General Data Protection Regulation Policy
Policy statement
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified,
explicit and legitimate purposes and that individual’s data is not processed without their knowledge and are only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Enchanted Lands Day Nursery is committed to protecting the rights and freedoms of individuals with respect to the processing of children’s, parents, visitors, and staff personal data.
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
We are registered with the ICO (Information Commissioners Office). Certificates are on display on the parent’s information boards.
GDPR includes 7 rights for individuals.
1. The right to be informed
This nursery is a registered Childcare provider with Ofsted and as so, is required to collect and manage certain data. We need to know parent’s/guardian’s names, addresses, telephone numbers, email addresses, date of birth and National Insurance numbers. We need to know children’s’ full names, addresses, date of birth and Birth Certificate number (when registering at our nursery, we need a copy of the certificate). For parents claiming the free nursery entitlement we are requested to provide this data to the Local Authority; We use funding loop as an administration system for managing the requirements of data required by the local authority.
We are required to collect certain details of visitors to our nursery. We need to know visitor’s names, telephone numbers, addresses and where appropriate company name. This is in respect of our Health and Safety and Safeguarding Policies.
As an employer we are required to hold data on its employees; names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, photographic ID such as passport and driver’s license, bank details, relevant childcare qualifications. This information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to UKCRBs for the processing of DBS checks. For further information please refer to our employee policies.
We often take photographs of the children during their time at nursery to help document their progress and development. Occasionally we may wish to use these photographs for other purposes. As part of our registration process parents/guardians will be asked to give specific consent for the use of photographs. In addition to photographs of children we also display photographs of our staff team within the nursery.
2. The right of access
At any point an individual can make a request relating to their data and we will need to provide a response (within 1 month). We can refuse a request, if we have a lawful obligation to retain data i.e. from Ofsted in relation to the EYFS, but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
3. The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, we have a legal duty to keep children’s and parent’s details for a reasonable time, (please refer to annex 1). This data is archived securely and shredded after the legal retention period.
4. The right to restrict processing
Parents, visitors and staff can object to us processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications.
5. The right to data portability
We are required to transfer data from one IT system to another, such as from our nursery system to the Local Authority and funding loop. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6. The right to object
Parents, visitors and staff can object to their data being used for certain activities like marketing or research.
7. The right not to be subject to automated decision-making including profiling.
Automated decisions and profiling are used for marketing-based organisations. We do not use personal data for such purposes.
Storage and use of personal information
All paper copies of children’s and staff records are kept in the nursery office. Members of staff can have access to these files, but information taken from the files about individual children is confidential and apart from archiving, these records remain on site at all times.
Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.
We collect a large amount of personal data every year including; names and addresses of those on enquiries and waiting lists. These records are shredded or archived if the child does not attend or added to the child’s file and stored appropriately.
Information regarding families’ involvement with other agencies is stored both electronically and in paper format. The paper documents are kept in a locked filing cabinet. These records are shredded after the relevant retention period.
Upon a child leaving the nursery and moving on to school or moving to a new nursery, data held on the child may be shared with the receiving school.
We store personal data held visually in photographs or video clips or as sound recordings, unless written consent has been obtained no names are stored with images in photo albums, displays, on the website or on our social media sites.
Access to all office computers, Nursery Management system is password protected. When a member of staff leaves the company, these passwords are changed in line with this policy and our Safeguarding policy. Any portable data storage used to store personal data, e.g. USB memory stick, are password protected and/or stored in a locked filing cabinet.
GDPR means that we must;
Manage and process personal data properly
Protect the individual’s rights to privacy
Provide an individual with access to all personal information held on them.
Annex 1
| Children’s Records | Retention Period | Status | Authority |
|---|---|---|---|
| Children’s records - including registers, medication record books and accident record books pertaining to the children | A reasonable period of time after children have left the provision (e.g. until after the next Ofsted inspection) | Requirement | Statutory Framework for the Early Years Foundation Stage (given legal force by Childcare Act 2006) |
| Children’s records - including registers, medication record books and accident record books pertaining to the children | Until the child reaches the age of 21 - or until the child reaches the age of 24 for child protection records | Recommendation | Limitation Act 1980 Normal limitation rules (which mean that an individual can claim for negligently caused personal injury up to 3 years after, or deliberately caused personal injury up to 6 years after the event) are postponed until a child reaches 18 years of age |
| Records of any reportable death, injury, disease or dangerous occurrence | 3 years after the date the record was made | Requirement | The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (as amended) |
Annex 2
| Financial Records | Retention Period | Status | Authority |
|---|---|---|---|
| Accounting records | years from the end of the financial year for private companies, 6 years for public limited companies | Requirement | Statutory Framework for the Early Years Foundation Stage (given legal force by Childcare Act 2006) |
| 6 years for charities | Requirement | Charities Act 2011 |
Annex 3
| Administration Records | Retention Period | Status | Authority |
|---|---|---|---|
| Insurance certificates | 40 years from the date insurance commences or is renewed | Requirement | The Employers’ Liability (Compulsory Insurance) Regulations 1998 |
| 10 years from the date of the meeting for companies | Requirement | Companies Act 2006 | |
| Permanently | Recommendation | Chartered Institute of Personnel and Development |
