled, but you should also be careful to anonymise your charges in written work.

Suggested contract clauses:

Under duties

  • Administer medication and first aid as required
  • Take [Name] to pre-arranged appointments with healthcare professionals
  • Undertake regular observations and if necessary record development

The consent form for medication, first aid and consulting a medical professional is then an extension of this clause. This means you don’t need to take your contract with you to visit the doctor.


Under privacy

  • The Employee is permitted to take photos of the children for their own personal records and for the Employers’ use. The Employee must have the permission of the Employer if they at any time need to show photos of the children for training etc. The Employee is prohibited from distributing images of the children without the Employer’s specific prior consent including via social media networks.
  • The Employee agrees to delete all contact numbers, images and personal information acquired during the course of their employment relating to the Employer’s family or any friends or relatives stored on mobile or electronic devices and to hand over paper records unless explicit, written consent is given at the end of the employment period.

At the end of your employment you can suggest to your employer that they sign the following release:


I ………………………….. hereby authorise ……………………. to retain for his/her personal use:

My address

My telephone number

My email address

The dates of my children’s birthdays

Photographs of my children taken by him/her during his/her employment

I also agree to provide a written reference with my contact details for use in future employment services which may be distributed to introduction or employment agencies and future employers.


Your employer should also be informing you what data they hold about you!


Running a childcare business - Self-employed nannies and the GDPR

Our interpretation of correspondence is that you need to register with the ICO. This costs £35 a year if you pay by direct debit. We do not know if you need to continue to register until all the records have been destroyed or only for the time that you are using (rather than storing) the information.

You will need to automatically destroy client records once they are no longer needed (these can be stored for a maximum of 2 years) unless the client requests that they be destroyed before this or they are required for financial or insurance reasons. HMRC require that invoices and related documents be stored for 6 years.

The GDPR means you can no longer use previous email contacts as a marketing list e.g. to advertise your availability unless they specifically opt in to receiving information from you.


  • Minimise the amount of data you personally hold – information about children can be written down by clients and stored inside the Red Book, for example. Any observations or learning journals can be left at the client’s house. Any photographs can be sent and then deleted.


  • Add these clauses to your terms of business:

I collect and process information about children in my care in order to enable me to effectively care for and support them, including:

Their name and date of birth

Relevant physical and mental health details, such as allergies

Names of other care providers such as their school or nursery, GP and dentist

Religious practices

This information is kept confidential and stored securely as per my privacy policy. With your consent it may be shared with other care providers. Where necessary it may be shared with the police, social services or Ofsted. You have a right to see what information I hold about your child at any time, and it will be deleted at your request or when it is no longer needed for my records. NB Deleting such information means I will no longer be able to provide care for your child.


I request your permission (see consent form xxxxx) to take photographs and video recordings of children in my care. Unless you specifically sign the consent form mentioned above I will not take photographs or video recordings of your child(ren). Any photographs or video recordings are kept securely and not shared without your prior permission.


  • Create an updated photograph consent form. You can download a suggestion here.
  • Create a separate privacy notice. You can download a suggestion here.
  • Add a sentence to your complaints policy to cover what happens if you share information about a parent or a child without their consent
  • At the end of the contract you can suggest to your client that they sign the following release:

I ………………………….. hereby authorise ……………………. to retain for his/her personal use:

My address

My telephone number

My email address

The dates of my children’s birthdays

Photographs of my children taken by him/her during his/her contract

I also agree to provide a written reference with my contact details for use in future employment.