Privacy and Cookies Policy
GDPR stands for General Data Protection Regulation and replaces previous Data Protection directives (Data Protection Act 1998). GDPR gives individuals greater control over their own personal data. As a Childcare business, it is necessary for us to collect personal information about the children who attend as well as staff and parents/carers.
Wise Owls Childcare and GDPR
GDPR covers personal data relating to individuals. As a childcare provider, Wise Owls Childcare is committed to protecting the rights and freedoms of individuals with respect to processing the personal data of children, parents, visitors and staff.
This document sets out Wise Owls Childcare’s GDPR policy including information on data sharing, data security and data breach protocol.
Since 2009 we have been registered as a Data Controller with the Information Commissioner's Office (ICO number Z1961923) and have a Cyber Security procedure which all employees follow.
Responsibility for Wise Owls Childcare’s GDPR policy and data compliance is shared by Senior Managers at Wise Owls Head Office.
GDPR is designed to protect personal data
GDPR is designed to protect individual rights in the following way:
The right to be informed
Wise Owls Childcare is registered with Ofsted and the Local Authority and consequently, is required to collect and manage certain data, such as:
Parent’s/Carer’s name, date of birth, address, telephone number, email address, bank details.
We need to know children’s’ full names, addresses and date of birth, plus other information relating to their health and well-being.
For parents claiming the free nursery entitlement we are requested to provide this data to the Local Authority; this information is sent to the Local Authority via a secure electronic file transfer system.
We are required to collect certain details of visitors to our nursery. We need to know visits names, telephone numbers, addresses and where appropriate company name. This is in respect of our Health and Safety and Safeguarding Policies.
As an employer we are required to hold data on our employees; names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, photographic ID such as passport and driver’s license, bank details.
Information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to our provider for the processing of DBS checks.
The right of access
At any point an individual can make a request relating to their data and we will need to provide a response (within 1 month). We can refuse a request, if we have a lawful obligation to retain data i.e. from Ofsted in relation to the EYFS, but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
Parents can view their data and their child’s data in the secure ParentZone app. Parents can amend their personal data including their name, home address and phone number directly through the ParentZone app. Any changes to a child’s record can me requested by emailing firstname.lastname@example.org
The Right of Erasure or Deletion
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, Wise Owls Childcare has a legal duty to keep children’s and parents’ details for 3 years. This data is archived securely and shredded after the legal retention period.
At any point a parent can make a request relating to their data and we will provide a response (within 1 month). If we have a lawful obligation to retain data (from Ofsted or the EYFS), we could refuse but we will inform you of the reasons for the rejection.
Staff data we hold for 6 years, also any serious incidents, accidents, social services or legal matters are kept on record for 21 years. Any office employee’s working from home will ensure no data is left unattended and data is held on a computer with a secure password.
The Right to Restrict Processing
Parents, visitors and staff can object to Wise Owls Childcare processing their data. This means that records can be stored but must not be used in any way. If the restriction does not enable us to perform our childcare service, we will consult with the parent/carer to find an acceptable solution. If none can be found then the childcare service may need to be discontinued.
The Right to Object
Parents, visitors and staff can object to their data being used for certain activities like marketing or research.
The right to Data Portability
Wise Owls Childcare requires data to be transferred from one IT system to another; such as from Wise Owls Childcare to the Local Authority and to Connect Childcare, ParentZone and iConnect. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
The Right Not to be Subject to Profiling or Automated Decisions
Automated decisions and profiling are used in marketing based organisations. Wise Owls Childcare does not use or share personal data for such purposes.
We only share information about our children and parents with those organisations with which we have a legal requirement to share data or other organisations, which allow us to run our business in a safe, efficient and suitable manner.
Information is shared by Wise Owls Childcare with the following organisations:
- Connect Childcare – https://www.connectchildcare.com/wpcontent/uploads/2018/04/Connect-Childcare-GDPR-Security-Processes.pdf
We will not normally share personal data with anyone else, but may do so where:
- There is an issue with a child or parent/ carer that puts the safety of our staff at risk.
- We need to liaise with other agencies – we will seek consent as necessary before doing this.
- Our suppliers or contractors need data to enable us to provide services to us – for example, IT companies. When doing this, we will only appoint suppliers or contractors which can provide sufficient guarantees that they comply with data protection law.
We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:
- The prevention or detection of crime and/or fraud.
- The apprehension or prosecution of offenders.
- The assessment or collection of tax owed to HMRC.
- In connection with legal proceedings.
- Where the disclosure is required to satisfy our safeguarding obligations.
For the majority of data we collect, the lawful basis for doing so falls under the category of ‘legal obligation’ such as names, date of birth and addresses as we have a legal requirement to obtain this data as part of the Statutory Framework for the Early Years Foundation Stage.
Some data we collect, for example, photographs, requires parents to give consent for us to do so. Where this is the case, parents will be required to provide consent to ‘opt in’ and are made aware that they have the right to withdraw their consent at any time.
We may also be required to collect data as part of a parent’s contract with the setting or local authority, for example, for us to claim government funding.
The information that our website requests in the registration process is necessary for us to comply with legislation and to promote a secure environment for the children in our care. Our database Connect Childcare obtains and stores your personal data and we use your personal data to enable us to care for your child safely. We use the data to communicate with Parents and Carers. We use data to advertise and market our settings to every registered client.
We make sure that this data is kept secure when we receive it. Data is stored on our secure database and any data that is sent to our settings in hard copy is stored within a locked box in a locked cupboard in a locked setting. This data needs to be on site to enable staff to care for the children and contact parents if needed. We also give a guarantee that this information will not be knowingly passed on to third parties or used for any purpose other than the management of Wise Owls Childcare activities.
The Wise Owls Club website makes use of one cookie which is a part of the Google Analytics suite. It enables Wise Owls to monitor the number of visits to the site and the way that it is used.
This will help us to improve the service that we offer. No personal information is recorded in this process.
Some of the cookies on our website, social media sites and Mailchimp collect data for more than one use. We will only use strictly necessary cookies for their essential purposes unless you have given us consent to any other uses that they have.
We do not share any data with third parties however, we cannot control the cookies used by third party sites. You can change your cookie preferences for these sites at any time.
We keep data about all individuals secure and aim to protect data against unauthorised change, damage, loss or theft. All data collected is only accessed by authorised individuals. All paper forms are kept locked away and all computers and tablets are password protected.
Access to all Wise Owls Childcare computers and other software accounts including email is password protected. Passwords are changed every 60 days in line with our cyber security policy.
When a member of staff leaves the company these passwords are changed in line with this policy.
We will hold information about individuals only for as long as the law says and no longer than necessary. After this, we will dispose of it securely. Please see a copy of the Retention periods for records.
- Staff Files 6 years
- Records of complaints 5 years
- Accident and incident forms 3 years
- Children’s Information (incl. medical) 3 years
- Parents information 3 years
- Funding forms containing child and parent data 7 years
- Attendance Registers 3 years
- Nappy Rotas 6 months
- Staff and Child sign-in registers 3 months
All employees and contractors are screened prior to employment: All references are checked. Enhanced DBS checks are performed on all staff/contractors who have access to personal data and the Connect Childcare Systems.
Photographs / Videos
As part of our nursery activities and as part of your child’s learning profile, we may take photographs and record images of individuals and / or children. We will obtain written consent from parents and carers for photographs and videos to be taken of their child for communication, marketing and promotional materials. We will clearly explain how the photograph and/or video will be used to the parent and carer. Authorised uses may include:
- Within the nursery on notice boards, pegs, observations, etc.
- Outside of nursery by external agencies, such as print media.
- On our nursery website or social media pages.
Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph or video and not distribute it further. When using photographs and videos in this way we will not accompany them with any other personal information about the child, to ensure they cannot be identified.
Should any data be breached this should be reported immediately to the Office Director. Details of the breach will be held at head office. UK GDPR says that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.