GDPR and Privacy

General Data Protection Regulation (GDPR)

Statement

GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU parliament in 2016 and comes into effect on 25th May 2018.

GDPR states that personal data should be processed fairly and lawfully and collected for specified, explicit and legitimate purposes and that individuals data is not processed without their knowledge and are only processed with their explicit consent. GDPR covers personal data relating to individuals. Llanddulas Playgroup is committed to protecting the rights and freedoms of individuals with respect to the processing of children's, parents, visitors and staff personal data.

The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal is handled properly. Llanddulas Playgroup is registered with the ICO. (Information Commissioners Office.) Certificates are available to view on the parent's notice board.

GDPR includes 7 rights for individuals.

1. The right to be informed.

Llanddulas Playgroup is registered with CIW and is subject to inspections from CIW and Estyn. Also as a member of Wales PPA we are required to collect and manage certain data. We are required to know parent's names, addresses and telephone numbers. We need to know children's full names, addresses, date of birth, doctor's name, address and telephone number and also information about allergies and parental responsibilities. We are required to collect certain details about visitors to out playgroup. We need to know visitor's names, telephone numbers, and addresses and where appropriate which organisation or company they are employed by. This is in respect of our Health and Safety and Safeguarding policies.

As an employer Llanddulas Playgroup is required to hold data on its employees, names, addresses, email addresses, telephone numbers, date of birth and National Insurance numbers. Certificates of qualifications are to be held for a retention of 6 years.

2. The right of access

At any point an individual can make a request relating to their data and Llanddulas Playgroup will need to provide a response (within 1 month). Llanddulas Playgroup can refuse a request, if we have a lawful obligation to retain data, from CIW but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.

3. The right to erasure

You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, Llanddulas Playgroup has a legal duty to keep children's and parent's details for a reasonable time. Llanddulas Playgroup retains these records for 3 years after a child leaves playgroup, children's accident and injury records for 19 years (or until the child reaches 21 years) and 22 years (or until the child reaches 24 years) for child protection and insurance records. Staff records must be kept for 6 years (or 7 years if there is a breach of contract, senior management records are kept for life) after the member of staff leaves employment, before they can be eased. This data is archived securely onsite and shredded after the legal retention period.

4. The right to restrict processing

Parents, visitors and staff can object to Llanddulas Playgroup processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications.

5. The right to data portability

Llanddulas Playgroup requires data to be transferred from one IT system to another, such as from Llanddulas Playgroup to the Local Authority. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.

6. The right to object

Parents, visitors and staff can object to their data being used for certain activities like marketing or research. Llanddulas Playgroup does not use personal data for such purposes.

7. The right not to be subject to automated decision-making including profiling

Automated decisions and profiling are used for marketing based organisations. Llanddulas Playgroup does not use personal data for such purposes.

8. Storage and use of personal information

All paper copies of children's and staff records are kept in a locked filing cabinet in Llanddulas Playgroup. Members of staff have access to these files but information taken from the files about individual children is confidential and apart from archiving, these records remain on site at all times. These records are shredded after the retention period.

Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children's names, dates of birth and sometimes address. These records are shredded after the relevant retention period.

Llanddulas Playgroup collects a large amount of personal data every year including names and addresses of those on waiting lists. These records are shredded if the child does not attend or added to the child's file and stored appropriately.

Information regarding families involvement with other agencies is stored both electronically on an external hard drive, which is password protected and in paper format, this information is kept in a locked filing cabinet in Llanddulas Playgroup. These records are shredded after the relevant period.

Upon a child leaving Llanddulas Playgroup and moving onto school, data held on the child may be shared with Ysgol Llanddulas or other schools with parental consent.

Llanddulas Playgroup stores personal data held visually in photographs once written consent has been obtained. No names are stored with images on the website or on Llanddulas Playgroup's social media sites.

GDPR means that Llanddulas Playgroup must:
Manage and process personal data properly
Protect the individual's right to privacy
Provide an Individual with access to all personal information held on them

This General Data Protection Regulation policy was passed for use in Llanddulas Playgroup on 19th May 2018.
By: Julie Heap
Position: Registered Person

Reviewed: October 2019
By: J Heap

Next review due: October 2020

Privacy Policy

The Data Protection Act 1998 gives you various rights to do with the information that businesses, the Government and other organisations hold about you.

Personal information that Llanddulas Playgroup uses and holds is covered by the Data Protection Act. This note is to make sure you are fully aware of how we may use your personal information should you send your child to Llanddulas Playgroup. It covers the areas set out below.

How we collect information about you

When you send your children to Llanddulas Playgroup, we receive information about you and any children who attend Llanddulas Playgroup in a number of different ways. You may give us the information. This may happen when you:

  • Fill out the form in our welcome pack.
  • When you let us know about a change in your personal circumstances, e.g. change of address.
  • We may receive it from another organisation e.g. Local Authority or Social Services.

How we use personal information

We use information that we have about you and your children for business purposes. These purposes generally fall into the following areas.

1) Administration - This applies to past, current and potential future children and their parents/guardians. We use this information for the provision of childcare. The types of personal information we collect and use may include:

  • The personal details of your child
  • The payment of fees due
  • Details of the child's family (so we can contact you in case of an emergency)
  • Medical information(so we can cater for any allergies/illnesses or additional needs)

2) Provision of education - This applies to past, current and potential future children and their parents/guardians.

We use this information to ensure that your child's development needs are catered for. The types of information we collect and use include:

  • Observations (so we can ensure your child's development needs are catered for)

3) Keeping you informed - This applies to current, past and potential future children and their parents/guardians. We use this information to keep you updated about events at Llanddulas Playgroup (e.g. to let you know about events and changes to schedules). The types of information we collect and use may include:

  • Email address. So we can email you updates.
  • Phone numbers. So we can text you with changes in our service.
  • Details of all events and notices will always be posted on the Llanddulas Playgroup notice board and our Facebook page.

How long we keep personal information

We are required to keep certain personal information including registers, medication record books and accident, record books, pertaining to the children for at least 3 years after the child has left Llanddulas Playgroup(sometimes much longer- please refer to the Data Retention Chart) This is in order to comply with Child Minding and Day Care (Wales) Regulations 2010 and other legislation (e.g. Limitation Act 1980/The Statute of Limitations (Amendment) Act 1991).

Who we share Personal Information with

Generally we only use your information within Llanddulas Playgroup. There are some occasions when we need to share personal information about you and/or your child with third parties. These are:

  • If your child is entitled to 3 year funding, we will liaise with Conwy County Borough Council Education Department with regards to your child's educational progress/needs.
  • We may on occasions use your personal information for the purposes of recovery of overdue fees.
  • In case of an emergency, we may need to share with the emergency services details of your child including details of any medical conditions as provided to us by you.

Where we process personal information

We will only store and use your personal information in the United Kingdom.

Our commitment to you

We will process your personal information in line with the Data Protection Act 1998. This means that we will:

  • Only collect and hold information about you which we need for some reason.
  • Keep your personal information up to date and accurate(to help us do this please inform us as soon as possible to any changes)
  • Take appropriate steps to protect your personal information from being used without permission, or illegally, and to safeguard your rights; and
  • Destroy your personal information by shredding or deleting from our computer systems once we no longer need it.

What rights you have over your personal information

You have certain rights over your personal information. Most importantly, you have a right to ask for a copy of all the personal information we hold about you but there are some legal exceptions to this, such as information which is confidential to Llanddulas Playgroup. If you would like a copy of your personal information you should contact our manager. If a security breach occurs we will contact the ICO and inform the people affected.

Use of cookies by Llanddulas Playgroup

Llanddulas Playgroup's website currently does not use cookies.

Adopted: May 2018
Reviewed: October 2019 J Heap
Next review due: October 2020

Policy reviewed: October 2020 by J Heap
Next due for review: October 2021