top of page

General Data Protection Regulation (GDPR)

 We now need to inform you of the data we hold on our service users, as we hold personal data about you and your child/ children. These are such as addresses, date of birth, national insurance numbers, phone numbers, medical information.  This information is kept securely both a written form in the locked office and on settings computer which is password protected. Information is only shared with others when we need to complete local authority census, funding forms, activate Tapestry accounts or in the event of a safeguarding concern.

​

General Data Protection Regulation Policy Statement

​

GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018. GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individuals data is not processed without their knowledge and are only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. We are committed to protecting the rights and freedoms of individuals with respect to the processing of children's, parents, visitors and staff personal data. The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.

​

 We are registered with the ICO (Information Commissioners Office) under registration reference: ZA045623 and has been registered since April 2014. Certificates are on display on the parent’s information boards. GDPR includes 7 rights for individuals

​

1) The right to be informed:- we are a registered Childcare provider with Ofsted and as so, is required to collect and manage certain data. We need to know parent’s names, addresses, telephone numbers, email addresses, date of birth and National Insurance numbers. We need to know children’s’ full names, addresses, date of birth and Birth Certificate number. For parents claiming the free nursery entitlement we are requested to provide this data to Isle of Wight Council; this information is sent to the Local Authority via a secure electronic file transfer system. We are required to collect certain details of visitors to our pre-schools. We need to know visitors names, and company name. This is in respect of our Health and Safety and Safeguarding Policies. As an employer we are required to hold data on its employees; names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, photographic ID such as passport and driver’s license, bank details. This information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to UKCRBs for the processing of DBS checks.

 

2) Right of access :- At any point an individual can make a request relating to their data and we will need to provide a response (within 1 month).We can refuse a request, if we have a lawful obligation to retain data i.e. from Ofsted in relation to the EYFS, but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.

 

3) The right to erasure:- you have the right to request the deletion of your data where there is no compelling reason for its continued use. However We have a legal duty to keep children’s and parents details for a reasonable time*, We  retain these records for 3 years after leaving pre-school, children's accident and injury records for 19 years (or until the child reaches 21 years), and 22 years (or until the child reaches 24 years) for Child Protection records. Staff records must be kept for 6 years after the member of leaves employment, before they can be erased. This data is archived securely offsite and shredded after the legal retention period. They will be destroyed on the premises. A copy of this Risk Assessment can be provided upon request.

 

4) The right to restrict processing Parents, visitors and staff can object to us processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications.

 

5) The right to data portability where we require data to be transferred from one IT system to another; such as from us to the Local Authority, to shared settings and to Tapestry' Online Learning Journal. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.

 

6) The right to object Parents, visitors and staff can object to their data being used for certain activities like marketing or research.

 

7) The right not to be subject to automated decision-making including profiling. Automated decisions and profiling are used for marketing based organisations. We do not use personal data for such purposes.

​

Storage and use of personal information

All paper copies of children's and staff records are kept in a locked office and a locked filing cabinet. Members of staff can have access to these files but information taken from the files about individual children is confidential and apart from archiving, these records remain on site at all times. These records are shredded after the retention period*. Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children's names, date of birth and sometimes address. These records are shredded after the relevant retention period *.  

We collect personal data every year including; names and addresses of those on the waiting list. These records are shredded if the child does not attend or added to the child’s file and stored appropriately. Information regarding families’ involvement with other agencies is stored both electronically on an external hard drive and in paper format; this information is kept in a locked office. These records are shredded/deleted after the relevant retention period*. Upon a child leaving and moving on to school or moving settings, data held on the child may be shared with the receiving school.  We hold visually in photographs or video clips or as sound recordings, unless written consent has been obtained beforehand. No names are stored with images in photo albums, displays, on the website. Access to all Office computers and Tapestry Online Learning Journal is password protected. When a member of staff leaves the company these passwords are changed in line with this policy and our Safeguarding policy. Any portable data storage used to store personal data, e.g. USB memory stick, are password protected and/or stored in a locked filing cabinet.

​

GDPR means that we must;

  • Manage and process personal data properly

  • Protect the individual’s rights to privacy

  • Provide an individual with access to all personal information held on them.

​

​

Policy review date: August 2023* please see attached Preschool Learning Alliance Retention periods for records.

next review august 2025

​

​

​

​

​

Retention of information 

https://www.pre-school.org.uk/sites/default/files/retention_periods_for_records_may_2018.pdf

​

bottom of page