GDPR Obligations for Parents

As a nanny’s employer, you have to keep their personal data safe. We do most of this for you, but there are some simple precautions you should bear in mind when receiving your nanny’s details.

The essentials:

  • Minimise what personal information you collect from your nanny. Typically, you’ll only need their name, email, and mobile. Koru Kids handles the rest for you.
  • Securely store your nanny’s personal details. E.g. use strong and unique passwords across your devices and shred any paper notes you make.
  • Don’t share your nanny’s details with anyone else, without their permission.
  • Delete your nanny’s contact details at the end of their time with you (unless they give you permission to keep them).
  • Breach procedure: if your devices are lost/stolen/hacked, you should swiftly notify your employee. Tell them which of their details may be compromised and what, if any, the implications might be. E.g. if your email address is hacked, you should (1) secure the account immediately by resetting the password, (2) text/speak to your nanny to warn them of potential phishing messages that might come from your account, and (3) agree a separate channel for verifying ambiguous messages (e.g. phone call).

Those are the basics you need to know. Stick to that, and you should be fine.

Hungry for more GDPR? Some additional information is below. It doesn’t require any action on your part. Could be good for dinner parties, though.*

The nitty gritty…

  • When you become a nanny’s employer (or if you interview them), we share the nanny’s details with you, as per our privacy policy. If you become the nanny’s employer, you become a controller of those details, and are responsible for handling them securely (as above).
  • You only handle a small amount of your nanny’s personal data because Koru Kids securely processes the rest on your behalf (e.g. National Insurance number, address, DBS checks)
  • We collect data processing permission from all Koru Kids nannies when they sign up with us. This is why we don’t have a joint controller agreement with you.
  • You’re obliged to tell your employee how you’ll process their data. Handily, we’ve covered that for you in the ‘Sharing of data’ section in our privacy policy, which both you and your nanny agreed to when you signed up with us. We’ve also put it in your parent-nanny employee handbook, so you don’t need to tell them separately.
  • You need a legal basis to collect and store your nanny’s personal data. As their employer, you’ll typically be relying on legitimate interest and contractual fulfillment.
  • As you’re only processing data for a core business purpose (staff administration) you don’t need to register with the ICO.
  • You don’t need to appoint a Data Protection Officer.
  • Your data processing (based on the details above) is unlikely to result in a high risk to the rights and freedoms of a data subject (your nanny), so a Data Protection Impact Assessment is not required.
  • You may wish to keep a copy of this page to demonstrate your compliance efforts with data protection law.

Please note: nothing on this page constitutes legal advice. The information above is provided as a suggestion only. If you have concerns or questions, please refer to the Information Commissioner’s Office guidelines on GDPR, or seek specialist advice.

Sources: Sparqa Legal, ICO.

*Depending on who you dine with.

GDPR guide for parents employing nannies v1.0

Updated 23/08/19