In order to provide a quality early years and childcare service and comply with legislation, I will be asking parents for personal data about themselves and their child. I am required to hold and use this personal data in order to comply with the statutory framework for the Early Years Foundation Stage, Ofsted, Department for Education and my local authority. Some of this will be personal data and some may be classed as special category data.
I take families’ privacy seriously, and in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), I will process any personal data according to the seven principles below:
1. I must have a lawful reason for collecting personal data, and must do it in a fair and transparent way. I will be clear about what data I am collecting, and why.
2. I must only use the data for the reason it is initially obtained. This means that I may not use a person’s data inappropriately or to market a product or service to them that is unconnected to the reasons for which they shared the data with me in the first place, unless required to do so by law.
3. I must not collect any more data than is necessary. I will only collect the data I need in order to provide appropriate childcare services and abide by relevant laws.
4. I will ensure that the data is accurate, and ask parents to check annually and confirm that the data held is still accurate.
5. I will not keep data any longer than needed. I must only keep the data for as long as is needed to complete the tasks it was collected for and in compliance with relevant laws.
6. I must protect the personal data. I am responsible for ensuring that I, and anyone else charged with using the data, processes and stores it securely.
7. I will be accountable for the data. This means that I will be able to show how I (and anyone working with me) am complying with the law.
All information on children and their families is kept securely and treated in confidence. All paper records are kept confidential and secure in a high cupboard with doors which I am able to access if required for inspection by Ofsted or by a parent/carer. Electronic records are kept on my computer under a password protected file. Antivirus and firewall are installed. Parents/guardians/carers have the right to inspect all records about their child at any time.
I am registered with the Information Commissioner’s Office registration number Z6917502.
I archive my records each year and store them in a secure location in my loft for a period of 7 years. I encourage parents to inform me of any changes in the child’s information which includes new address, change in job, contact details etc.
I am expected to share information with other childcare providers if a child also attends another setting. I am also required to share information with Surrey County Council in regards to the childcare and early years entitlements. In some cases I may need to share information without parents’ consent, if there is a child protection concern, criminal or tax investigations, health and safety reports etc. Ofsted may require access to my records at any time.
I will only share information without your prior permission if it is in a child’s best interests to do so. For example in a medical emergency I will share medical information with a healthcare professional. If I am worried about a child’s welfare I have a duty of care to follow Surrey County Council procedures and make a referral. Where possible I will discuss concerns with you before making a referral.
I expect parents to keep private and confidential any sensitive information they may accidentally learn about my family, setting or the other children and families attending, unless it is a child protection issue.
The GDPR provides the following rights for individuals:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
I will investigate any suspected breaches and take prompt action to correct any areas of concern. If I suspect that data has been accessed unlawfully, I will inform the relevant parties immediately and report to the Information Commissioner’s Office within 72 hours. I will keep a record of any data breach.
Please also see my other policies particularly my Safeguarding Policy, Mobile phone camera internet and social networking policy.
Policy Written by: Ilana Hill Date: 17 January 2011 Reviewed and updated: Annually or as required