Nannies and the GDPR

GDPR – General Data Protection Regulation – applies as of 25 May 2018 across the EU, to information concerning any citizen of the EU. It replaces the Data Protection Act and is designed to be ‘technology neutral’. This means it applies to both paper and electronic records, and any other futuristic ways we have of storing data. It also goes further than the Data Protection Act. We have been in close contact with the ICO about the specific requirements relating to nannies and the GDPR, for both employed and self-employed nannies.

For the time being we are deliberately erring on the side of caution with regard to nannies and the GDPR. We believe it is better to be safe and hold personal information securely, particularly when it concerns people as vulnerable as children.

What data do you hold?

It is a good idea to construct a data register. This may include:

  • Children's and parents' names
  • Children's dates of birth
  • Parents' contact details
  • Parents' employment/professional details
  • Contact details for other family members
  • Physical and mental health information
  • Contact details for other care providers (school, nursery, GP, dentist...)
  • Contact details for friends of the children
  • Photographs and videos of the children and possibly their friends
  • Learning journals, records of development and observations
  • Consent forms
  • Accident records

Why do you have it? Is it necessary for you to hold it or could it be held by your employers and accessed by you?

You should only be holding information which is necessary for you to do your job. Some of this information may not need to be held by you (i.e. stored on your phone or computer).

Most of this information is only needed as long as you are employed by the family.

You can make the following modifications to your contract.


Your employer should also be informing you what data they hold about you!

Running a childcare business - Self-employed nannies and the GDPR

Our interpretation of correspondence is that you need to register with the ICO. This costs £35 a year if you pay by direct debit. We do not know if you need to continue to register until all the records have been destroyed or only for the time that you are using (rather than storing) the information.

You will need to automatically destroy client records once they are no longer needed (these can be stored for a maximum of 2 years) unless the client requests that they be destroyed before this or they are required for financial or insurance reasons. HMRC require that invoices and related documents be stored for 6 years.

The GDPR means you can no longer use previous email contacts as a marketing list, e.g. to advertise your availability, unless they specifically opt in to receiving information from you.


Minimise the amount of data you personally hold – information about children can be written down by clients and stored inside the Red Book, for example. Any observations or learning journals can be left at the client’s house. Any photographs can be sent and then deleted.

Add these clauses to your terms of business:
