General Data Protection Regulation Policy Statement
GDPR stands for General Data Protection Regulation. This regulation has replaced the Data Protection Act. It was approved by the EU parliament in 2016 and came into effect on the 25th May 2018.
GDPR states that personal data should be ‘processed fairly and lawfully’, ‘collected for specified, explicit and legitimate purposes’ and that the individual’s data is not processed without their ‘explicit consent’. GDPR covers personal data relating to individuals. Meadow Pre-School is committed to protecting the rights and freedom of individuals with respect to the processing of children’s, parents’, visitors’ and staff personal data.
GDPR includes 7 rights for individuals
1. The right to be informed
Meadow Pre-School is a registered childcare provider with Ofsted and, as such, is required to collect and manage certain data. We need to know the parents’ names, addresses, telephone numbers, email address, date of birth and National Insurance number. We need to know children’s full names, addresses and date of birth. For parents claiming the free childcare entitlement, we are requested to provide this data to Medway Council; the information is sent to them using a secure, electronic file transfer system.
We are required to collect certain details of visitors to our pre-school. We need to know names, telephone numbers, addresses and company name (if applicable). This is in respect of our Health and Safety and Safeguarding policies.
As an employer, Meadow Pre-School is required to hold data on its employees: names, addresses, telephone numbers, date of birth, bank details, National Insurance numbers and photographic identification such as a passport or driving licence. This information is also required for the Disclosure and Barring Service (DBS) checks that are carried out and to check proof of eligibility to work in the United Kingdom. This information is sent via a secure file transfer system to the processor of the DBS checks.
2. The right to access
At any point, an individual can make a request relating to their data. Meadow Pre-School will need to provide a response to any request within 1 month. Meadow Pre-School can refuse a request if there is a lawful obligation to retain the data, i.e. from Ofsted, in relation to the EYFS. We will always inform the individual of the reasons for rejection. The individual has the right to complain to the ICO if they are unhappy with the decision.
3. The right to erasure
You have the right to request deletion of your data, where there is no compelling reason for its continued use. However, Meadow Pre-School has a legal duty to retain children’s and parents’ details for a reasonable amount of time. Meadow Pre-School is required by law to retain children’s and parents’ records for 3 years after the child has left the Pre-School. Accident and Injury records must be kept until the child reaches the age of 21. Child protection records must be retained until the child reaches the age of 24. Staff records must be kept for 6 years after the employment ceases. All of the data that we retain is archived securely, in a locked cupboard. It is shredded after the legal retention period.
4. The right to restrict processing
Parents, visitors and staff can object to Meadow Pre-School processing their data. This means that records can be stored, but must not be used in any way.
5. The right to share data
Meadow Pre-School requires some data to be shared with a third party, such as the Local Authority and Payroll. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6. The right to object
Parents, visitors and staff can object to their data being used for certain activities, such as marketing or research.
7. The right to not be subject to automated decision-making, including profiling
Meadow Pre-School does not use personal data for such purposes.
Storage and use of personal information
All paper copies of children’s and staff records are kept securely in a locked cupboard at the pre-school. The manager has access to all records and staff have limited access, on a need-to-know basis.
Records held on the computer are backed up on a weekly basis and can only be accessed by the ‘Data Controller’. These records are password protected.
All records are kept on-site at all times. Archived records are shredded after the retention period.
In order to fulfil their role, to supervise and support the operations of the Pre-school, the Chairperson, Treasurer, Secretary and other nominated members of the Pre-School Management Committee may also deal with confidential information, including names and addresses of parents.
All information held, both paper and digital records, will be kept confidential within the management committee and staff. In the event of any wrongful disclosure of confidential information, it will be investigated immediately.
Upon a child leaving Meadow Pre-School and moving on to school or a new setting, data held on the child may be shared with the receiving school/setting.
It is the parent’s responsibility to ensure that the information given to us in the registration forms is correct and kept up to date.
GDPR means that Meadow Pre-School must:
• Manage and process personal data properly.
• Protect the individual’s rights to privacy.
• Provide individuals with access to all personal data that is held on them.
If any person wishes to know what information we hold on them, they should speak to our Data Protection Officer.