Statement of Intent
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018. GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, and that individuals’ data is not processed without their knowledge and is only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Bloomers Day Nurseries Limited is committed to protecting the rights and freedoms of individuals with respect to the processing of children’s, parents’, visitors’ and staff’s personal data. The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. Bloomers Day Nurseries Limited is registered with the ICO (Information Commissioner’s Office).
GDPR includes 7 rights for individuals:
1) The right to be informed
2) The right of access
At any point an individual can make a request relating to their data and Bloomers Day Nurseries Limited will need to provide a response (within 1 month). Bloomers Day Nurseries Limited can refuse a request if we have a lawful obligation to retain data, i.e. from Ofsted in relation to the EYFS, but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
3) The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, Bloomers Day Nurseries Limited has a legal duty to keep children’s and parents’ details for a reasonable time*. Bloomers Day Nurseries Limited retains these records for 3 years after leaving pre-school, children’s accident and injury records for 19 years (or until the child reaches 21 years), and Child Protection records for 22 years (or until the child reaches 24 years). Staff records must be kept for 6 years after the member leaves employment, before they can be erased. This data is archived securely offsite and shredded after the legal retention period. There is a full Risk Assessment in place for transportation and storage. A copy of this Risk Assessment can be provided upon request.
4) The right to restrict processing
Parents, visitors and staff can object to Bloomers Day Nurseries Limited processing their data. This means that records can be stored but must not be used in any way, for example, for reports or for communications.
5) The right to data portability
Bloomers Day Nurseries Limited requires data to be transferred from one IT system to another, such as from Bloomers Day Nurseries Limited to the Local Authority, to shared settings and to Tapestry Online Learning Journal. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6) The right to object
Parents, visitors and staff can object to their data being used for certain activities like marketing or research.
7) The right not to be subject to automated decision-making including profiling.
Automated decisions and profiling are used for marketing. Bloomers Day Nurseries Limited does not use personal data for such purposes.
Storage and use of personal information
All paper copies of children’s and staff records are kept in a locked office and a locked filing cabinet at the nursery. Members of staff can have access to these files, but information taken from the files about individual children is confidential. These records remain on site at all times and are also archived on site. These records are shredded after the retention period. Information about individual children is used in certain documents, such as a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.
Bloomers Day Nurseries Limited collects a large amount of personal data every year, including names and addresses of those on the viewing list. These records are shredded if the child does not attend, or added to the child’s file and stored appropriately.
Information regarding families’ involvement with other agencies is stored both electronically on an external hard drive and in paper format. This information is kept in a locked office and in a locked filing cabinet. These records are shredded after the relevant retention period.
Upon a child leaving Bloomers Day Nurseries Limited and moving on to school, data held on the child may be shared with the receiving school. Such information will be sent via post or via a secure file transfer system, or handed in person to the parent/carer. For children attending school outside Hackney borough, the parent/carer will be given the data to deliver to the receiving school.
Bloomers Day Nurseries Limited stores personal data held visually in photographs or video clips or as sound recordings (written consent would have been obtained via the registration form). No names are stored with images in photo albums, displays, on the website or on the Hackney Learning Trust website.
Access to all office computers and Tapestry Online Learning Journal is password protected. When a member of staff leaves the company, these passwords are changed in line with this policy and our Safeguarding policy. Any portable data storage used to store personal data, e.g. a USB memory stick, is password protected and/or stored in a locked filing cabinet.
GDPR means that Bloomers Day Nurseries Limited must:
• Manage and process personal data properly
• Protect the individual’s rights to privacy
• Provide an individual with access to all personal information held on them
Personal information will be stored in one of two ways: in paper form or on the computer in a password-secured file. All paper copies of personal information are stored in a locked cupboard in the office, with access limited to staff in the management team and parents on request. Permission to store information on the computer will be sought from parents or staff during registration through the contracts. All computers are password protected and information is also stored in password-protected files within the computers. Computers in the office are only accessed by the management team; if they are used by another member of the team, personal files are not accessible to them. In line with the updated data protection policy, staff have 28 days to provide information on request from a parent or carer.
Personal information that is stored will include:
* Children’s and parents’ details such as name, address, date of birth, phone numbers, medical information and bank details.
* Staff details such as name, address, medical information, bank details, criminal records, insurance numbers and qualifications.
* Accident forms, incident records, restraint records, administration of medication records.
* Child protection records.
Information Commissioner’s Office
The Data Protection Act 1998 requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt. Failure to do so is a criminal offence. The role of the ICO is to uphold information rights in the public interest and to improve the information rights practices of organisations by gathering and dealing with concerns raised by members of the public. The ICO has set out a commitment to increase the consumer trust that people have in what happens to their personal data. The Commissioner has also demonstrated a focus on the essential role data protection can play in innovation, and the importance of organisations understanding the growing impetus on companies to be accountable for what they do with personal data. This forms a central part of the new General Data Protection Regulation, which comes into force in May 2018.
Data Protection Officer
A data protection officer (DPO) is a security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategies and implementations to ensure compliance with GDPR requirements. When the GDPR becomes effective in May 2018, the data protection officer becomes a mandatory role under Article 37 for all companies that collect or process personal data in the EU. The DPO’s responsibilities include, but are not limited to, educating the company and its employees on the important compliance requirements and conducting regular security audits. They are also the point of contact between the company and GDPR supervisory authorities. The DPO will need to ensure they have informed parents, carers and staff on how their data is being stored and their rights to any of it being erased at any point.
Bloomers Day Nurseries Limited’s Designated Data Controller:
Miss Desreen Shakes
Policy Date: 14th of May 2018