Whitehill Childcare Services Ltd is required to collect, process and retain certain types of information in order to comply with the relevant legislation pertaining to our business. This policy relates to the protection of Personally Identifiable Data (herein referred to as personal data), that is any piece of data that could identify an individual such as their name, address, date of birth, telephone number, parent’s names, email address.
This personal data must be handled in an appropriate manner, whether in paper form or online, to protect the privacy for those which it concerns.
Whitehill Childcare Services Ltd regards the lawful and correct treatment of personal data of paramount importance. All individuals associated with our setting, children, parents, staff, students and volunteers, have a right to expect that their personal data is treated lawfully and respectfully. To ensure this we adhere to the principles of the General Data Protection Regulations (GDPR) 2018 and subsequent UK guidelines for the collection and processing of personal data.
The GDPR principles (Article 5) requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition Article 5 (2) requires that:
- The controller shall be responsible for, and be able to demonstrate, compliance with the principles
(Source: The Information Commissioner’s Office)
- We are registered with the Information Commissioner’s Office (ICO) – registration number Z7891546
- We have appointed Nehal Vara as the Data Protection Lead for our setting. Their responsibilities include the provision of privacy statements, updating this (and related) policies on an annual basis, undertaking an annual audit of our data protection systems and processes, monitoring staff with regards to appropriate handling of data and ensuring systems are in place to maintain the accuracy of the data we hold.
- We will provide privacy notices to parents staff, students and volunteers that detail how we:
- Meet the GDPR regarding the collection of their personal data;
- Fulfil our obligations to specify our lawful basis for processing their data and the purposes for which it will be used;
- Collect and process only appropriate data that is required to fulfil the operational needs of the business and to comply with legislation;
- Ensure the quality of the data used and that it is timely, accurate and kept up to date;
- Ensure those associated with our setting are fully communicated to regarding their right to be informed that data collection and processing is undertaken, to their right of access to their personal information, their right to withdraw consent (where given) and their right to be forgotten and to correct, rectify, block or erase inaccurate data;
- Set out transparent procedures for responding to requests for information;
- Share information, and with whom we may share and the circumstances for doing so; and
- Store both current and historical data.
- Staff receive training in our processes for handling personal data.
- Staff are appropriately supervised when handling personal data.
- Breaches of data protection by staff may lead to disciplinary action being taken by our setting.
- A data audit is carried out annually by the Data Protection Lead for the purposes of identifying that data held, our lawful basis for processing, the systems and processes in place to ensure the accuracy of the data and the identified retention periods of historical data.
- Data Sharing Agreements are in place with organisations with whom we collect and share personal data (See our Privacy Notice for specific information)
- Organisations who process data on our behalf provide a Data Sharing Contract/Policy detailing how they protect the data provided. These are available to parents, staff, students and volunteers upon request.
- Our email systems are encrypted to prevent unauthorised access to any data shared by this means (see our Acceptable Internet Use Policy)
- Are IT systems and electronic devices are password protected to prevent unauthorised contact (see our Acceptable Internet Use Policy)
- Parents, staff, students and volunteers within our setting have a right to know that the data shared with us will be regarded as confidential, as well as to be informed of the circumstances when, and the reasons why, we may be obliged to share information either with or without consent.
- We are obliged to share information without authorisation from the person who provided it, or to whom it relates, when:
- There is evidence that a child is suffering, or is at risk or suffering, significant harm;
- There is reasonable cause to suspect that a child may be suffering, or is at risk of suffering, significant harm;
- It is to prevent a crime from being committed or to intervene where one may have been; and/or
- Not sharing the information could be worse than the outcome of having shared it.
- Parents, staff, students and volunteers have a right to access their personal data and request that any inaccurate data is rectified and/or deleted. All such requests to access the information held on an individual should be made, in writing, to the Data Protection Lead.
- If parents, staff, students or volunteers have concerns relating to the way your personal data is handled this should be raised in the first instance with the Data Protection Lead for our setting.
- If you are still dissatisfied after raising your concern you make a complaint to the Information Commissioner’s Office (ICO) by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or via their website ico.org.uk
This policy was first adopted: 22/05/2018
Date for review: 22/05/2019