GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, and that individuals’ data is not processed without their knowledge and is only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. We are committed to protecting the rights and freedoms of individuals with respect to the processing of children’s, parents’, visitors’ and staff personal data.
The Data Protection Act (1998) gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. We registered with the ICO (Information Commissioner’s Office) under registration reference: ZA122552. Certificates are on display on the entry notice board.
GDPR Includes 7 Rights for Individuals
1) The Right to be Informed
We are a registered childcare provider with Ofsted and, as such, are required to collect and manage certain data. We need to know parents’ names, addresses, telephone numbers and email addresses. We need to know children’s full names, addresses and dates of birth.
We are required to collect certain details of visitors to our setting. We need to know visitors’ names, telephone numbers, addresses and, where appropriate, company name. This is in respect of our Health and Safety and Safeguarding Policies.
As an employer we are required to hold data on our employees: names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, photographic ID such as passport and driver’s license, and bank details. This information is also required for Disclosure and Barring Service (DBS) checks and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to UKCRBs for the processing of DBS checks.
2) The Right of Access
At any point an individual can make a request relating to their data and we will need to provide a response (within 1 month). We can refuse a request if we have a lawful obligation to retain data, i.e. from Ofsted in relation to the EYFS, but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
3) The Right to Erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, we have a legal duty to keep children’s and parents’ details for a reasonable time:
- We retain these records for 3 years after leaving pre-school,
- children’s accident and injury records for 19 years (or until the child reaches 21 years)
- and 22 years (or until the child reaches 24 years) for Child Protection records.
- Staff records must be kept for 3 years after the member of staff leaves employment, before they can be erased.
4) The Right to Restrict Processing
Parents, visitors and staff can object to us processing their data. This means that records can be stored but must not be used in any way, for example in reports or for communications.
5) The Right to Data Portability
These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6) The Right to Object
Parents, visitors and staff can object to their data being used for certain activities like marketing or research.
7) The Right not to be subject to Automated Decision-Making Including Profiling.
Automated decisions and profiling are used for marketing-based organisations. We do not use personal data for such purposes.
Storage and Use of Personal Information
All paper copies of children’s and staff records are kept in a locked office. Members of staff can have access to these files but information taken from the files about individual children is confidential and apart from archiving. These records are shredded after the retention period.
Information about individual children is used in certain documents, such as a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.
We collect personal data every year, including names and addresses of those on the waiting list. These records are shredded if the child does not attend, or added to the child’s file and stored appropriately.
Information regarding families’ involvement with other agencies is stored both electronically on an external hard drive and in paper format; this information is kept in a locked office. These records are shredded after the relevant retention period.
Upon a child leaving and moving on to school or moving settings, data held on the child may be shared with the receiving school. Such information will be sent via a secure file transfer system.
No names are stored with images in photo albums, displays, on the website or on social media sites.
Any portable data storage used to store personal data, e.g. a USB memory stick, is password protected and/or stored in a locked filing cabinet.
GDPR means that we must:
* Manage and process personal data properly
* Protect the individual’s rights to privacy
* Provide an individual with access to all personal information held on them.
We take your privacy seriously, and in accordance with the General Data Protection Regulation, we will commit to the following:
We will be asking you for personal data about you and your child/ren in order to deliver a childcare service to you. We must have a legal basis for collecting this data, and there are six lawful bases:
(a) Consent:
The individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract:
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation:
The processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests:
The processing is necessary to protect someone’s life.
(e) Public task:
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests:
The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
I will be processing your data under the following bases: Consent, Contract, Vital interests.
Where I require consent, I will provide an “opt in” sheet that will allow you to positively make a decision about the information that you make available and how this is shared.
This information will be collected as part of the child’s induction to the setting. I/We will be asking for this data verbally at our initial meeting and recording it on paper forms/digitally. I/We will ask for this information at regular intervals to ensure it is up to date. I/We will do this by asking you to complete and return a data form.
The information that we require will be:
- Child’s name
- Child’s date of birth
- Child’s age
- Child’s address
- Parents’ names, addresses, contact numbers
- Who has parental responsibility for the child
- Emergency contact names, addresses and contact number
- Child’s doctor’s name and contact number
- Any allergies/medical history/requirements
- Information about immunisations
- Whether the child has any special educational needs or disabilities
I am required to hold and use this personal data in order to comply with Ofsted and my local authority early years team. This data will be used to:
- support your child’s development
- monitor and report on your child’s progress
- share information about activities in our setting
- contact named people in an emergency
- share with other professionals in accordance with legislation
- ensure a contract of service is delivered and maintained
- ensure that this setting receives the statutory funding for which it is eligible.
With your permission this data may be, when necessary, shared with: Ofsted.