We receive a lot of enquiries about data protection and out of school clubs, so here are the questions that come up most often.
Do I need parents’ permission to contact them?
No. Your lawful basis for using their data is “performance of a contract”; because you already have a relationship with them as a customer of your childcare service, you do not need separate permission to contact them about that service. So you can email parents about next term’s opening hours, a planned outing, or collecting junk materials for an activity.
This basis only covers communications about the service you provide. You cannot use a parent’s email address for something unrelated to your business relationship (for example promoting a friend’s new soft play centre, or inviting them to a party you are hosting) unless they have opted in. If you want to contact parents about wider matters, add a clear, separate opt-in checkbox to your registration or permissions form.
Do parents need to confirm they have read our privacy notice?
No, this is not a legal requirement. For new families, you need to make sure they are aware of your privacy notice at the point they first give you their personal data; for example, a prominent link at the top of an online registration form, or a paper copy in your registration pack. For existing families, you just need to actively make them aware of a new or updated notice, by email or a paper copy; it is not enough to put it on your website and wait for people to find it.
So why is there a signature line on some privacy notice templates?
A signature is not a data protection requirement. If you include one, it is simply so you can show, if you ever needed to, that a parent had seen the notice. If you use one, make sure it is clearly framed as confirming that the person has read the notice, not as consent to your processing; most of your processing relies on contract and legal obligation, not consent, and blurring the two can cause confusion later. If you would rather not include a signature at all, you can leave it out.
Will the ICO hit me with a huge fine if I get something wrong?
Almost certainly not. The headline figures you may have seen (up to £17.5 million or 4% of turnover for the most serious cases) are aimed at large organisations and at deliberate, reckless or seriously harmful failures. The ICO takes a proportionate, risk-based approach and focuses its enforcement on the worst cases. What it wants to see is that you understand your responsibilities and are making a genuine effort to meet them. A small club that makes an honest mistake, fixes it promptly and is open about it is very unlikely to be fined. That is not a reason to be complacent; it is a reason to get your foundations in place and review them regularly.
Someone wants to complain about how we handled their data. What do we do?
Since 19 June 2026 you must give people a way to complain to you directly about how you have handled their personal data, acknowledge the complaint within 30 days, and respond without undue delay. Your privacy notice should tell people about this right, and point them to your complaints process. Only after they have complained to you, and remain dissatisfied, would they take it to the ICO. Our [Data Protection Complaints Policy template] sets this out in full.
What lawful processing condition do I use for DBS checks?
Because it is a legal requirement for almost all staff at an out of school club to have an enhanced DBS check, the lawful basis for processing a DBS disclosure application is “legal obligation”.
Do I still need to pay the ICO data protection fee?
Yes, in almost all cases. If your club processes personal data (which it does), you must pay the ICO’s annual data protection fee unless a specific exemption applies. For most clubs the fee is £52 a year (£47 if you pay by direct debit), because you are a micro organisation. You can check the exact amount using the ICO’s fee self-assessment tool. Not paying the correct fee can itself lead to a penalty.
Can I still let parents sign their children out?
Yes. When we checked this with the ICO, they confirmed that ordinary sign-in and sign-out sheets are not an area of data protection concern; the practice is common and well understood, and parents would not be surprised by it. You do still need to keep the sheets secure (preventing anyone from walking off with them or photographing them, and storing old ones safely).
The one exception is where you have been told of a safeguarding concern that means a child’s or parent’s name should not be visible to other parents. In that situation, use an alternative method for that family; a separate sheet, or initials only on the shared sheet, for example.
Related articles
GDPR: Overview
GDPR: Subject Access Requests (SARs)
GDPR: Implementation guide
