Confidentiality and GDPR

In order to provide a quality early years and childcare service and comply with legislation, I will need to request information from parents about their child and family. Some of this will be personal data.

I take families’ privacy seriously, and in accordance with the General Data Protection Regulation (GDPR), I will process any personal data according to the seven principles below:


1. I must have a lawful reason for collecting personal data, and must do it in a fair and transparent way. I will be clear about what data I am collecting, and why. 

2. I must only use the data for the reason it is initially obtained. This means that I may not use a person’s data to market a product or service to them that is unconnected to the reasons for which they shared the data with me in the first place. 

3. I must not collect any more data than is necessary. I will only collect the data I need to hold in order to do the job for which I have collected the data. 

4. I will ensure that the data is accurate, and ask parents to check annually and confirm that the data held is still accurate. 

5. I will not keep data any longer than needed. I must only keep the data for as long as is needed to complete the tasks it was collected for.

6. I must protect the personal data. I am responsible for ensuring that I, and anyone else charged with using the data, processes and stores it securely. 

7. I will be accountable for the data. This means that I will be able to show how I (and anyone working with me) am complying with the law. 

I am registered with the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. 

I expect parents to keep private and confidential any sensitive information they may accidentally learn about my family, setting or the other children and families attending my setting, unless it is a child protection issue.

I will be asking parents for personal data about themselves and their child in order to deliver a childcare service (see privacy notice). I am required to hold and use this personal data in order to comply with the statutory framework for the early years foundation stage, Ofsted, Department for Education and my local authority.


Subject access


Parents have the right to inspect records about their child at any time. This will be provided without delay and no later than one month after the request, which should be made in writing. I will ask parents to regularly check that the data is correct and update it where necessary.


Storage


I will keep all paper-based records about children and their families securely locked in a cupboard and any computer based files including photos or videos will be kept on a password protected computer. Firewall and virus protection software are in place.The computer is only used by myself.

I will take photos and videos using my iPad and phone see. My mobile phone is facial recognition and pass code protected.


Data sharing


I am expected to share information with other childcare providers if a child attends another setting.

I am also required to share information with Gloucestershire county council in regards to the childcare and early years entitlement.

It may be necessary from time to time to share information about yourself and/ or your child with other professionals, for example the health visitor or GP.

I will not share any information with anyone without parental consent unless there is a safeguarding concern and I believe that by informing you I will place your child in immediate danger.

HMRC/ Tax credits may also request information from me which may include copies of your invoice which contains personal information.

Ofsted may require access to my records at any time.


Data may be shared;

  • Verbally
  • On paper
  • Electronically 


Under the General Data Protection Legislation I am only permitted to share information that is required and necessary. Please see my privacy notice.


Record keeping


I record all accidents on an accident form.

I will notify PACEY and my insurance company of any accidents which may result in an insurance claim. PACEY will log and acknowledge receipt of the correspondence and forward the information to the company providing my public liability insurance policy to enable a claim number to be allocated.

I will inform Ofsted, the local child protection agency and the Health and Safety Executive of any significant injuries, accidents or deaths as soon as possible.

I record all significant incidents on an incident form and I will share these with parents so that together we can work to resolve any issues.

I will only share information if it is in a child’s best interests to do so. For example in a medical emergency I will share medical information with a healthcare professional. If I am worried about a child’s welfare I have a duty of care to follow the Local Safeguarding Children Board procedures and make a referral. Where possible I will discuss concerns with you before making a referral.


Your right to erasure


As a parent you have the right to refuse consent or withdraw consent at any time and you have the right to challenge my decision to retain documents about you or your child. This is called the ‘right to erasure’ in GDPR. However, if I need to keep information because it is legally required then exceptions to the ‘right to erasure’ apply. I will make a decision about each erasure request individually – please speak to me for more information. 


Safe disposal of data


I am required by law to keep some data for some time after a child has left the setting. I have a review plan in place and ensure that any data is disposed of appropriately and securely.


Suspected breach 


If I suspect that data has been accessed unlawfully, I will inform the relevant parties immediately and report to the Information Commissioner’s Office within 72 hours. I will keep a record of any data breach.

 Copyright © 2011 GLH Childminding Services©