Compliance Analysis

Assessment of Legal, Digital and Data Protection Requirements for a National Childminding Register

Date: 17 March 2026

Prepared for: Scottish Government

Context: Assessment of requirements for implementing a national register of children placed with childminders in Scotland

1. Background

1.1 The Claimed Barriers

It has been argued that while a national register of children attending childminding settings "could increase transparency," there are "significant legal, digital and data protection barriers" to implementing one. It has further been argued that a register would not prevent malpractice because a childminder "could maintain a legitimate entry on the national register, whilst delivering care to additional children."

1.2 What the Register Would Do

The purpose of the register is specific and limited: to enable the Care Inspectorate to cross-reference the number of children a childminder claims to be caring for against their registered capacity limits. Under the Requirements for Care Services (Scotland) Regulations 2011 (SSI 2011/210), childminders in Scotland may care for a maximum of 8 children under 16, with no more than 6 under 12 and no more than 3 of pre-school age, including the childminder's own children. If the number of children registered to a specific childminder through a central system exceeds those limits, an automatic flag would be raised.

Cases have demonstrated that childminders can care for significantly more children than their registered capacity permits, sometimes without detection between inspection visits. The existing self-reporting model provides no independent mechanism to verify compliance.

1.3 Purpose of This Assessment

This document assesses each category of claimed barrier -- legal, digital, and data protection -- against:
  • The applicable UK and Scottish legislation
  • Existing Scottish Government and public body practice
  • A working prototype of a Child-Minder Register (Child-Minder) built to test these claims
This assessment also addresses the argument that a register would be ineffective because it cannot prevent deliberate fraud. By that logic, we would not bother with MOT certificates because some drivers still use unroadworthy cars, or with food hygiene ratings because some restaurants still cut corners. No regulatory tool is perfect; the question is whether it meaningfully raises the baseline of accountability.

---

2. Assessment of "Legal Barriers"

2.1 Lawful Bases Available Under UK GDPR Article 6

Any processing of personal data requires a lawful basis under Article 6(1) of the UK General Data Protection Regulation (UK GDPR). Three lawful bases are clearly available for a childminding register.

Article 6(1)(c) -- Legal Obligation

Processing is necessary for compliance with a legal obligation to which the controller is subject.

The Requirements for Care Services (Scotland) Regulations 2011 (SSI 2011/210) already impose a legal obligation on childminders to maintain records of all children in their care. Regulation 4(1)(a) requires care service providers to keep a record of the personal details of each person using the service, including "name, date of birth, address and, where the service is provided to a child, the name and address of the child's parent." These records must be kept and made available to the Care Inspectorate.

A national register that aggregates data the regulated sector is already legally required to collect does not create a new legal obligation -- it provides a mechanism for verifying compliance with an existing one. The lawful basis under Article 6(1)(c) is well-established for this type of regulatory compliance processing.

Article 6(1)(e) -- Public Task

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The Care Inspectorate's statutory function under the Public Services Reform (Scotland) Act 2010 is to regulate care services, including childminding services. Part 5 of the 2010 Act sets out the Care Inspectorate's inspection and enforcement powers. Section 51 gives the Care Inspectorate the function of furthering improvement in the quality of care services. Section 53 requires it to inspect regulated care services. A register that enables cross-referencing of capacity compliance is a direct exercise of these statutory functions.

The "public task" basis is the most commonly used lawful basis across Scottish public bodies for regulatory data processing. It is the basis on which the Care Inspectorate already processes data about childminders, their services, and their conditions of registration.

Article 6(1)(f) -- Legitimate Interests

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

If the register were operated by a body other than a public authority (for example, a third-sector organisation or a social enterprise), legitimate interests would be available as a lawful basis. The legitimate interest -- safeguarding children from being placed in over-capacity childminding settings -- is clear and compelling. A balancing test under Article 6(1)(f) would weigh this interest against the rights of the data subjects (parents submitting their own data voluntarily, and childminders whose registration data is already public). Given the minimal nature of the data processed and the voluntary participation model, the balance clearly favours processing.

Note: Article 6(1) explicitly states that subparagraph (f) "shall not apply to processing carried out by public authorities in the performance of their tasks." If the Care Inspectorate operates the register, Article 6(1)(e) (public task) is the appropriate basis, not legitimate interests.

2.2 Special Category Data Under Article 9

Article 9 of the UK GDPR imposes additional conditions on the processing of "special categories" of personal data, defined as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation.

The Child-Minder prototype collects no special category data whatsoever. The register holds:
  • Parent email address (for authentication)
  • Child birth year and month (not full date of birth, not name, not address)
  • A system-generated pseudonymous child reference (e.g., "Child-Minder-A7K9M2")
  • Childminder registration number (already published on the Care Inspectorate website)
  • Placement start and end dates
None of these data points falls within any special category under Article 9. No health data, no developmental information, no ethnicity, no religion, no photographs, no biometric data. The Article 9 conditions are therefore not engaged.

Even if special category data were required (which it is not), the Data Protection Act 2018 provides explicit conditions:
  • Schedule 1, Condition 18 -- Safeguarding of children and individuals at risk: Processing is necessary for the purposes of protecting children or individuals at risk from neglect, physical, mental or emotional harm. This condition explicitly contemplates the type of processing a childminding register would involve.
  • Schedule 1, Condition 2 -- Health or social care purposes: Processing is necessary for health or social care purposes. Childminding is a registered care service under Scottish law.
Both conditions require an Appropriate Policy Document, which is a standard compliance document (discussed further in Section 4).

2.3 The Named Person Ruling

The Named Person ruling is frequently raised in Scottish policy discussions about children's data. It merits direct address.

In Christian Institute v Lord Advocate [2016] UKSC 51, the UK Supreme Court struck down provisions of the Children and Young People (Scotland) Act 2014 that would have required Named Persons to share information about children's "wellbeing." The Court held that the information-sharing provisions were not "in accordance with law" because they lacked sufficient precision about:
  • What information would be shared
  • With whom it would be shared
  • Under what circumstances sharing would occur
  • What safeguards applied
The Court was clear: it was not ruling that maintaining records about children is unlawful, or that information-sharing for child protection purposes is impermissible. It was ruling that the specific legislative provisions at issue were too imprecise. Paragraph 105 of the judgment states: "The aim of the legislation is legitimate and benign." The deficiency was in precision of drafting, not in the underlying objective.

This is a design constraint (be precise about data access rules), not a legal barrier to creating a register.

The Child-Minder prototype directly addresses this constraint. Data access rules are encoded in Row-Level Security (RLS) policies at the database level:
  • Parents can only see their own children's records and placements
  • Inspectors can see capacity data for all active childminders, but cannot see which parent registered which child
  • No child names are stored at any level
  • Every data access is logged in an audit table with timestamps, user identification, and the operation performed
The Named Person ruling requires precisely the kind of technical specificity that the prototype demonstrates. It is evidence that the constraint is achievable, not that the objective is unlawful.
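
The access rules listed above, combined with the capacity limits from Section 1.2, can be written in PostgreSQL along the following lines. This is an added example, not the prototype's own migrations: the table, role, function and setting names (`children`, `placements`, `parent_role`, `inspector_role`, `app_user_id()`, `app.user_id`) are assumptions, and "under 5" stands in for pre-school age.

```sql
-- Added illustration; all object names are assumptions, not the prototype's schema.
CREATE ROLE parent_role    NOLOGIN;
CREATE ROLE inspector_role NOLOGIN;

CREATE TABLE children (
    child_ref   text PRIMARY KEY,   -- pseudonymous reference, no name stored
    parent_id   uuid NOT NULL,      -- authenticated parent account
    birth_year  int  NOT NULL,
    birth_month int  NOT NULL CHECK (birth_month BETWEEN 1 AND 12)
);

CREATE TABLE placements (
    child_ref       text NOT NULL REFERENCES children (child_ref),
    childminder_reg text NOT NULL,  -- published registration number
    start_date      date NOT NULL,
    end_date        date,           -- NULL while the placement is active
    PRIMARY KEY (child_ref, childminder_reg, start_date),
    CHECK (end_date IS NULL OR end_date >= start_date)
);

-- A child cannot hold two active placements with the same childminder.
CREATE UNIQUE INDEX one_active_placement
    ON placements (child_ref, childminder_reg) WHERE end_date IS NULL;

-- Identity of the caller. Assumption: the trusted application layer sets
-- app.user_id per transaction from the verified login; it must never be
-- settable through client-supplied SQL. Unset or empty yields NULL, so the
-- policies below match no rows (fail closed).
CREATE FUNCTION app_user_id() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

ALTER TABLE children   ENABLE ROW LEVEL SECURITY;
ALTER TABLE placements ENABLE ROW LEVEL SECURITY;

-- Parents read and write only their own children's rows.
CREATE POLICY parent_own_children ON children
    FOR ALL TO parent_role
    USING      (parent_id = app_user_id())
    WITH CHECK (parent_id = app_user_id());

-- Placements are visible only through a child the caller owns. With no
-- WITH CHECK clause, the USING expression also guards INSERT and UPDATE.
CREATE POLICY parent_own_placements ON placements
    FOR ALL TO parent_role
    USING (EXISTS (SELECT 1 FROM children c
                   WHERE c.child_ref = placements.child_ref
                     AND c.parent_id = app_user_id()));

GRANT SELECT, INSERT, UPDATE ON children, placements TO parent_role;

-- Only year and month are stored, so a child is treated as under N years
-- until the end of the birth month N years later (errs towards flagging).
CREATE FUNCTION is_under(n_years int, birth_year int, birth_month int)
RETURNS boolean LANGUAGE sql STABLE AS
$$ SELECT make_date(birth_year, birth_month, 1) + interval '1 month'
          > current_date - make_interval(years => n_years) $$;

-- Inspectors get aggregate counts per childminder and nothing else: the view
-- exposes neither parent_id nor child_ref. It runs with its owner's rights
-- (the default, security_invoker off), and the table owner is exempt from
-- RLS unless FORCE ROW LEVEL SECURITY is set, so it can count across all
-- rows while inspector_role has no grant or policy on the base tables.
CREATE VIEW inspector_capacity AS
SELECT s.*,
       (s.under_16 > 8 OR s.under_12 > 6 OR s.under_5 > 3) AS over_capacity
FROM (
    SELECT p.childminder_reg,
           count(*) FILTER (WHERE is_under(16, c.birth_year, c.birth_month)) AS under_16,
           count(*) FILTER (WHERE is_under(12, c.birth_year, c.birth_month)) AS under_12,
           count(*) FILTER (WHERE is_under(5,  c.birth_year, c.birth_month)) AS under_5
    FROM placements p
    JOIN children c USING (child_ref)
    WHERE p.start_date <= current_date
      AND (p.end_date IS NULL OR p.end_date >= current_date)
    GROUP BY p.childminder_reg
) s;

GRANT SELECT ON inspector_capacity TO inspector_role;
```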

2.4 Children (Scotland) Act 2020

The Children (Scotland) Act 2020, which received Royal Assent on 1 October 2020, strengthened information-sharing provisions for children's wellbeing. Part 2 of the Act reformed the Children's Hearings system and introduced new provisions for the sharing of information relevant to the wellbeing and protection of children. The Act was drafted with the Named Person ruling in mind, incorporating the precision that the Supreme Court required.

The 2020 Act represents the Scottish Parliament's considered response to the Named Person judgment. It demonstrates that the Scottish Parliament has already legislated for information-sharing about children in a manner consistent with the UKSC ruling and with data protection law. A childminding register that shares aggregate capacity data (not individual children's personal details with multiple agencies) is substantially less intrusive than the information-sharing framework that the 2020 Act enables.

2.5 Conclusion on Legal Barriers

Multiple lawful bases exist under UK GDPR Article 6 for the processing that a childminding register requires. No special category data is involved, but even if it were, the DPA 2018 provides explicit safeguarding conditions. The Named Person ruling is a design constraint about precision, not a prohibition on maintaining records. The Children (Scotland) Act 2020 demonstrates that the Scottish Parliament has already legislated for more intrusive information-sharing about children. The legal framework actively supports, rather than hinders, processing data to protect children.

There is no legal barrier to creating a Child-Minder Register. What exists is a set of legal requirements -- lawful basis selection, privacy notices, data access rules -- that are standard compliance steps, well-precedented, and straightforward to implement.

---

3. Assessment of "Digital Barriers"

3.1 Existing Digital Infrastructure

The claim that digital barriers exist must be assessed against what Scottish public bodies already operate.

Care Inspectorate CI Digital Portal

The Care Inspectorate already operates a digital portal at portal.careinspectorate.gov.scot for the registration, variation, and management of care services including childminding. Childminders submit applications, report changes to their registration, and file annual returns through this portal. The digital infrastructure for interacting with childminding services already exists within the Care Inspectorate.

Adding a parent-facing registration function -- "I am placing my child with childminder registration number X" -- is an incremental extension of an existing digital system, not the construction of a new one.

SEEMiS

SEEMiS Group LLP, owned jointly by Scotland's 32 local authorities, operates the schools management information system used across approximately 2,500 schools and 2,000 early learning and childcare (ELC) settings. SEEMiS processes far more data about far more children than a childminding register would require: full names, dates of birth, addresses, health information, attendance records, attainment data, and pastoral notes. The system has operated at national scale for over a decade.

If Scotland's local authorities can operate a system processing sensitive data for hundreds of thousands of children across thousands of settings, a register processing minimal data for approximately 22,000 children across approximately 3,000 childminders is not a digital challenge.

NHS Child Health Information Services (CHIS)

NHS Scotland maintains digital health records for every child born in Scotland from birth through childhood immunisation, developmental screening, and school health assessments. The Child Health Information Services system processes the most sensitive category of personal data -- health records -- for every child in the country. It has done so for decades.

Other Scottish Government Digital Services

  • Police Scotland's PVG (Protecting Vulnerable Groups) scheme processes disclosure checks digitally
  • HMRC's Real Time Information system processes payroll data for every employer in Scotland
  • Social Security Scotland's digital platform processes benefit applications and payments
  • Revenue Scotland operates digital systems for Land and Buildings Transaction Tax

3.2 The Prototype as Evidence

A working prototype of the Child-Minder was built in approximately two to three days using commodity open-source technology.

Technology stack:
  • Next.js (open-source web framework, MIT licence)
  • Supabase (open-source database platform, Apache 2.0 licence)
  • PostgreSQL (open-source relational database, PostgreSQL licence)
Infrastructure cost: Zero to twenty-five pounds per month. Both Supabase and Vercel offer free tiers sufficient for the scale of Scottish childminding (approximately 3,000 providers, approximately 22,000 children). Even at production scale with paid tiers, costs would be measured in tens of pounds per month, not thousands.

Database schema: Approximately 400 lines of SQL across 7 migration files, implementing:
  • 6 tables (user profiles, childminders, children, placements, capacity alerts, audit log)
  • Row-level security policies with role-based access control
  • Automated capacity checking with breach and warning alerts
  • A comprehensive audit trail with timestamps, user identification, and operation logging
  • Pseudonymous child references (system-generated, e.g., "Child-Minder-A7K9M2")
No custom hardware. No bespoke procurement. No lengthy vendor selection. No mainframe. No proprietary software. The entire system runs on commodity cloud infrastructure available from dozens of providers.

3.3 Comparison with Analogous Government Digital Services

| System | Operator | Users | Data Volume | Technology |
|---|---|---|---|---|
| SEEMiS | 32 local authorities | Thousands of staff | ~700,000 pupil records | Bespoke MIS |
| NHS CHIS | NHS Scotland | NHS staff Scotland-wide | Every child in Scotland | NHS Digital systems |
| PVG Scheme | Disclosure Scotland | Employers + individuals | Millions of checks | Digital platform |
| CIS (HMRC) | HMRC | Construction contractors | Millions of subcontractors | HMRC digital |
| CI Digital Portal | Care Inspectorate | Care service providers | ~12,000 registered services | Web portal |
| Child-Minder Register | Care Inspectorate | ~3,000 childminders + parents | ~22,000 child records | Open-source web app |

The Child-Minder Register is the smallest, simplest system in this comparison by every measure: fewest users, least data, simplest technology, lowest cost.

3.4 Conclusion on Digital Barriers

No digital barrier exists. The technology required is commodity, well-understood, and already deployed at far greater scale and complexity across Scottish public services. A working prototype was built in days, not months, using freely available open-source tools. The Care Inspectorate already operates a digital portal for childminding services. The claim that digital barriers are "significant" is not supported by the evidence.

---

4. Assessment of "Data Protection Barriers"

4.1 What the Register Actually Collects

The following table compares the data held by the Child-Minder Register against data that existing systems already collect about children in Scotland.

| Data Point | Child-Minder Register | Childminder's Own Records (legally required under SSI 2011/210) | SEEMiS (Schools) | NHS CHIS |
|---|---|---|---|---|
| Child's full name | No | Yes | Yes | Yes |
| Child's date of birth | Year and month only | Full DOB | Full DOB | Full DOB |
| Child's address | No | Yes | Yes | Yes |
| Health data (allergies, conditions) | No | Some (allergies, medications) | Some | Full medical records |
| Developmental information | No | No | Yes (attainment) | Yes (screening) |
| Parent/guardian name | No | Yes | Yes | Yes |
| Parent/guardian full contact details | Email only | Full details (phone, address) | Full details | Full details |
| Emergency contacts | No | Yes | Yes | Yes |
| Ethnicity | No | No | Sometimes | Sometimes |
| Religion | No | No | Sometimes | No |
| Photographs | No | No | Sometimes | No |
| GP details | No | Sometimes | No | Yes |
| Financial information | No | No | Free school meals status | No |
| Safeguarding concerns | No | Some | Yes | Yes |

The Child-Minder Register collects the absolute minimum data required for its purpose: matching children to childminders for capacity checking. It collects less personal data than any other children's data system in Scotland, and less than a childminder is already legally required to maintain in their own records.

4.2 No Special Category Data

The register holds no data classified as special category under Article 9 of the UK GDPR. This is by design. The prototype implements what data protection law calls "data minimisation" (Article 5(1)(c)) and "data protection by design and by default" (Article 25).

Specifically:
  • No child names: Children are identified by system-generated pseudonymous references (e.g., "Child-Minder-A7K9M2"). The register never asks for, stores, or displays a child's name.
  • No child addresses: Not collected. Not needed for capacity checking.
  • No health data: Not collected. Not needed for capacity checking.
  • Partial date of birth only: The register stores birth year and month, not the full date of birth. This is sufficient to calculate the age bracket (under 5, under 12, under 16) required for capacity limit checking. It is not sufficient to identify a specific child.
  • No parent names: Parents authenticate with an email address. Their name is never requested.

4.3 ICO Age Appropriate Design Code

The ICO's Age Appropriate Design Code (also known as the Children's Code) sets out 15 standards of age-appropriate design for "information society services" (ISS) likely to be accessed by children.

The Code is unlikely to apply to a childminding register operated by the Care Inspectorate, for three reasons:
  1. Not a commercial service: The Code applies to ISS as defined in the Electronic Commerce (EC Directive) Regulations 2002. An ISS must be provided "normally for remuneration." A public authority register operated as a regulatory function is not provided for remuneration.
  2. Not accessed by children: The Code applies to services "likely to be accessed by children." A childminding register is used by parents (adults) and inspectors (adults). Children do not access or interact with it.
  3. Public authority exemption: Even if the Code applied, it provides that public authorities exercising their official functions should consider the standards. The Care Inspectorate's statutory regulatory functions are not ISS.
Even if the Code did apply, the Child-Minder prototype's data-minimisation-first design would satisfy its requirements. Standard 8 (Data Minimisation) requires that only the minimum amount of personal data necessary is collected. Child-Minder collects no names, no addresses, and no health data. Standard 10 (Geolocation) is not engaged -- no location data is collected. Standard 12 (Profiling) is not engaged -- no profiling takes place.

The Age Appropriate Design Code is not a barrier. It is unlikely to apply, and if it did, the prototype's design would comply.

4.4 Data Protection Impact Assessment (DPIA)

Article 35 of the UK GDPR requires a Data Protection Impact Assessment where processing is "likely to result in a high risk to the rights and freedoms of natural persons." Processing involving children's data at scale may meet this threshold, making a DPIA advisable.

A DPIA is a document, not a barrier. It requires:
  1. A systematic description of the processing operations and their purposes
  2. An assessment of the necessity and proportionality of the processing
  3. An assessment of the risks to data subjects' rights and freedoms
  4. The measures envisaged to address the risks
The Scottish Government has already completed DPIAs for comparable or more complex processing:
  • ELC 2-year-old data sharing project: DPIA for sharing children's data between HMRC, DWP, the Scottish Government, and local authorities to identify eligible 2-year-olds for funded childcare. This involved sharing full names, dates of birth, addresses, and benefits data -- substantially more sensitive than anything Child-Minder would process.
  • Children (Scotland) Bill DPIA: Prepared during the passage of the Children (Scotland) Act 2020. Addressed information-sharing about children across multiple agencies.
  • NHS Scotland DPIAs: Routinely produced for processing children's health data.
  • Social Security Scotland DPIAs: Produced for benefit processing systems that handle data about families with children.
The Child-Minder prototype's risk profile is low due to extreme data minimisation. No names, no addresses, no health data, no special category data. The DPIA for Child-Minder would be one of the simplest child-related DPIAs a Scottish public body has ever been required to produce.

A separate document (see `dpia-outline.md`) provides a draft outline of what a DPIA for Child-Minder would contain.

4.5 Appropriate Policy Document (APD)

Where processing relies on a substantial public interest condition under DPA 2018 Schedule 1, an Appropriate Policy Document is required. This is a standard document that sets out:
  • The lawful basis for processing
  • The condition relied upon
  • How the controller complies with the data protection principles
  • Retention periods
APDs are produced routinely by Scottish public bodies. The ICO provides template guidance. An APD for Child-Minder would be straightforward given the minimal data processed and the clear lawful basis.

4.6 Privacy Notice

Articles 13 and 14 of the UK GDPR require a privacy notice to be provided to data subjects, explaining what data is collected, why, the lawful basis, retention periods, and their rights. This is a standard requirement for every data controller in the United Kingdom.

A draft privacy notice for Child-Minder is provided in a separate document (see `privacy-notice.md`).

4.7 Data Retention

A data retention policy is a standard requirement. For Child-Minder, a suggested approach is:
  • Active placements: Retained while the placement is active
  • Ended placements: Retained for 3 years after the child leaves the childminding setting (consistent with regulatory record-keeping requirements and limitation periods for civil claims)
  • After retention period: Pseudonymise or delete. Since child records already use system-generated pseudonymous references and contain no names or addresses, deletion of the placement record itself is straightforward.

4.8 Conclusion on Data Protection Barriers

The data protection requirements for a childminding register are standard compliance measures that every Scottish public body routinely addresses. They consist of:
  • A DPIA (a document the Scottish Government has produced for more complex children's data processing)
  • A privacy notice (required for every data controller)
  • A retention policy (standard practice)
  • An APD (if relying on a Schedule 1 condition, which is likely unnecessary given that no special category data is processed)
  • ICO registration (standard for all data controllers)
The Child-Minder's extreme data minimisation -- no names, no addresses, no health data -- makes it one of the lowest-risk children's data systems conceivable. It processes less personal data than a childminder is already legally required to maintain in their own paper records. Describing these routine compliance steps as "significant barriers" to protecting children from being placed in over-capacity care settings is not a proportionate characterisation.

---

5. Comparison with Existing Systems Processing Children's Data

The following table places the Child-Minder Register alongside existing Scottish systems that process children's data, all of which operate with full legal compliance.

| System | Operator | Data Held | Approximate Scale | Primary Lawful Basis |
|---|---|---|---|---|
| SEEMiS | 32 local authorities | Full name, DOB, address, health notes, attainment, attendance, pastoral notes, free school meal status | ~2,500 schools + ~2,000 ELC settings; ~700,000 pupils | Public task (Art 6(1)(e)) |
| NHS CHIS | NHS Scotland | Full medical records from birth: immunisation, developmental screening, health visitor notes, GP details | Every child born in Scotland | Health/social care (Art 9(2)(h)) + public task |
| Social Work Case Management | Local authorities | Highly sensitive safeguarding data: risk assessments, family circumstances, child protection plans, court orders | Thousands of children across 32 authorities | Substantial public interest (Art 9(2)(g)) + legal obligation |
| ELC Data Sharing (2-year-olds) | SG + HMRC + DWP + LAs | Names, DOBs, addresses, benefits data, eligibility assessments | All eligible 2-year-olds in Scotland | Regulations under Digital Economy Act 2017 |
| PVG Scheme | Disclosure Scotland | Criminal records, vetting information, barred list status | All individuals working with children/protected adults | Legal obligation (Art 6(1)(c)) + substantial public interest |
| Childminder's Own Records | Individual childminders | Full name, DOB, address, parent details, emergency contacts, health/allergy info, attendance | All children in each setting (legally required under SSI 2011/210) | Legal obligation (Art 6(1)(c)) |
| Child-Minder Register | Care Inspectorate | Email, birth year/month, pseudonymous child ref, placement dates, childminder reg number | ~3,000 childminders; ~22,000 children | Legal obligation / Public task |

Every system above Child-Minder in this table processes more sensitive data about more children with greater complexity than Child-Minder would require. All operate lawfully. All have completed the compliance steps (DPIAs, privacy notices, retention policies, APDs) that have been cited as barriers. The Child-Minder Register collects the least data of any children's data system in Scotland.

---

6. What IS Actually Required (The Compliance Checklist)

The following items are genuine requirements for deploying a childminding register. None of them is a barrier. All are routine, well-precedented, and achievable within weeks -- not months or years.

6.1 Data Protection Impact Assessment

  • Status: Required under Article 35 UK GDPR where processing is likely to result in high risk. Advisable in any case for processing involving children's data.
  • Precedent: The Scottish Government has completed DPIAs for the ELC 2-year-old data sharing project, the Children (Scotland) Bill, and numerous NHS Scotland and Social Security Scotland projects -- all involving more sensitive data than Child-Minder.
  • Effort: A DPIA for Child-Minder would be one of the simplest child-related DPIAs produced by a Scottish public body, given the extreme data minimisation. An outline is provided in `dpia-outline.md`.

6.2 Appropriate Policy Document

  • Status: Required under DPA 2018 Schedule 1 if relying on a substantial public interest condition. Likely unnecessary for Child-Minder since no special category data is processed, but advisable as good practice.
  • Precedent: Standard document produced by every Scottish public body that processes personal data under a public interest condition.
  • Effort: Template available from ICO. Straightforward to complete for Child-Minder.

6.3 Privacy Notice

  • Status: Required under Articles 13/14 UK GDPR for all data controllers.
  • Precedent: Every data controller in the UK publishes a privacy notice. A draft for Child-Minder is provided in `privacy-notice.md`.
  • Effort: Half a day to draft; standard legal review.

6.4 Data Retention Policy

  • Status: Required as part of the accountability principle (Article 5(2) UK GDPR).
  • Precedent: Standard across all data controllers.
  • Effort: Decision on retention periods (suggested: 3 years post-placement), documented in a standard policy.

6.5 Lawful Basis Selection and Documentation

  • Status: Required under Articles 5 and 6 UK GDPR.
  • Precedent: Article 6(1)(c) (legal obligation) and Article 6(1)(e) (public task) are the two most commonly relied-upon bases across Scottish public bodies.
  • Effort: Straightforward selection and documentation. The analysis in Section 2 of this document provides the reasoning.

6.6 Technical Security Measures

Status: Required under Article 32 UK GDPR (security of processing).

Precedent: Row-level security, encryption at rest, audit trails, and pseudonymous identification are all standard technical measures.

The Child-Minder prototype already implements:
  • Row-level security policies ensuring parents can only access their own children's records
  • Role-based access control separating parent and inspector access
  • A comprehensive audit trail logging every data operation with user identification and timestamp
  • System-generated pseudonymous child references (no names stored)
  • Encryption at rest (provided by the database platform)
  • Enforcement of the unique active placement constraint (a child cannot be registered to the same childminder twice simultaneously)

6.7 ICO Registration

  • Status: Required for all data controllers under the Data Protection Act 2018, section 25.
  • Effort: Online registration form. The Care Inspectorate is already registered with the ICO.

6.8 Summary

| Requirement | Template/Precedent Available | Estimated Effort | Status in Prototype |
|---|---|---|---|
| DPIA | Yes (ELC project, ICO template) | 1-2 weeks | Outline drafted |
| APD | Yes (ICO template) | 2-3 days | Not required (no special category data) |
| Privacy Notice | Yes (ICO guidance) | 1-2 days | Draft provided |
| Retention Policy | Yes (standard practice) | 1-2 days | Architecture supports it |
| Lawful Basis Documentation | Yes (Article 6(1)(c)/(e)) | 1-2 days | Analysis provided |
| Technical Security | Yes (prototype demonstrates) | Already built | RLS, audit trails, pseudonymous IDs |
| ICO Registration | Already registered | Update existing entry | N/A |

Total estimated compliance effort: 2-4 weeks of work, with templates and precedents available for every item.

---

7. Conclusion

The characterisation of legal, digital, and data protection requirements as "significant barriers" to a Child-Minder Register is not supported by the evidence.

On legal barriers: Multiple lawful bases exist under UK GDPR Article 6. The Data Protection Act 2018 explicitly provides safeguarding conditions. The Named Person ruling is a design constraint about precision, not a prohibition. The Children (Scotland) Act 2020 enables more intrusive information-sharing than a childminding register would require. The legal framework supports, rather than hinders, the creation of such a register.

On digital barriers: The technology is commodity and open-source. A working prototype was built in days. The Care Inspectorate already operates a digital portal for childminding services. SEEMiS, NHS CHIS, and multiple other Scottish systems process more data about more children at greater scale. There is no digital frontier to cross.

On data protection barriers: The compliance requirements are a standard checklist: DPIA, privacy notice, retention policy. Every item has templates and precedents from existing Scottish Government work. The Child-Minder's extreme data minimisation -- no names, no addresses, no health data, no special category data -- makes it one of the simplest children's data compliance exercises conceivable.

What has been described as significant barriers is, in substance, a compliance checklist of routine items that Scottish public bodies address regularly for systems that process far more sensitive data. The real question is not whether these compliance steps can be completed -- they self-evidently can -- but whether there is the political and administrative will to complete them.

Experience has demonstrated that childminders can exceed their registered capacity limits without detection under the current self-reporting model. A register of the type described in this assessment -- minimal data, automated capacity checking, pseudonymous child identification -- would have flagged this breach. The technology exists. The law permits it. The compliance steps are routine. The only barrier is the decision to proceed.

---

References

Legislation

  • UK General Data Protection Regulation (UK GDPR), retained EU law
  • Data Protection Act 2018, c. 12
  • Public Services Reform (Scotland) Act 2010, asp 8
  • Requirements for Care Services (Scotland) Regulations 2011, SSI 2011/210
  • Children and Young Persons (Scotland) Act 1937, c. 37
  • Children (Scotland) Act 2020, asp 16
  • Children and Young People (Scotland) Act 2014, asp 8
  • Digital Economy Act 2017, c. 30

Case Law

  • Christian Institute v Lord Advocate [2016] UKSC 51

Regulatory Guidance

  • ICO, "Data Protection Impact Assessments" (guidance), ico.org.uk
  • ICO, "Lawful Basis for Processing" (guidance), ico.org.uk
  • ICO, "Age Appropriate Design Code" (2020), ico.org.uk
  • ICO, "Children and the UK GDPR" (guidance), ico.org.uk

Scottish Government / Public Body Sources

  • Care Inspectorate, "Early Learning and Childcare Statistics 2024"
  • Care Inspectorate, CI Digital portal (portal.careinspectorate.gov.scot)
  • SEEMiS Group LLP (seemis.gov.scot)
  • Scottish Government, "Getting It Right for Every Child (GIRFEC)" framework