GDPR

The General Data Protection Regulation (GDPR) is a new EU law that came into effect on 25th May 2018, replacing the current Data Protection Act 1998. It gives individuals greater control over their own personal data.

As a childcare provider, it is necessary for us to collect personal information about the children who attend as well as staff and parents/carers. Our businesses are registered with the Information Commissioner's Office (ICO).

GDPR condenses the Data Protection Principles into 8 areas, which are referred to as the Privacy Principles. They are:

  • You must have a lawful reason for collecting personal data and must do it in a fair and transparent way.

  • You must only use the data for the reason it is initially obtained.

  • You must not collect any more data than is necessary.

  • It must be accurate and there must be mechanisms in place to keep it up to date.

  • You cannot keep it any longer than required.

  • You must protect the personal data.

  • You must have appropriate measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction/damage to personal data.

  • Personal data shall not be transferred to any outside agency or country within the EU that does not comply with the new General Data Protection Regulation.

The GDPR provides the following rights for individuals:

  • The right to be informed.

  • The right of access.

  • The right to rectification.

  • The right to erase.

  • The right to restrict processing.

  • The right to data portability.

  • The right to object.

  • Rights in relation to automated decision-making and profiling.

There are two main roles under the GDPR, the data controller and the data processor. As a childcare provider, we are data controllers. The data is our data that we have collected about the children and their families. We have contracts with other companies to process data, which makes them the data processor. The two roles have some differences but the principles of GDPR apply to both. We have a responsibility to ensure that other companies we work with are also GDPR compliant.

There is a lawful basis for processing personal data. We must have a lawful basis for processing all personal data within our organisation, and this is recorded on our Information audit for all the different information we collect. The six reasons are as follows:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

  • Legal obligation: processing is necessary for you to comply with the law (not including contractual obligations).

  • Vital interests: processing is necessary to protect someone’s life.

  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

  • Legitimate interests: processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

For the majority of data we collect, such as names, dates of birth and addresses, the lawful basis for doing so falls under the category of ‘legal obligation’, as we have a legal requirement to obtain this data as part of the Statutory Framework for the Early Years Foundation Stage.

Some data we collect, for example, photographs, requires parents to give consent for us to do so. Where this is the case, parents will be required to sign a consent form to ‘opt in’ and are made aware that they have the right to withdraw their consent at any time. We may also be required to collect data as part of a parent’s contract with the setting or local authority, for example, for us to claim government funding.

Data retention:

We will hold information about individuals only for as long as the law says and no longer than necessary. After this, we will dispose of it securely. Business records will be retained for 7 years.

Accident reports will be retained until the child is 21 years and 3 months old. Safeguarding records and causes for concern will be retained until the child is 25 years old.

Security:

We keep data about all individuals secure and aim to protect data against unauthorised change, damage, loss or theft. All data collected is only accessed by authorised individuals. All paper forms are kept locked away and all computers and tablets are password protected.

Privacy notices:

All parents and staff are provided with privacy notices which inform them of our procedures around how and why we collect data, information sharing, security, data retention, access to their records and our commitment to compliance with the GDPR act 2018.

Ensuring compliance:

The members of staff responsible for ensuring that the setting is compliant are Charlotte Adcock and Maxine Maurissen. Their main duties are:

  • Ensure that the provision is compliant with GDPR.

  • Audit all personal data held.

  • Ensure all staff are aware of their responsibilities under the law; this may include delivering staff training.

  • Undertake investigations when there is a breach of personal data and report to the Information Commissioner's Office (ICO).

  • Keep up to date with the legislation.

Legal framework:

  • The General Data Protection Regulation (2018)

  • Human Rights Act 1998

E-mail messages:

We will not send emails to you unless you have given us your consent or have requested information from us. Emails will be sent via the FAMLY system or via our nursery email. On leaving the nursery your email address will be removed.

You have the right to request a copy of the information that we hold about you. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

Cookies:

Information and data may be automatically collected through the use of cookies. Cookies are small files stored within your web browser from our website. Cookies do not collect personal information about you, nor do they allow us to access your computer in any way. All information is collected lawfully and in accordance with the Data Protection Act 1998 and after 25th May 2018 with the General Data Protection Regulation (GDPR). We use tracking cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website to tailor it to customer needs. We only use this information for statistical analysis purposes and no personally identifiable information is stored.

You can choose to accept or decline cookies. All web browsers automatically accept cookies; you can modify your browser security settings to block cookies, although you should be warned that changing cookie settings can adversely affect the performance of our website.

Complaints and concerns

We have an open-door policy and we welcome parents in at all times. We constantly strive to provide a continuously improving environment that operates at a high standard. To that end, we work in partnership with parents and outside agencies, and we welcome any comments or suggestions that will help us to improve.

We understand that from time to time, there may be occasions when issues become sufficiently important that escalation is required. Any issues that require escalation can be discussed with the key person, a room manager or the Nursery Manager, or escalated to the Director. If you are still unhappy with the outcome after the team has responded, complaints may also be escalated to Ofsted.