GDPR stands for General Data Protection Regulation. This regulation has replaced the Data Protection Act. It was proved by the EU parliament in 2016 and came in to effect on the 25th May 2018.
GDPR states that personal data should be ‘processed fairly and lawfully’, ‘collected for specified, explicit and legitimate purposes’ and that the individual’s data is not processed without their ‘explicit consent’. GDPR covers personal data relating to individuals. Dragonfly is committed to protecting the rights and freedom of individuals with respect to the processing of children’s, parents, visitors and staff personal data.
GDPR includes 7 rights for individuals
1. The right to be informed
Dragonfly is a registered childcare provider with Ofsted and as so, is required to collect and manage certain data. We need to know the parents names, addresses, telephone numbers, email address, date of birth and National Insurance number. We need to know children’s full names, addresses and date of birth. For parent’s claiming the free childcare entitlement, we are requested to provide this data to Surrey County Council; the information is sent to them using a secure, electronic file transfer system.
We are required to collect certain details of visitors to our pre-school. We need to know names, telephone numbers, addresses and company name (if applicable). This is in respect of our Health and Safety and Safeguarding policies.
As an employer, Dragonfly is required to hold data on its employees; names, addresses, telephone numbers, date of birth, bank details, National Insurance numbers and photographic identification such as a passport or driving license. This information is also required for the Disclosure and Barring Service checks (DBS) that are carried out and to check proof of eligibility to work in the United Kingdom. This information is sent via a secure file transfer system, to the processor of the DBS checks.
Dragonfly uses cookies on its website, to collect data for Google Analytics. This data is anonymous.
2. The right to access
At any point, an individual can make a request relating to their data Dragonfly will need to provide a response to any requests, within 1 month. Dragonfly can refuse a request, if there is a lawful obligation to retain the data i.e. from Ofsted, in relation to the EYFS. We will always inform the individual of the reasons for rejection. The individual has the right to complain to the ICO if they re unhappy with the decision.
3. The right to erasure
You have the right to request deletion of your data, where there is no compelling reason for its continued use. However, Dragonfly has a legal duty to retain children and parents details for a reasonable amount of time. Dragonfly is required by law, to retain children and parents records for 3 years after the child has left the Pre-School. Accident and Injury records must be kept until the child reaches the age of 21. Child protection records must be retained until the child reaches the age of 24. Staff records must be kept for 6 years after the employment ceases. All of the data that we retain is archived securely, in a locked cupboard. It is shredded after the legal retention period.
4. The right to restrict processing
Parents, visitors and staff can object to Dragonfly processing their data. This means that records can be stored, but must not be used in any way.
5. The right to share data
Dragonfly requires some data to be shared with a third party, such as; the Local Authority and Payroll. These recipients use secure, file transfer systems and have their own policies and procedures in place, in relation to GDPR.
6. The right to object
Parents, visitors and staff can object to their data being used for certain activities, such as; marketing or research.
7. The right to not be subject to automated decision-making, including profiling
Dragonfly does not use personal data for such purposes.
Storage and use of personal information
All paper copies of children and staff records are kept securely in a locked cupboard at the pre-school. The manager has access to all records and staff has limited access, on a need to know basis.
Records held on the computer, are backed up on a weekly basis and can only be accessed by the ‘Data Controller’. These records are password protected.
All records are kept on site at all times. Archived records are shredded after the retention period.
In order to fulfil their role, to supervise and support the operations of the Pre-school, the Chairperson, Treasurer, Secretary and other nominated members of the Pre-School Management Committee may also deal with confidential information, including names and addresses of parents.
All information held, both paper and digital records will be kept confidential within the management committee and staff. In the event of there being any wrongful disclosures of confidential information, it will be investigated immediately.
Upon a child leaving Dragonfly and moving on to school or a new setting, data held on the child may be shared with the receiving school/setting. Such information will be sent via the Surrey County Council internal post service or via a secure file transfer system. For children attending a school/setting outside of Surrey, the data will be given to the parent to deliver to the receiving school/setting.
It is the parent’s responsibility to ensure that the information given to us in the registration forms, are correct and kept up to date.
GDPR means that Dragonfly must:
• Manage and process personal data properly.
• Protect the individual’s rights to privacy.
• Provide individuals with access to all personal data that is held on them.
If any person wishes to know what information we hold on them, they should speak to our Data Protection Officer- Kate Sugg
This Policy has been agreed by the Dragonfly Committee
Signed by Pre-School Manger
Signed on behalf of the Management Committee
This Policy was adopted in June 2021
Please view the ‘Retention periods for records’ policy.
Dragonfly Preschool Privacy Notice
Dragonfly Preschool 51-53 Parkside Place Staines Middlesex TW182QR
Telephone Number: 07724305581 Email: dragonflypreschoolltd@gmail.co.uk
Name of Data Protection Officer: Kate Sugg
Dragonfly are committed to ensuring that any personal data we hold about you and your child is protected in accordance with Data Protection Laws and is used in line with your expectations. This privacy notice explains what personal data we collect, why we collect it, how we use it and how we protect it.
Why do we collect your personal data?
We collect personal data about you and your child for the following reasons:
• To provide childcare services and fulfil the contractual agreement you have entered in to.
• So we are able to contact you in case of an emergency.
• To support your child’s wellbeing and development.
• To manage any special educational, health or medical needs whilst at our setting.
• To carry out regular assessments of your child’s progress and to identify any areas of concern.
• To maintain contact with you about your child’s progress and respond to any questions you may have.
• To process your claim for up to 30 hours free childcare (only where applicable).
• To keep you update with information about our service.
What personal data do we collect?
We collect personal data about you and your child to provide care and learning that is tailored to meet your child’s individual needs. We also collect information in order to verify your eligibility for free childcare, as applicable.
Personal data we hold about your child includes:
• Name, date of birth, address, health and medical needs, development needs, special educational needs, child protection plans from social services (if applicable), health care plans from health professionals (if applicable), details of who has parental responsibility for the child and any court orders pertaining to the child (if applicable).
Personal data that we hold about you includes:
• Name, home and work address, telephone numbers, emergency contact details and family details. This information will be collected from you directly, in the registration form.
• If you apply for up to 30 hours free childcare, we will also collect your National Insurance number or if you are self-employed, your Unique Taxpayer Reference (UTR). We may also collect information regarding benefits and family credits that you are in receipt of.
Who do we share your data with?
In order for us to deliver childcare services, we will share your data as required, with the following:
• Ofsted- during an inspection or following a complaint about our service.
• Banking services to process chip and pin or direct debit payments (if applicable).
• The Local Authority, when a claim for up to 30 hours free childcare is made.
• The Governments eligibility checker (as above).
• Our insurance underwriter (if applicable).
• Our software management provider (if applicable).
• The school that your child will be attending.
We will also share data if:
• We are legally required to do so, for example, by law, by a court, or the Charity Commission.
• To enforce or apply the terms and conditions of your contract with us.
• To protect your child and other children, for example, by sharing information with Social Services or the Police.
• It is necessary to protect our rights, property or safety.
• We transfer the management of the setting, in which case we may disclose your personal data to the prospective buyer, so they are able to continue the service.
We will not share information about you, with any third parties without your consent, unless the law allows us to.
We will never share your personal data with any other organisation, to use for their own purposes.
How long do we retain your data?
We are required by law, to retain your child’s personal data for up to 3 years after your child has left our setting, or until the next Ofsted inspection after your child has left. Medication and accident records are kept for longer, according to legal requirements. Your child’s learning and development records are maintained by us and handed to you when your child leaves the setting.
In some instances (child protection or other support service referrals), we are obliged to keep your data for longer, if it is necessary to comply with legal requirements.
Automated decision making
We do not make any decisions about your child, based solely on automated decision making.
How do we protect your data?
We protect unauthorised access to your personal data and prevent it from being lost, accidentally destroyed, misused or disclosed by:
• Keeping files in a secure, locked cupboard.
• Digital files are all password protected.
Your rights with respect to your data
With regards to personal data we hold, you have the right to:
• Request access to the personal data we hold.
• Object to processing of personal data that is likely to cause, or is causing, damage or distress.
• Prevent processing for direct marketing purposes.
• Have inaccurate personal data rectified, blocked, erased or destroyed.
• Claim compensation for damages caused by a breach of the General Data Protection Regulations.
• Object to us making any automated decisions about your data.
• Request that we transfer yours and your child’s personal data to another person.
If you wish to exercise any of these rights at any time or if you have any questions, comments or concerns about this privacy notice, or how we handle your data, please contact Kate Sugg. If you continue to have concerns about the way we handle your data and remain dissatisfied after speaking with us, you have the right to complain to the Information Commissioner Office (ICO). The ICO can be contacted at Information Commissioner Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or ico.org.uk
Changes to this privacy notice
This privacy notice will be under regular review. You will be notified of any changes, where appropriate