Date written May 2018
Date of next review May 2019
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individuals data is not processed without their knowledge and are only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Blundellsands Kindergarten is committed to protecting the rights and freedoms of individuals with respect to the processing of children’s, parents, visitors and staff personal data.
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
GDPR INCLUDES 7 RIGHTS FOR INDIVIDUALS:
- The right to be informed
The kindergarten is a registered Childcare provider with Ofsted and as so, is required to collect and manage certain data. We need to know parent’s names, addresses, telephone numbers, email addresses, date of birth and National Insurance numbers. We need to know children’s’ full names, addresses, date of birth and Birth Certificate number. For parents claiming the free nursery entitlement we are requested to provide this data to the Local Authority; this information is sent to the Local Authority via a secure electronic file transfer system.
As an employer the kindergarten is required to hold data on its employees; names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, photographic ID such as passport and driver’s license, bank details. This information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to a DBS agency for the processing of DBS checks.
- The right of access
At any point an individual can make a request relating to their data and the kindergarten will need to provide a response (within 1 month). The kindergarten can refuse a request, if we have a lawful obligation to retain data i.e. from Ofsted in relation to the EYFS, but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
- The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However the kindergarten has a legal duty to keep children’s and parents details for a reasonable time*, The kindergarten retain these records for 3 years after leaving pre-school, children’s accident and injury records for 19 years (or until the child reaches 21 years), and 22 years (or until the child reaches 24 years) for Child Protection records. Staff records must be kept for 6 years after the member of staff leaves employment, before they can be erased. This data is archived securely offsite and shredded after the legal retention period. There is a full Risk Assessment in place for transportation and storage. A copy of this Risk Assessment can be provided upon request.
- The right to restrict processing
Parents, visitors and staff can object to the kindergarten processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications.
- The right to data portability
The kindergarten requires data to be transferred from one IT system to another; such as from the kindergarten to the Local Authority and to shared settings’. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6) The right to object
Parents, visitors and staff can object to their data being used for certain activities like marketing or research.
7) The right not to be subject to automated decision-making .
Automated decisions and profiling are used for marketing based organisations. The kindergarten does not use personal data for such purposes.
STORAGE AND USE OF PERSONAL INFORMATION
All paper copies of children’s and staff records are kept in a locked office in the kindergarten or in a locked filing cabinet. Members of staff can have access to these files but information taken from the files about individual children is confidential and apart from archiving, these records remain on site at all times. These records are shredded after the retention period. Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.
The kindergarten collects a large amount of personal data every year including; names and addresses of those on the waiting list. These records are shredded if the child does not attend or added to the child’s file and stored appropriately.
Information regarding families’ involvement with other agencies is stored both electronically on an external hard drive and in paper format; this information is kept in a locked office or in a locked filing cabinet. These records are shredded after the relevant retention period.
Upon a child leaving the kindergarten and moving on to school or moving settings, data held on the child may be shared with the receiving school. For children attending school outside Local Authority area the parent/carer will be given the data to deliver to the receiving school.
The kindergarten stores personal data held visually in photographs or video clips or as sound recordings, unless written consent has been obtained via the Model Release form. No names are stored with images in photo albums, displays, on the website without permission.
Access to all Office computers is password protected. When a member of staff leaves the company these passwords are changed in line with this policy and our Safeguarding policy. Any portable data storage used to store personal data, e.g. USB memory stick, are password protected and/or stored in a locked filing cabinet.
GDPR MEANS THAT THE KINDERGARTEN MUST:
Manage and process personal data properly
Protect the individual’s rights to privacy
Provide an individual with access to all personal information held on them
Who we are
Our website address is: https://blundellsandskindergarten.co.uk.
What personal data we collect and why we collect it
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.