Data Protection

In order to provide a quality early years and childcare service and comply with legislation, I will need to request information from parents about their child and family. Some of this will be personal data and some may be classed as special category data.

I take families’ privacy seriously, and in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), I will process any personal data according to the seven principles below:

1. I must have a lawful reason for collecting personal data, and must do it in a fair and transparent way. I will be clear about what data I am collecting, and why.

2. I must only use the data for the reason it is initially obtained. This means that I may not use a person’s data inappropriately or to market a product or service to them that is unconnected to the reasons for which they shared the data with me in the first place, unless required to do so by law.

3. I must not collect any more data than is necessary. I will only collect the data I need in order to provide appropriate childcare services and abide by relevant laws.

4. I will ensure that the data is accurate, and ask parents to check annually and confirm that the data held is still accurate.

5. I will not keep data any longer than needed. I must only keep the data for as long as is needed to complete the tasks it was collected for and in compliance with relevant laws.

6. I must protect the personal data. I am responsible for ensuring that I, and anyone else charged with using the data, processes and stores it securely.

7. I will be accountable for the data. This means that I will be able to show how I (and anyone working with me) am complying with the law.

I have registered with the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

I expect parents to keep private and confidential any sensitive information they may accidentally learn about my family, setting or the other children and families attending my setting, unless it is a child protection issue.

I will be asking parents for personal data about themselves and their child/ren in order to deliver a childcare service (see privacy notice). I am required to hold and use this personal data in order to comply with the statutory framework for the Early Years Foundation Stage, Ofsted, Department for Education and my local authority.

Subject access

Parents/carers and those with parental responsibility have the right to inspect records about their child at any time. This will be provided without delay and no later than one month after the request. Requests can be made verbally and I will ensure I have received the correct information. I may need to check the identity of the person making the request if, for example, the request was made via an unknown email address. I will ask parents to regularly check that the data is correct and update it where necessary.

Individual Rights

The GDPR provides the following rights for individuals:

1. The right to be informed

2. The right of access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision making and profiling

Storage

I will keep all paper-based records about children and their families securely locked away on the setting making sure keys are also securely stored.

If I keep records relating to individual children, families or anyone working for me, including in a digital format, such as on my computer or smartphone, externally or in cloud storage such as iCloud, Google Drive or Dropbox, including digital photos or videos, I will obtain parents’ permission. I will ensure any external or cloud based services have adequate security around the data. This also includes CCTV. I will store the information securely, for example, in password-protected files, to prevent viewing of the information by others with access to the computer or device.

Backup files will be stored on the computer which I will lock away when not being used. Firewall and virus protection software are in place.

I also store records using a digital solution Kinderly, I will ensure I have carried out due diligence to ensure they are compliant with GDPR. If I use any external providers who process data for me I will make sure they have proper contracts in place that comply with GDPR.

I have a smart doorbell, which can record images and conversations. I inform parents when the child starts at my setting about how I manage this information, and timescales for deletion of the recordings.

Information sharing

I am expected to share information with other childcare providers if a child also attends another setting.

I am also required to share information with Enfield Borough Council in regards to the childcare and early years entitlements.

In some cases I may need to share information without parents’ consent, for example, if there is a child protection concern, criminal or tax investigations, health and safety reports etc.

Ofsted may require access to my records at any time.

Record keeping

I record all accidents in Kinderly and keep records on the computer.

Because I am insured with PACEY, I will notify PACEY of any accidents which may result in an insurance claim, e.g. an accident resulting in a doctor or hospital visit. PACEY will log and acknowledge receipt of the correspondence and forward the information to the company providing my public liability insurance policy to enable a claim number to be allocated.

I will inform Ofsted ,the local child protection agency and the Health and Safety Executive of any significant injuries, accidents or deaths as soon as possible.

I record all significant incidents in Kinderly and I will share these with parents so that together we can work to resolve any issues.

I will only share information without your prior permission if it is in a child’s best interests to do so. For example, in a medical emergency I will share medical information with a healthcare professional. If I am worried about a child’s welfare I have a duty of care to follow my Safeguarding Partnership procedures and make a referral. Where possible I will discuss concerns with you before making a referral.

Safe disposal of data

I am required by law to keep some data for some time after a child has left the setting. I have a review plan in place and ensure that any data is disposed of appropriately and securely. Safe disposal of paper would be with the use of a cross cut shredder. Any IT hardware is securely disposed of.

Suspected breach

I will investigate any suspected breaches and take prompt action to correct any areas of concern. If I suspect that data has been accessed unlawfully, I will inform the relevant parties immediately and report to the Information Commissioner’s Office within 72 hours. I will keep a record of any data breach.

Last updated May 2022 BACK TO POLICIES