General Data Protection Regulation Policy
GDPR stands for General Data Protection Regulation and replaces previous Data Protection directives (Data Protection Act 1998). It was approved by the EU Parliament in 2016 and is effective as of 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, and that an individual’s data is not processed without their knowledge and is only processed with their ‘explicit’ consent (where it is not required either contractually or legally).
Dorothy Stringer Playgroup and GDPR
GDPR covers personal data relating to individuals. As a childcare provider Dorothy Stringer Playgroup is committed to protecting the rights and freedoms of individuals with respect to processing the personal data of children, parents, visitors and staff.
This document sets out Dorothy Stringer Playgroup’s GDPR policy including information on data sharing, data security and data breach protocol.
This policy document has been prepared with due regard and consideration for the Information Commissioner’s Office (ICO) at:
Dorothy Stringer Playgroup is registered with the ICO under registration reference: ZA076720 and has been registered since 19th September 2014. The certificate is on display on our notice boards inside the main entrance.
Dorothy Stringer Playgroup is a ‘Data Controller’ – A controller determines the purposes and means of processing personal data. (A processor is responsible for processing personal data on behalf of a controller.)
Responsibility for Dorothy Stringer Playgroup’s GDPR policy and data compliance is shared by the Management Team and Committee Members. No specific Data Protection Officer has been appointed, since this is not a requirement for Dorothy Stringer Playgroup.
GDPR is designed to protect personal data
GDPR is designed to protect individual rights in the following way:
- The right to be informed
Parents need to be informed what data we are collecting, what we do with it and who it is shared with. Dorothy Stringer Playgroup has a legal and contractual right to collect and process certain types of data. For the collection or processing of any other types of data, such as photographs, we will seek active consent and also provide a suitable and accessible method for withdrawal of consent.
- The right of access
Parents can request access to their own data at any time.
- The right to rectification
Personal data must be rectified if it is incorrect or incomplete.
- The right to erasure
Parents can request the deletion of their data where there is no compelling reason for its continued use. As a nursery we have guidelines on how long we need to retain certain records.
- The right not to be subject to automated decision-making including profiling.
Dorothy Stringer Playgroup does not use this type of process.
- The right to restrict processing
Parents can object to the processing of their data, meaning their records can be stored but must not be used in any way other than mentioned above.
- The right to object
Parents can object to their data being used for activities such as external marketing. Dorothy Stringer Playgroup does not pass on your data to a third party for marketing purposes.
At any point a parent can make a request relating to their data and we will provide a response (within 1 month). If we have a lawful obligation to retain data (from Ofsted or the EYFS), we could refuse but we will inform you of the reasons for the rejection.
Individuals also have the right to lodge a complaint with the ICO. Full information about this is available at https://ico.org.uk/concerns/handling/
We only share information about our children and parents with those organisations with which we have a legal requirement to share data, or with other organisations that allow us to run our business in a safe, efficient and suitable manner.
Information is shared by Dorothy Stringer Playgroup with the following organisations:
- Tapestry Online Learning Journal – https://tapestry.info/gdpr
- Local Education Authorities for obligations relating to Early Years funding
These organisations are also registered with the ICO.
Paper copies of children’s and staff records are kept in a secure location at the Dorothy Stringer Playgroup. Members of staff can have access to these files but information taken from the files about individual children is confidential. Apart from archiving, these records remain on site at all times. These records are shredded after the retention period.
The Dorothy Stringer Playgroup data archive is kept at a secure location at Dorothy Stringer Playgroup.
Information about individual children is used in certain documents, such as a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.
Dorothy Stringer Playgroup collects a large amount of personal data every year including names and addresses of those on waiting lists. These records are shredded if the child does not attend or added to the child’s file and stored appropriately if they do attend.
Upon a child leaving Dorothy Stringer Playgroup and moving on to school or moving to another childcare setting, data held on the child may be shared with the receiving school or setting. Such information would be sent via post or email. This would be coordinated between the settings.
Dorothy Stringer Playgroup has a separate process for collecting personal data held visually in the form of photographs or video clips or sound recordings. Positive consent for the collection of this kind of data will be sought for children from their respective parent or guardian. Parents will also have the ability to easily withdraw their consent for this kind of data.
Access to all Dorothy Stringer Playgroup Office computers and other software accounts including email is password protected.
When a member of staff leaves the company these passwords are changed in line with this policy and our Safeguarding policy.
Any portable data storage used to store personal data, e.g. USB memory sticks and external hard drives, is password protected and/or stored in secure locations.
We hold information in our archive for the following amount of time, as per legal requirements:
- Staff Files: 7 years
- Records of complaints: 5 years
- Accident and incident forms: 3 years
- Children’s Information (incl. medical): 3 years
- Attendance Registers: 3 years
- Staff and Child sign-in registers: 3 months
Data Breach Protocol
As per GDPR requirements, data breach notification to the ICO is mandatory.
If any kind of data breach were to occur, Dorothy Stringer Playgroup staff are required to:
- Report certain types of personal data breach to the relevant supervisory authority (ICO). This must be done within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, inform those individuals without undue delay.
- Ensure we have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals.
- Keep records of any personal data breaches, regardless of whether you are required to notify.