Data Protection Policy
1. Introduction
Dolphins Pre-school is required to collect and process data for a number of purposes concerning its staff, contractors, parents, children and any other individual who comes into contact with the Pre-school. In gathering and using this data Dolphins Pre-school is committed to protecting all individual’s rights of freedom and privacy.
Dolphins Pre-school is fully committed to full compliance with the requirement of the General Data Protection Regulation (GDPR). In line with this, this policy describes how personal data must be collected, handled, managed and stored in order to comply with the company’s data protection standards and the law.
Why This Policy Exists
This data protection policy sets out the rules that all personal data collected, processed, stored, shared and disposed of on behalf of Dolphins pre-school is compliant with the obligations of the General Data Protection Regulation (GDPR).
This policy has been put in place to ensure Dolphins Pre-school:
- Complies with the requirements set out by GDPR
- Protects the rights and privacy of any individual it holds data on, including but not limited to; staff, contractors, parents and children
- Reduces the risk of a data breach
- Has a clear and consistent approach to the collection, storage and management of data
Relevant Legislation
The General Data Protection Regulation (GDPR) has been in force since 25th May 2018. It applies to all organisations who offer services to monitor or process the personal data of subjects residing in the EU. Failure to comply with the GDPR can result in fines up to 4% of annual global turnover or €20 million.
Policy Scope
This policy applies to UK operations:
- Settings operated by Dolphins Pre-school
- Offices and other sites operated by Dolphins Pre-school
- All staff and volunteers employed by Dolphins Pre-school
- All contractors, suppliers and other people working on behalf of Dolphins Pre-school
This can include (but is not limited to):
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Photographs
- Wage and salary information
- Bank account details
- Medical records
- Date of births
- Copies of identification
- Curriculum Vitaes (CVs)
- Staff performance records
- Disciplinary records
- Accident and incident records
- Any other information relating to individuals
2. Data Protection Policy Statement
Dolphins Pre-school is fully committed to ensuring full compliance with the requirement of the General Data Protection Regulation (GDPR).
Dolphins Pre-school will:
- Protect the fundamental rights and freedoms of natural persons personal data
- Be lawful, fair and transparent in relation to how personal data is collected, stored and processed
- Collect data for relevant specified, explicit and legitimate purposes
- Keep accurate, up to date and detailed registers of personal data held
- Keep data for no longer than is required for the purposes it was collected
- Process data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Keep data secure with appropriate and technical and organisational measures taken to protect the information
- Process data in line with the right of the individual
3. Roles and Responsibilities
All members of staff who work for Dolphins Pre-school have a responsibility to ensure that data is collected, stored, processed and disposed of appropriately.
The following people have key responsibilities:
Sheila Gavan (trading as Dolphins Pre-school)
Sheila Gavan has overall responsibility for the implementation of the Data Protection Policy throughout the business.
She will:
- Ensure that the requirements of GDPR are understood and effectively managed
- Ensure that appropriate resources are provided to effectively implement the Data Protection Policy
- Ensure that a competent individual is appointed to manage data protection
Data Protection Officer – Head of Operations
The Data Protection Officer (DPO) oversees and has managerial responsibility for data protection in the business. The DPO will ensure:
- There are adequate resources available for the business to be legally compliant with GDPR and the policies, procedures and management systems in place are robust and effective
- The business is registered with the Information Commissioner Office (ICO) and will co-operate with any of their requests or investigations
- A data protection policy is in place and reviewed on a regular basis
- Employees are aware of their obligations to comply with the GDPR and other data protection laws
- Monitoring of compliance with the GDPR and reviews of the policies, procedures and systems are undertaken to ensure they are effective
- Training, advice and information is provided to employees and business contacts when necessary in relation to data protection
- Data breaches are notified to the Information Commissioner within 72 hours of being made aware and an investigation is undertaken in response to the data breach
- An effective system is in place for compiling information requested as part of a Subject Access Request in line with the timescales detailed in GDPR
- Contracts with third parties are checked to ensure they are consistent with this Policy
- Maintaining the registers that hold personal data or software information
- Undertaking investigations into data breaches
- Co-ordinating and managing Subject Access Requests
- Monitoring and actioning correspondence relating to data protection
- Devising and delivering data protection training
- Monitoring the website, and shared folders to ensure they are accurate and include up to date information on Data Protection and Privacy
- Ensure all systems, services and equipment used for storing personal data meet acceptable security standards
- Perform regular checks and scans to ensure security hardware and software is functioning properly
- Investigate and address any suspect anti-virus or spam
- Evaluate any third-party services the company is considering using to store or process data
- Give advice and feedback on any concerns regarding IT or security systems that may affect the abilities of Dolphins Pre-school to meet the requirements of this Policy and the GDPR
- ensure all marketing materials abide by data protection principles
- Ensure that consent is collected for the distribution of all direct marketing material
- Ensuring any changes in the way we use data for marketing purposes is communicated to parents and the DPO
- All staff are trained and familiar with their duties under the Data Protection Policy
- Any collection, processing, management and disposal of personal data is done so in line with the Data Protection Policy
- A Data Protection Impact Assessment is completed when deemed necessary, for instance when acquiring a new software system
Staff Guidelines
All Dolphins Pre-school employees are required to comply with the following guidelines to ensure all personal data held by the company is used, stored and managed in the most appropriate way possible:
- Data should only be used for its original purpose and only by those who need it for their work
- Data concerning individuals must not be communicated to other persons or organisations unless required to do so by law or under an approved contract
- Care should be taken when sharing data that you have checked the identity of the individual and the organisation they are representing and you are confident they have a legitimate need for the information
- Take sensible precautions to ensure all personal data is kept secure. This should include locking computers when leaving a desk and making sure no personal data is left out in view of other people.
- Use secure passwords when storing digital data and usernames and passwords should never be shared
- Data should be regularly reviewed and updated, and if found to be out of date or no longer required for its original purpose, it should be updated or deleted and disposed of in the manner detailed in the Retention and Disposal Guidance
- Employees should request help from the DPO if they are unsure of any aspect regarding data protection
- Documents containing personal data should be disposed of in line with the Retention and Disposal Guidance, with confidential waste bins being used before collection with our approved waste contractor. Documents that contain personal data should not be placed in general waste bins.
- Dolphins Pre-school will provide training to all employees to help them understand their responsibilities when handling data
- Employees should ensure that the data held on HR software is reviewed at least annually and updated
Staff that work from home or undertake work in locations other than those under the management of Dolphins Pre-school should also comply with the following guidelines:
- Where possible use a Dolphins Pre-school approved device that has been installed with approved software
- Data should not be transferred onto a personal USB stick
- Employees should avoid leaving sensitive information out on display or in vehicles
- Computers should be password protected and locked when left unattended
- Documents containing personal data should be taken to the Pre-school to be placed in a confidential waste bin, burned or shredded. They should not be placed in general waste bin.
4. Personally Identifiable Data
Dolphins Pre-school only collect, process and store personal data where we have a valid lawful basis to require it. We do the following to be transparent:
- Provide information to data subjects in our Privacy Policy on where data is held, the lawful basis and how long we store it.
- Only use data for its original purpose, where we wish to use it for a different purpose, we will notify you of this and request your consent
- Keep data in as few places as necessary
- Update our data regularly using annual declaration requests
- Provide you with any information we hold on you when we receive a Subject Data Request
- Where an individual contests the accuracy of personal data, Dolphins Pre-school will restrict processing until the personal data has been confirmed and updated
Children’s’ Data
As a childcare provider Dolphins Pre-school collects, holds and processes a lot of children’s data. There is an increased need to protect children’s personal data because they are classed as vulnerable individuals. Where a child is under the age of 16, consent for the processing of the child’s data is required from the child’s parent or guardian.
Additional care should be taken when handling or sharing children’s data to ensure that it is shared with only those that need to know the information. Some data such as medical data will need to be shared with staff to ensure that any emergency medical care can be given when needed however this should not be shared with people outside the organisation unless there is a legal requirement to do this.
Staff Data
We collect, hold and process data on employees as part of our legal responsibilities and in order that we can support and manage them in their work. Certain personal data on employees is held on our HR software and employees should ensure that they check the information held is accurate on a regular basis.
Sensitive Personal Data
Dolphins Pre-school has recognised that special categories of personal data need to be processed as part of our business activities and this data needs additional protection to manage the risk. The data we collect is detailed in our Dolphins Pre-school data audit.
Sensitive personal data is only processed when explicit consent is given or when the processing is necessary for substantial public interest reasons which must include measures to protect the interests of the data subject.
Criminal Convictions and Offences
Dolphins Pre-school, as a childcare provider is required by law to review the history of employees in relation to historic criminal convictions and offences. As required by the GDPR we have provided information on this data below.
Capita carry out the DBS check – no criminal conviction history is stored by Dolphins Pre-school only the DBS number
Information given, consent agreed, and DBS check date
5. Collecting and Processing Personal Data
Dolphins Pre-school will only collect and process personal data when at least one of the following lawful processes apply:
- Consent: A data subject has given consent to the processing on his/ her personal data
- Contract: Processing is necessary for the performance of a contract
- Legal obligation: Processing is necessary for compliance with a legal requirement
- Vital interests: Processing is necessary to protect the vital interests of the data subject
- Legitimate interests: Processing is necessary for the legitimate interests pursued by the data controller or third party unless there is a good reason to protect the individuals’ data which override those legitimate interests
Dolphins Pre-school makes automatic decisions on the processing and use of data where it is:
- Necessary for the entry into or performance of a contract
- Required to comply with the law
- Based on the individuals explicit consent
Processing Parent and Child Data
All personal data regarding a parent, guardian, carer and child processed by Dolphins Pre-school is mandatory in order to fulfil the requirements of the contract. Failure to provide this information will result in the child being declined a place at the nursery.
Processing Employee Data
All personal data regarding an employee processed by Dolphins Pre-school is mandatory in order to fulfil the requirements of the contract. Failure to provide this information will result in the individual being unable to be join Dolphins Pre-school as an employee.
Consent Management
Where processing is based on consent, Dolphins Pre-school shall demonstrate that the data subject has consented to the storage and processing of his/ her personal data. For the collection of personal data which relies on explicit consent, data subjects are given the opportunity to freely give their consent to us processing that data for the specified purpose. Some examples of where explicit consent (outside the terms and conditions of the contract) is required are detailed below:
a. Consent for photographs
Dolphins Pre-school recognises the taking of photographs is not compulsory for the fulfilment of a contract and is not required for legal reasons. Considering this, parents are given the opportunity to give or withdraw their consent for photographs of their child to be taken, displayed or used in various ways by Dolphins Pre-school. This information is collected as part of the application.
b. Consent for Marketing
Dolphins Pre-school recognises individuals are required to give explicit consent to be contacted for marketing purposes. Parents given the opportunity to freely give their consent to being contacted for marketing purposes. Consent is given in a granular manner to show clearly what is being agreed to. This information is collected as part of the application.
c. Other consents
For further processes where we require consent for additional functions or needs, an additional consent forms will be used.
6. Data Security, Retention, Storage and Disposal
Responsibilities and Procedures
Dolphins Pre-school is committed to ensuring we do not hold personal data for longer than necessary. Dolphins Pre-school retains different types of data for different periods of time due to the law or business need. All data should be stored only in the location(s) detailed in the Dolphins Pre-school Data Audit and all staff are required to follow retention guidelines to ensure compliance with the GDPR.
Hard Copy/ Paper Records
When data is stored in paper format and not in use, it should be kept in a secure place where unauthorised people cannot gain access to it. The following procedures should be followed when handling paper documents. These guidelines also apply to electronic data which has been printed.
- Paper files containing personal data should only be handled by those within Dolphins Pre-school that need it to complete an essential task and should not be shared unless it is necessary to do so
- When not in use, paper documents should be kept in a secure environment such as locked in an office
- Paper or printouts containing personal information should not be left out
- Printouts where the data is no longer required should be securely disposed of in the confidential waste bin or shredded
- Procedures are in place to securely dispose of confidential waste
Soft Copy/ Electronic Records
When data is stored electronically, measures should be put in place to prevent data from unauthorised access, deletion, virus’ and malicious hacking attempts
- Staff should be trained and be given information as to where the correct and secure place to save data is
- Data should be protected by password which is regularly changed and never shared, even with those within the organisation
- Data should be backed up frequently
- Data should never be downloaded or saved directly onto personal devices
- All servers and computers containing personal data should be protected by security and anti-virus software and a firewall
- Where possible removable media devices, such as a USB stick should not be used, where they are required, they should be kept in a secure locked environment and wiped once they have been used for the purpose
- All staff should ensure computers or laptops are secured when left unattended.
Cyber Security
Dolphins Pre-school ensures that all data is kept secure with appropriate technical and organisational measures taken to protect the information. Dolphins Pre-school ensures all business devices have appropriate anti-virus, firewall and spam software to help minimise access to files and identify any areas of concern.
E-mails are checked regularly for viruses. However, no liability is accepted for any viruses which may be transmitted in or with e-mails.
Disposal of Documents
Employees must ensure that documents are only kept for the retention period set out for that particular type of data. All documents that exceed this retention period or are no longer required should be placed in a Confidential Waste bin, bag marked as ‘confidential waste’ or shredded. Any waste that is being stored before collection should be kept in a secure location such as a locked office to prevent unauthorised access.
Disposal of IT Hardware
Computer hardware that comes to the end of its use, should be wiped and any personal or sensitive data removed. Once this has been completed, the equipment must be destroyed.
7. Data Sharing and Processing
Third Party Sharing and Processing
Dolphins Pre-school may need to share personal data with organisations outside of Dolphins Pre-school, we refer to these as ‘third parties’. This may be for a variety of reasons but where this is necessary Dolphins Pre-school ensures all third parties who process data on behalf of Dolphins pre-school (the data controller) have robust systems in place to comply with the conditions set out in GDPR.
Third parties who process data on behalf of Dolphins Pre-school may be required to sign a Data Confidentiality Agreement. This outlines how we expect each organisation as a data processor, to handle the data we share with them. Failure to adhere to the obligations set out in the Data Confidentiality Agreement would result in us reviewing our partnership with them as this may lead to a data breach.
Some organisations who we share data with such as Public Bodies or very large organisations, may not be able to sign our Third Party Data Confidentiality Agreement, where this is the case we try to ensure that we have information on their Data Protection Policy and arrangements to ensure that we are satisfied that they are compliant with the GDPR.
In relation to the sharing of data with Third Parties Dolphins Pre-school will take reasonable steps to ensure:
- Reasonable steps are taken to ensure secure measures are in place to protect individuals’ personal data
- A written contract or confidentiality agreement is set out establishing what personal data will be processed, the purpose for processing and how long the data will be held
- Third parties are informed about data subjects who wish to access, erase or rectify their personal data
- Personal data is only disclosed to third parties outside a formal contract or agreements where there is a legal obligation to do so
- The T&Cs within the contract with a third party meet the requirements of the GDPR
- Data subjects have given their explicit consent to disclose their personal data to third parties or are agreeing to the terms of a Dolphins Pre-school contract
- The disclosure of data is necessary to protect the vital interests of the data subject
Internal Sharing of Data
The subsequent guidelines should be followed when sharing data internally
- Data should never be shared via email unless the email is adequately protected
- Emails containing personal data should be deleted after being dealt with / saved within the appropriate software system and any hard copy file in line with the Management, Retention and Disposal guidelines
- Personal data should only be shared with those who need to have it and care should be taken when sharing personal data via email that it is sent to the correct recipient
- Data should not be shared over the phone or in person unless the individual is known to you or their identity has been confirmed
8. Social Media
Dolphins Pre-school use Facebook and other social media outlets as a means to communicate positive messages about the organisation. They are updated with regular posts showing a selection of the activities for children, news and special offers.
All photographs of children used on the Dolphins Pre-school Facebook page require parents’ consent. Photos are not to be posted on this or any social media or internet sites without this consent. The consent should be updated at least once a year to ensure the parents are still happy for images to be used.
We are not responsible for any social media groups which are detached from Dolphins Pre-school and have been set up by parents such as forum groups.
9. GDPR Provisions
Privacy Notices
The Dolphins Pre-school Privacy Notices outline the following information:
- what personal data we collect
- how we process the data
- the lawful basis in which we process
- the purpose for processing
- who we share data with and why
- how long we hold it for
- where it is stored and
- the rights of the data subject
Privacy by Design and Default
Dolphins Pre-school as the data controller shall implement appropriate technical and organisational measures to ensure that by default, only personal data necessary is used for each specific purpose of processing. Dolphins Pre-school will also (where deemed necessary) follow data protection principles such as data minimisation to protect the rights of the data subject by implementing appropriate technical and organisational measures, such pseudonymisation.
10. Data Subject Rights
Subject Access Requests (SAR)
The personal data collected and held by Dolphins Pre-school remains the property of the Data Subject and therefore they retain the right to know what information we hold on them, where it is held and for what purpose. Under the GDPR we are aware of our legal obligations to provide a copy of the data, free of charge and without undue delay and at the latest within one month of a request on receiving a Subject Access Request (SAR).
Dolphins Pre-school reserve the right to refuse or charged for information if the SAR is manifestly unfounded or excessive. We will inform the Data Subject of this within one month of the request and provide information as to why it has been refused or why a charge has been requested.
Right to be Forgotten
A Data Subject has the right to ask Dolphins Pre-school to erase his/her personal data and cease further dissemination of the data. The right to be forgotten will not be available where we are under contract with the Data Subject or we hold the data to meet legal requirements. If personal data has been disclosed to third parties where possible, we are required to inform them about the erasure of personal data.
Right to Rectification
A Data Subject has the right to request that we rectify inaccurate or incomplete personal data concerning him/ her. If such personal data has been disclosed to third parties where possible these third parties will be informed. We will take steps to correct inaccurate or incomplete data as soon as practicable after becoming aware of it. We would always aim to have this completed and the Data Subject be advised of the action taken within one month.
Right to Object
A Data Subject has the right to object to the processing of their data where it is used for direct marketing, research, statistical analysis, for legitimate interests or the performance of a task in the public interest. Where a Data Subject objects to Dolphins Pre-school having their data for these purposes, we will no longer process the personal data and inform the Data Subject when this has been actioned. We will assume the Data Subject is removing consent for the data to be used in that way and remove this from our systems.
11. Reporting Breaches
All Dolphins Pre-school employees who are aware that a data breach has occurred should report the breach to their line manager and the Data Protection Officer. The Data Protection Officer will then ensure that the breach is recorded.
High Risk Breaches
Dolphins Pre-school are required under the GDPR to notify the Information Commissioners Office of a high risk data breach, where the breach is likely to result in a risk for the right and freedoms of the individual. Dolphins Pre-school will report the breach within 72 hours of first becoming aware of the breach. Dolphins Pre-school will also notify the individual concerned directly and advise them of what is being done to manage the risk.
12. Monitoring
Data Audit
The Data Audit outlines what information is held, what lawful process the data fits into, where the data is held, how long the data is held for, who has access, and whether the data is shared with any third parties.
Data Breach
The Data Breach Log is a centralised log for all data breaches to be recorded. All staff members are required to record their breach in this register along with the action taken and whether the ICO have been notified.
Subject Access Request
The Subject Access Request Log is a centralised log for all subject access requests to be recorded. This includes the name of the requester, the date of request and the date of completion.
13. Complaints
Dolphins Pre-school is fully committed to protecting the privacy of individuals and complying with the General Data Protection Regulation (GDPR). We will do our best to investigate any complaints from Data Subjects in accordance with our Complaints Procedure.
If you are unhappy with our handling of a SAR or have concerns with how we handle data, please let us know and we will try and resolve the issue. If you are still unsatisfied, you have the right to contact the Information Commissioners Office and raise a concern with them. They can be contacted on: https://www.ico.org.uk/concerns/ or 0303 123 1113.
14. Training and Awareness
Dolphins Pre-school recognises that most staff in the course of their work will come into contact with personal data and endeavours to provide information, training and support to all employees to assist them in collecting, storing, processing and disposing of personal data.
Data Protection Training
All staff members are required to undertake data protection awareness training. New employees will undertake data protection training as part of the induction to ensure they are familiar with our Data Protection Policy and accompanying guidance documents. All staff members are encouraged to read this policy along with the assisting protocols and guidance documents to ensure compliance.
Data Protection Support
Data protection support is provided by Dolphins Pre-school
Employees should familiarise themselves with this policy and other relevant data protection protocols and guidance. Employees who fail to comply and as a result cause a significant data breach may face disciplinary action. Each incident will be assessed on a case-by-case basis.
Data Protection and Privacy Policy
Your privacy is important to Dolphins Pre-school so we have developed a number of privacy notices which cover how we collect, use, process, transfer and store your personal information. All your personal Information shall be held and used in accordance with The General Data Protection Regulation (2018). Our full Data Protection Policy can be accessed by contacting our Data Protection Officer (DPO).
Dolphins Pre-school is the data controller of your Information and is required to collect and process data for several purposes concerning its staff, contractors, parents, children, website users and any other individual who comes into contact with the company. In gathering and using this data Dolphins Pre-school is committed to protecting all individuals’ rights of freedom and privacy.
The policies below are intended to inform you how we gather, define, and utilise your personal information such as name, address, email address and mobile phone number.
Privacy Policy for website users
What personal data we collect about you as a visitor to our website
When you visit our website, you may provide us with two types of information:
- Personal Information you provide to us on an individual basis
- Registration website use information collected as you and others browse our website.
Any information you submit is sent at your own risk. Once we have received your Information we will use strict procedures and security features to minimise the risk of unauthorised access.
Similar to other commercial websites, our website uses a technology called "cookies" (see explanation below, "What Are Cookies?") and web server logs to collect information about how our website is used.
Information gathered through cookies and web server logs may include the date and time of visits, the pages viewed, time spent at our website, and the websites visited just before and just after our website.
How we use the information you provide to us
Dolphins Pre-school use your Information in the following ways:
- to ensure that content from our website is presented in the most effective and efficient manner for you and your computer;
- to allow you to register, request information or order any products and services available on our website where you choose to do so;
- to notify you about changes to our service;
- in accordance with your authorisation at the point of registration;
- if you have given your consent at the point of registration, to contact you with information about products, services and special offers that you request from us, or that we feel may be of interest to you or to ask you to participate in one of our surveys. We may pass your Information to carefully selected third party organisations:
- if we buy or sell any business or assets in which case we may disclose your Information to the seller or buyer of such business or assets;
- if we are under a duty to disclose or share your personal data to comply with any legal obligation or in order to enforce or apply our terms and conditions and other agreements or protect the rights, property, or safety of our customers, or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction.
How we protect your information
Storage of data
The data you provide to us via the website we will hold in our software systems. Data relating to you and your child will be kept at Dolphins Pre-school. Personal data held within a software system will be securely protected with individual logins, which will only be given to those who need to access the data.
Your data subject rights
You may request access to all your Information that we collect online and maintain in our database by writing / emailing our Data Protection Officer (DPO) via our website.
We are obliged under GDPR to complete your request within 1 month of receipt of the request.
Your Consent
By using our website, you consent to our collection and use of your Information as described in this Privacy Policy. If we change our privacy policies and procedures, we will post those changes on our website to keep you aware of what information we collect, how we use it and under what circumstances we may disclose it.
Where we store your personal dataData and Information that we collect from you may be transferred to and stored at a destination outside the European Economic Area ("EEA"). You consent to our sending and storing Your Information outside the EEA. We will take all steps reasonably necessary to ensure that your Information is treated securely and in accordance with this Privacy Policy.
Cookies
What Are Cookies?
A cookie is a very small text document, which often includes an anonymous unique identifier. When you visit a website, that site's web server/computer asks your computer for permission to store this file in a part of your hard drive specifically designated for cookies.
Each website can send its own cookie to your browser if your browser's preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites, therefore private information supplied to one web site cannot be read by another organisation.
A more detailed look at how we use cookies on the Dolphins Pre-school web site can be found by clicking the 'Cookie Settings' button, you will also find further useful information at https://cookiepedia.co.uk/giving-consent-to-cookies
How We Use Information We Collect from Cookies
As you browse and navigate around our website, the website uses cookies to differentiate you from other users to prevent you from seeing unnecessary advertisements or requiring you to log in more than is necessary for security.
Cookies, in conjunction with our web server's log files, allow us to calculate the aggregate number of people visiting our website and which parts of the website are most popular. This helps us gather feedback so that we can improve our website and better serve our customers.
Cookies do not allow us to gather any personal Information about you and we do not generally store any personal Information that you provided to us in your cookies.
Privacy Notice for Parents
Dolphins Pre-school is the data controller for any personal information you provide to us regarding you or your child. This means we decide how your personal data is processed and for what purpose.
Dolphins Pre-school is required to collect and process data for a number of purposes concerning its staff, contractors, parents, children and any other individual who comes into contact with the company. In gathering and using this data Dolphins Pre-school is committed to protecting all individual’s rights of freedom and privacy and meeting the requirements of the General Data Protection Regulation 2018 (GDPR).
What personal data we collect about you and your child
Dolphins Pre-school contractual responsibilities include but are not limited to the collection of the following personal data:
- Personal details (name, date of birth, gender)
- Attendance information (start date, hours in pre-school)
- Medical and health information
- Personal characteristics
- Dietary requirements and preferences (allergies on intolerances, food likes/dislikes)
- Special Educational Needs information
- Development records
The information we hold about you as a parent or guardian may include:
- Personal details (name, date of birth, national insurance number)
- Contact details (address, phone number, email address)
- Bank details (name of bank, account number and sort code)
We do hold some special category data about you and your child regarding race, ethnic origin, religion and health information. The special category data is only collected as required by the Local Authority or other public bodies for legal and contractual purposes. We comply fully with the requirements of GDPR in relation to special category data and are aware of the sensitive nature of the information.
It is the duty of you, the Data Subject to let us know of any personal data that has changed or is incorrect, we send out annual declaration forms to ensure the data we hold on you is accurate.
How we process your personal dataDolphins Pre-school complies with its obligations under the GDPR by keeping personal data up to date; storing and destroying it securely; not collecting or retaining excessive amounts of data; protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. All the data we process, we do so to fulfil the contract we have with you.
Dolphins Pre-school hold and processes your data to be able to:
- Provide the appropriate care for your child
- Support your child’s learning
- Monitor and report on your child’s progress
- Ensure the right first aid and medication is provided to your child in cases where they become ill or have an accident in our care
- Be able to contact you in case there is an emergency regarding your child
- Be able to take payment for the childcare we are providing your child
- To provide proof of consent of your agreement to our contract terms and conditions
The lawful basis in which we process this dataDolphins Pre-school collects and process all the information you provide to us as a parent or guardian under the contractual lawful process. It is necessary to process this data to be able carry out the requirements of the contract. Without this data we will not be able to fulfil your contract and thus not be able to keep your child in our care.
The health and medical data you provide to us regarding your child is legally required and is vital to keep your child safe whilst in our care.
Data regarding your child's ethnicity, race and religion is only processed under the requirements of Local Authorities and public bodies and upholding Dolphins Pre-school equal opportunities policy and ensuring we are meeting the Equality Act 2010.
Some data will only be processed if explicit consent is given. This can include the ability to take photographs of your child and using your details for direct marketing. Where this is the case we will ask for your specific consent.
Who collects this data
Dolphins Pre-school collects most of its data directly from the individual themselves. The information we collect about you and your child will all be obtained from the application form you fill out when you first enrol your child. Additional data is collected as part of the Annual Declaration and on an ad-hoc basis as required.
Storage of data
All your data is either kept in our software systems or in paper format. Data relating to you and your child will be kept in the pre-school. Personal data held within a software system will be securely protected with individual logins, which will only be given to those who need to access the data. If you wish to see the full version of our policies relating to ICT please contact the Data Protection Officer.
All data stored in paper format will be kept in a safe location where only those who are authorised to access it, can.
Who and why we share this data
We are legally obliged to pass some of your details on to third parties for legal reasons such as public bodies. This includes Local Authorities, Ofsted, NHS, Police and enforcing agencies. We will not give information about you or your child to anyone outside of the company without your explicit consent unless the law or our terms and conditions allow us to.
We may also share data with organisations for trend analysis. The processing of this kind of data we are not legally required to do and therefore we will ask you for your explicit consent for us to share your data for this purpose
We may share your child’s progress data with schools as they transfer from pre-school, however this will only be done with the explicit consent from you as a parent or guardian.
Data retention periods
Dolphins Pre-school is committed to ensuring we do not hold personal data for any longer than necessary.
Data which we hold under contract is subject to specified retention periods. These are detailed within our data audit details of which are available upon request.
Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Privacy Notice, we will provide you with a new notice explaining this new purpose. Where and whenever necessary, we will seek your consent to the new processing.
Your data subject rights
Under GDPR you have the right to request access to any of the data held by Dolphins Pre-school about you and your child. If you wish to make a subject access request please contact the Data Protection Officer (DPO).
If you feel Dolphins Pre-school has not handled your or your Child’s personal details adequately or you are unhappy with how your data request has been dealt with contact the Data Protection Officer (DPO).
Recruitment
If you are successful and are offered a position to work for Dolphins Pre-school we will hold your data under contract. Further information on what information we hold on employees, how we store it and how we process this data can be found on the Privacy Notice for Employees below.
If you are unsuccessful we will dispose of any personal data you have supplied us immediately unless you have given explicit consent for us to keep this information.
Privacy Notice for Employees
Dolphins Pre-school is the data controller for any personal information you provide to us regarding yourself as an employee of Dolphins Pre-school. This means we decide how your personal data is processed and for what purpose.
Dolphins Pre-school is required to collect and process data for a number of purposes concerning its staff, contractors, parents, children and any other individual who comes into contact with the company. In gathering and using this data Dolphins Pre-school is committed to protecting all individual’s rights of freedom and privacy and meeting the requirements of the General Data Protection Regulation 2018 (GDPR).
What personal data we collect about you
Dolphins Pre-school contractual responsibilities include but are not limited to the collection of the following personal data:
- Personal information (name, employee number, national insurance number)
- Contact information (phone number, email address)
- Work absence information (number of absences and reasons)
- Qualification and educational history
- Bank details (name of bank, account number and sort code)
- Medical and health information
- Contract information (start date, hours worked, salary information)
We do hold some special category data about you regarding your race, ethnic origin, religion and health information. The special category data we hold we only process if it is essential for the purpose of a contract or required for legal reasons and is adequately protected because of the sensitive nature of the information. We only use this information for equal opportunity research and feedback.
It is the duty of the data subject to let us know of any personal data that has changed so we can update our records and ensure the data we hold on you is accurate.
How we process your personal data
Dolphins Pre-school complies with its obligations under the GDPR by keeping personal data up to date; storing and destroying it securely; not collecting or retaining excessive amounts of data; protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. All the data we process from employees, we do so to fulfil the contract.
Dolphins Pre-school hold and processes your data to be able to:
- Enable individuals to get paid
- Contact employees when necessary
The lawful basis in which we process this data
Dolphins Pre-school collects and process all the information you provide to us about yourself as an employee under the contractual lawful process. It is necessary to process this data to be able carry out the requirements of the contract. Without this data we will not be able to fulfil the contract and thus not be able to employ you as a member of staff here at Dolphins Pre-school.
The health and medical data you provide to us is legally required and is vital to keep you safe whilst you are employed with us. It is also under your contract that you supply sick notes to us as evidence of proof of illness and ensure you are paid for these days.
Data regarding your ethnicity, race and religion is only processed for monitoring and upholding Dolphins Pre-school equal opportunities policy and ensuring we are meeting the Equality Act 2010.
Who collects this data
Dolphins Pre-school collects most of its data directly from the individual themselves. The information we collect about you will be obtained from the application you give us during the recruitment process or new starter pack you fill out when you first become employed with Dolphins Pre-school. Additional data is collected via our payroll system and on an ad-hoc basis as required.
Storage of data
All your data is either kept in our software systems or in paper format. Employees’ data may be held within the department your work for. Bank details are held in payroll. Personal data held within software systems securely protected with logins, which will only be given to those who need to access the data.
All data stored in paper format will be kept in a safe environment where only those who need it can access it. This may include being locked away.
Who and why we share this data
We are legally obliged to pass some of your details on to third parties such as public bodies or civil services. These may include, the police, the courts, HMRC and pension providers. We limit the sharing of data to third parties as far as practicable and only share data where it is necessary for legal reasons or for the processing of the contract.
Data retention periods
Dolphins Pre-school is committed to ensuring we do not hold personal data for no longer than necessary. We are required by law to hold some of the personal data you provide us for certain periods of time. Medical, health and accident data will not be destroyed and both financial and personal data we will hold for 6 years after you have left, after this period your data will be appropriately disposed of. Further information can be found on our Management, Retention and Disposal of Records Guidance.
Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, we will provide you with a new notice explaining this new purpose. Where and whenever necessary, we will seek your consent to the new processing.
Your data subject rights
Under GDPR you as an employee have the right to request access to any of the data held by Dolphins Pre-school. If you wish to make a subject access request, please contact the Data Protection Officer (DPO).
If you feel Dolphins Pre-school has not handled your personal details adequately or you are unhappy with how your data request has been dealt with contact the Data Protection Officer (DPO).
Consent
Dolphins Pre-school is committed to ensuring where consent is required, it is freely given, specific and unambiguous. Where consent is required for additional processing, data subjects are given the opportunity to freely give their consent to us processing that data for the specified purpose. Additional consent forms will be distributed to gather additional permission.
Contact Us
If you have any questions or suggestions regarding our privacy policy, please contact us via our website
Last reviewed: 3 Aug, 2022
dolphins_data_audit_3.8.22.docx.pdf |