General Data Protection Regulation (GDPR),
Privacy and Confidentiality Policy
At Little Acorns we aim to provide a quality, early years and childminding service, complying with legislation. In order to fulfil our responsibilities, we will need to request information from parents about their child and family and we know that some of this will be personal data. Personal data is data that can identify someone, such as their name, address, date of birth, national insurance number, parents age etc.
Some information may also be particularly sensitive such as health, medical or allergy information, GP’s name, a health visitor’s information, or details of possible special needs. Other relevant information, such as religious or cultural information will help us to adapt our provision or meet dietary or food rule needs. Some of this information is deemed to be Special Category Data and needs to meet 1 or more of the conditions in Article 9 in order to comply with GDPR. This will determine how this very special data may need to be processed or archived as part of our role. The specific conditions are listed in our Privacy Notice.
|
We will record some of this information as we talk together during our initial meetings with you, and we will gather it from forms that you complete for us, such as the All About Me form, or a data gathering form. We will be storing some of this information digitally and some in paper form. In addition to this we may collect data about parents, such as your National Insurance Number, and your date of birth. This information, shared with the local authority through their portal process, will enable your child to access free entitlements to contribute to the cost of childcare. Called FEET and FEE, this money will be paid to us, reducing your costs considerably.
At Little Acorns we take families’ privacy seriously, and in accordance with the General Data Protection Regulation (GDPR), we will process any personal data according to the Seven Principles below:
- We must have a lawful reason for collecting personal data; and must do it in a fair and transparent way. We will be clear about what data we are collecting, and why, and how we are storing it.
- We must only use the data for the reason it is initially obtained. This means that we may not use a person’s data to market a product or service to them that is unconnected to the reasons for which they shared the data with us in the first place.
- We must not collect any more data than is necessary. We will only collect the data we need to hold in order to do the job for which we have collected the data.
- We will ensure that the data is accurate; and ask parents to check annually and confirm that the data held is still accurate. We will update data as circumstances change.
- We will not keep data any longer than needed. We must only keep the data for as long as is needed to complete the tasks it was collected for.
- We must protect the personal data. We are responsible for ensuring that we, and anyone else charged with using the data, processes and stores it securely.
- We will be accountable for the data. This means that we will be able to show how we (and anyone working with us) are complying with the law.
We are registered with the Information Commissioner’s Office, (ICO), the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
We also expect parents to keep private and confidential any sensitive information they may accidentally learn about our family; setting or the other children and families attending our setting, unless it is a child protection issue.
We will be asking parents for personal data about themselves and their child/ren to deliver a quality, efficient and safe childcare service (see Privacy Notice). We are required to hold and use this personal data to comply with the statutory framework for the Early Years Foundation Stage, Ofsted, Department for Education and our Local Authority.
We are required to gather evidence of children’s learning through observations and notes to compile learning summaries and to help us to identify Next Steps in children’s development.
Subject access
Parents have the right to inspect records about their child at any time. This will be provided without delay and no later than 20 school days after the request, which should be made in writing.
We will ask parents to regularly check that the data is correct and update it where necessary, and to inform us if their information changes.
Parents have the right to inspect records about their child at any time. This will be provided without delay and no later than 20 school days after the request, which should be made in writing.
We will ask parents to regularly check that the data is correct and update it where necessary, and to inform us if their information changes.
Storage
We will keep all paper-based records about children and their families securely locked away in lockable document boxes or a cupboard.
If we keep records relating to individual children on the computer; externally or cloud storage such as OneDrive, including digital photos or videos, we will obtain parents’ permission. We will store the information securely in a password-protected computer which is not used by other members of the household.
Backup files will be stored on an external hard drive. Firewall and virus protection software are in place.
If in the future we store children’s learning journals using a digital solution we will carry out due diligence to ensure they are compliant with GDPR.
We will keep all paper-based records about children and their families securely locked away in lockable document boxes or a cupboard.
If we keep records relating to individual children on the computer; externally or cloud storage such as OneDrive, including digital photos or videos, we will obtain parents’ permission. We will store the information securely in a password-protected computer which is not used by other members of the household.
Backup files will be stored on an external hard drive. Firewall and virus protection software are in place.
If in the future we store children’s learning journals using a digital solution we will carry out due diligence to ensure they are compliant with GDPR.
Information sharing
We are expected to share information with other childcare providers if a child also attends another setting, or moves to an alternative setting.
We are also required to share information with the Local Authority regarding the childcare and early year’s entitlements such as FEET or FEE numbers. To access these entitlements we are required to share parents National Insurance numbers and their date of birth.
We will not share any information with anyone without parents’ consent, unless there is a child protection concern.
Ofsted may require access to owner records at any time.
We are expected to share information with other childcare providers if a child also attends another setting, or moves to an alternative setting.
We are also required to share information with the Local Authority regarding the childcare and early year’s entitlements such as FEET or FEE numbers. To access these entitlements we are required to share parents National Insurance numbers and their date of birth.
We will not share any information with anyone without parents’ consent, unless there is a child protection concern.
Ofsted may require access to owner records at any time.
Record keeping
We record all accidents in an accident book, parents receive copies of these records. We also record incidents, challenging behaviour, medication use and treatment in the same way.
We will notify Morton Michel of any accidents which may result in an insurance claim, e.g. an accident resulting in a doctor or hospital visit. Morton Michel will log and acknowledge receipt of the correspondence and forward the information to the company providing owner public liability policy to enable a claim number to be allocated.
We will inform Ofsted, the local child protection agency and the Health and Safety Executive of any significant injuries, accidents or deaths as soon as possible.
We record all significant incidents in an incident book and we will share these with parents so that we can work together to resolve any issues.
We will only share information if it is in a child’s best interests to do so. For example, in a medical emergency, we will share medical information with a healthcare professional. If we are worried about a child’s welfare we have a duty of care to follow the Local Safeguarding Children Board procedures and make a referral. Where possible and appropriate we will discuss concerns with you before making a referral.
We record all accidents in an accident book, parents receive copies of these records. We also record incidents, challenging behaviour, medication use and treatment in the same way.
We will notify Morton Michel of any accidents which may result in an insurance claim, e.g. an accident resulting in a doctor or hospital visit. Morton Michel will log and acknowledge receipt of the correspondence and forward the information to the company providing owner public liability policy to enable a claim number to be allocated.
We will inform Ofsted, the local child protection agency and the Health and Safety Executive of any significant injuries, accidents or deaths as soon as possible.
We record all significant incidents in an incident book and we will share these with parents so that we can work together to resolve any issues.
We will only share information if it is in a child’s best interests to do so. For example, in a medical emergency, we will share medical information with a healthcare professional. If we are worried about a child’s welfare we have a duty of care to follow the Local Safeguarding Children Board procedures and make a referral. Where possible and appropriate we will discuss concerns with you before making a referral.
Safe disposal of data
We are required by law to keep some data for 10 years after a child has left the setting. We have a review plan in place and ensure that any data is disposed of appropriately and securely. Once deleted from OneDrive it is permanently so.
We are required by law to keep some data for 10 years after a child has left the setting. We have a review plan in place and ensure that any data is disposed of appropriately and securely. Once deleted from OneDrive it is permanently so.
Suspected breach
If we suspect that data has been accessed unlawfully, we will inform the relevant parties immediately and report to the Information Commissioner’s Office within 72 hours. We will keep a record of any data breach.
If we suspect that data has been accessed unlawfully, we will inform the relevant parties immediately and report to the Information Commissioner’s Office within 72 hours. We will keep a record of any data breach.
Central Record
We also gather and store information about the adults working and living at the address in line with the Early Years Register and the Childcare Register. This is a collection of names, numbers, qualifications, First Aid training details and DBS numbers and renewal dates as part of our central record.
We also gather and store information about the adults working and living at the address in line with the Early Years Register and the Childcare Register. This is a collection of names, numbers, qualifications, First Aid training details and DBS numbers and renewal dates as part of our central record.
Date: Oct 2023
Signed: AOkane Date: 26.10.23
Signed: MOKane Date: 26.10.23
Signed: AOkane Date: 26.10.23
Signed: MOKane Date: 26.10.23
Little Acorns Godstone: Privacy Notice
At Little Acorns we take your privacy seriously and, in accordance with the General Data Protection Regulation, we will commit to the following:
We will be asking you for personal data about you and your child/ren to deliver a childcare service to you. We must have a legal basis for collecting this data, and there are six lawful bases:
(a) Consent:
The individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract:
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation:
The processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests:
The processing is necessary to protect someone’s life.
(e) Public task:
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests:
The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
We will be asking you for personal data about you and your child/ren to deliver a childcare service to you. We must have a legal basis for collecting this data, and there are six lawful bases:
(a) Consent:
The individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract:
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation:
The processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests:
The processing is necessary to protect someone’s life.
(e) Public task:
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests:
The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
We will be processing your data under the following bases:
- consent – e.g., to medical treatment, to take photographs, to go on trips or use sun-cream, to use non-identifiable photos on website/Facebook/newspaper/coursework, to begin to access free entitlements, through the local authority portal. etc
- contract – e.g., to provide certain food, in line with medical history or religious/cultural rule.
- legal obligation – e.g., in order to admit your child, record progress and plan for them, archive reports/SEND, accessing free childcare entitlements.
- vital interest – e.g., in order to keep your child safe.
- public interest – none
- legitimate interest – e.g., marketing, but always with consent and under the protection of our e-safety/use of images guidelines.
Where we require consent, we will provide a way for you to positively ‘make a decision’ about the information that you make available and how, if necessary, this is shared.
This information will be collected by Little Acorns Godstone as part of the child’s induction to the setting. We will be asking for this data verbally at our initial meeting and recording it on paper forms/digitally. We will also gather this information from our All About Me form. We will ask for this information at regular intervals to ensure it is up to date and accurate. We will do this by asking you to complete and return a data form.
This information will be collected by Little Acorns Godstone as part of the child’s induction to the setting. We will be asking for this data verbally at our initial meeting and recording it on paper forms/digitally. We will also gather this information from our All About Me form. We will ask for this information at regular intervals to ensure it is up to date and accurate. We will do this by asking you to complete and return a data form.
The information that we require will be:
- Child’s name
- Child’s date of birth,
- Child’s age
- Have sight of their birth certificate
- Child’s address
- Parents’ names, addresses, contact numbers, including work contacts, email address/es,
- Parents National Insurance number, and parents date of birth (to access free childcare entitlements FEET and FEE)
- Who has parental responsibility for the child
- Emergency contact names, addresses and contact numbers
- Home language
The following are classed as “special category data” and we must therefore ensure that we meet one or more of the conditions of Article 9 of GDPR as well as the legal bases above:
- Child’s doctor’s name and contact number
- Health clinic/health visitor
- Child’s NHS number
- Any allergies/medical history/ requirements
- Information about immunisations
- Whether the child has any special educational needs or disabilities
- Ethnic group
- Religion
Our conditions for processing special category data are:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
We are required to hold and use this personal data in order to comply with the statutory framework of England, Ofsted, the Department for Education, and my local authority early years team.
It will also include photographs, video, or audio recordings of the child. This data will be used to:
- support your child’s development
- monitor and report on your child’s progress
- share information about activities in our setting
- contact named people in an emergency
- share with other professionals in accordance with legislation
- ensure a contract of service is delivered and maintained
- ensure that this setting receives the statutory funding for which it is eligible.
This data may be, when necessary, shared with:
- Other professionals supporting your child, for example health visitor, pre-school, nursery, school, other health, or education professional
- My local authority through the Free Childcare and Early Education Entitlement headcount and annual Early Years Census (England)
- My local authority for the purposes of funded services that they support
- My local authority to access funded childcare entitlements (FEET and FEE)
- Ofsted
If you want to see a copy of the information we hold and share about you or your child, then please contact us.