Data Protection Act 1998, EU General Data Protection Regulations 2018
What information do we collect and hold about you and your child? How is this used?
Nannas Day Nurseries collect, hold and use personal information about you and your child in order for us to care for them effectively, communicate appropriately, access funding and support your child’s learning and development. For a full list of the information we hold please refer to the attached Information Audit.
Do we share your information?
By law and in order to adhere to contractual purposes we have a duty to share some of this information with our Local Authority, the DFE (department for education) and HMRC. This may include: full name and address, DOB, ethnic group, particular additional needs and National Insurance numbers. For full details on these agencies Privacy Notices, please visit their website directly.
Can you access your data? How is this stored?
Yes. You are able to access (and update when required) the data we hold on you and your child. Your data is securely stored on site and on our computer systems which have separate off-site back ups and servers. Children are able to access their own data at the age of 16. We have 1 month to comply with and/or respond your request.
What are your rights?
You have the right to: object to personal data being processed and shared; have records amended; and have records deleted, provided this doesn’t breach our other responsibilities (for example Safeguarding Children).
How long do we hold information on you and your child?
When a child leaves our setting we pass on their developmental records to you – the parent. Other information such as your child’s contract and accident records are stored off site in a secure storage unit until the child reaches the age of 24 years (this is normally 20 years after they have left the setting).
How is your data deleted?
Hard copies of personal data are shredded when your child reaches the age of 24 years. Digital copies are deleted from all sources when your child reaches the age of 24 years. You have the right to have your records amended or deleted provided this doesn’t breach our other responsibilities (for example Safeguarding Children). We have 1 month to comply with and/or respond to such a request.
Who is Nannas Day Nurseries Data Protection Officer?
Our DPO is the Company’s Operational Area Manager. Please feel free to contact them with your queries: firstname.lastname@example.org
The ICO – Information Commissioning Officer
Nannas Day Nurseries are required to report any personal data breach to the ICO – Information Commissioning Officer.
You are also able to contact the ICO if you think there is a problem with the way we are handling your data. Visit the ICO website www.ico.org.uk
(See also Nannas Day Nurseries Information Sharing policy)
Updated: March 2018
GDPR Rights for Individuals
- The right to be informed– we must inform all parents, children and employees what information we hold on them.
- The right of access- individuals have the right to access their personal data and gain confirmation that their data is being processed appropriately. Nannas Day Nurseries will provide a copy of information free of charge. However, we reserve the right to charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information. Information will be provided without delay and within one month of receipt. Where requests are complex or numerous we may extend the period of compliance by a further two months. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary. Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority. Nannas Day Nurseries will verify the identity of the person making the request, using ‘reasonable means’.
- The right to rectification - Individuals are entitled to have their personal data rectified if it is inaccurate or incomplete within one month of the request. If Nannas Day Nurseries has disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. Where rectification is complex, Nannas Day Nurseries can extend this request by two months. Where we are not taking action in response to a request for rectification, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.
- The right to erasure - The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased: where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed; when the individual withdraws consent; when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing; when the personal data was unlawfully processed (ie otherwise in breach of the GDPR); where the personal data has to be erased in order to comply with a legal obligation; where the personal data is processed in relation to the offer of information society services to a child. Nannas Day Nurseries can refuse to comply with a request for erasure where the personal data is processed for the following reasons: to exercise the right of freedom of expression and information; to comply with a legal obligation for the performance of a public interest task or exercise of official authority; for public health purposes in the public interest; archiving purposes in the public interest, scientific research historical research or statistical purposes; or the exercise or defence of legal claims. As Nannas Day Nurseries processes personal data of children we pay special attention to existing situations where a child has given consent to processing and they later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent. If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort.
- The right to restrict processing - Nannas Day Nurseries are required to restrict the processing of personal data in the following circumstances: where an individual contests the accuracy of the personal data, we will restrict the processing until we have verified the accuracy of the personal data; where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests) and we are considering whether our organisation’s legitimate grounds override those of the individual; when processing is unlawful and the individual opposes erasure and requests restriction instead; if we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim. Nannas Day Nurseries may need to review procedures to ensure that we are able to determine where we may be required to restrict the processing of personal data. If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction on the processing of the personal data - unless this proves impossible or involves disproportionate effort. Nannas Day Nurseries will inform individuals when we decide to lift a restriction on processing.
- The right to data portability - The right to data portability only applies: to personal data an individual has provided to a controller; where the processing is based on the individual’s consent or for the performance of a contract; and when processing is carried out by automated means. Nannas Day Nurseries will provide personal data in a structured, commonly used and machine readable form. Open formats include CSV files. This enables other organisations to use the data. The information will be provided free of charge. If the individual requests it, we may be required to transmit the data directly to another organisation if this is technically feasible. However, Nannas Day Nurseries are not required to adopt or maintain processing systems that are technically compatible with other organisations. If the personal data concerns more than one individual, we will consider whether providing the information would prejudice the rights of any other individual. We will respond without undue delay, and within one month. This can be extended by two months where the request is complex or we receive a number of requests. Nannas Day Nurseries will inform the individual within one month of the receipt of the request and explain why the extension is necessary. Where we are not taking action in response to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority.
- The right to object - Individuals have the right to object to their personal data being processed. Nannas Day Nurseries will stop processing the personal data unless: we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims. We will inform individuals of their right to object in our privacy notice. We will stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse. We will also offer a way for individuals to object to material shared online.
- Rights in relation to automated decision making and profiling – The GDPR requires Nannas Day Nurseries to give individuals specific information about automated individual decision-making and profiling. Automated individual decision-making is a decision made by automated means without any human involvement – this is not something which Nannas Day Nurseries practices.
Statement of Intent:
- Nannas Day Nurseries will comply with all the requirements of the GDPR, not just those specifically relating to children.
- We obtain parental consent to the processing for children who are under the age of 13
- We design our processing with children in mind from the outset, and use a data protection by design and by default approach.
- We make sure that our processing is fair and complies with the data protection principles.
- As a matter of good practice, we may use DPIA’s (Data Protection Impact Assessments) to help us assess and mitigate the risks to children. If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA.
- As a matter of good practice, we consult with children as appropriate when designing our processing.
- We regularly review available age verification and parental responsibility verification mechanisms to ensure we are using appropriate current technology to reduce risk in the processing of children’s personal data.
- We do not use personal data for solely automated decision making purposes (including profiling).
Breach of personal data:
Where Nannas Day Nurseries or an individual believes there has been a data protection breach we have a duty to report this to the ICO, investigate this breach and take appropriate action to rectify the breach, notifying individuals involved where possible. Any breach can be reported by visiting www.ico.org.uk
Updated: March 2018