General Data Protection Regulations (GDPR) Policy – May 2018
Statement of Intent
Bodmin Pre-school is required to collect personal information for its employees, committee, children, parents and visitors. It is also necessary to process information so that staff can be recruited and paid, activities organised and legal obligations to funding bodies. Bodmin Pre-school intends to meet all the requirements of the General Data Protection Regulations 2018 when collecting, storing and destroying personal data.
To comply with the law (GDPR), information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this Bodmin Pre-school must comply with the General Data Protection Regulations 2018. In summary these state that personal data must be:
- Obtained and processed fairly and lawfully.
- Obtained for a specific and lawful purpose and not processed in any manner incompatible with that purpose; adequate, relevant and not excessive for that purpose.
- Accurate and kept up to date.
- Not kept for longer than necessary (see Retention Periods for Records).
- Processed in accordance with the data subject’s rights.
- Kept safe from unauthorised access, accidental loss or destruction.
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
All Bodmin Pre-school staff and volunteers who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, Bodmin Pre-school has adopted this GDPR Policy.
Notification of Data Held and Processed.
All employees, committee, parents, visitors and other members of the public have the right to:
- Know what information Bodmin Pre-school holds and processes about them and why.
- Know how to gain access to it.
- Know how to keep it up to date.
- Know what Bodmin Pre-school is doing to comply with its obligations under GDPR.
The Data Controller and the Designated Data Controllers.
Bodmin Pre-school as a registered charity is the Data Controller under GDPR and the organisation is ultimately responsible for implementation. However, Designated Data Controllers will deal with day to day matters. Bodmin Pre-school’s Designated Controllers are:
- Nicola Bennett – Setting Manager
- Louise Pay – Early Years Teacher
Personal Information is defined as any details relating to a living identifiable individual. Within Bodmin Pre-school this relates to employees, attending children, and their families, committee, professional visitors and some members of the public such as job applicants. Bodmin Pre-school will ensure that the information gained from each individual is kept securely and to the appropriate level of confidentiality.
The personal information collected from individuals may include:
- Email address
- Telephone numbers- including those of emergency contacts
- Date of birth
- Medical information
- National insurance number
- DBS numbers
- Birth certificate numbers
- Observations of children’s progress (Learning Journeys through EyLog)
- Children’s reports, pre-school or from outside professionals.
- Family medical history when necessary
Bodmin Pre-school stores personal information to comply with the Statutory Framework (EYFS 2017) to deliver services to our families such as government funding and to employ suitable people for our setting.
Processing of personal information.
All staff and volunteers who process or use any personal information are responsible for ensuring that:
- All personal information is kept securely.
- Personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party.
Staff and volunteers should note that unauthorised disclosure will be a disciplinary matter and may be considered gross misconduct in some cases.
Personal Information should be:
- Kept in a locked cabinet or
- In a locked cupboard or
- If it is computerised, be password protected
- Kept on a storage device which is itself kept securely.
Conversations and meetings
Information of a personal or confidential nature should not be discussed in a public area, in front of anyone that is not an employee of the Pre-school. Pre-school employees should be aware of confidentiality at all times when discussions are taking place, either distancing themselves from the conversation if it does not concern them, or, ensuring that their discussion is not overheard by others. All staff should respect the confidential nature of any information inadvertently overheard.
When meetings are being recorded it is important that only the relevant information is written down. This must be carried out using the correct forms provided by the Pre-school, notes must be written legibly and coherently. The written notes are then to be stored in a locked cupboard and disposed of (shredded) in a timely manner once the child/ family have left the setting (see retention periods for records).
Whenever information is collected about people, they should be informed why the information is being collected, who will be able to access it and to what purpose it will be put. The individual concerned must agree that he or she understands and gives permission for the declared processing to take place, or it must be necessary for the legitimate business of the Pre-school.
Sensitive information is defined by GDPR as that relating to ethnicity, political opinions, religious beliefs, trade union membership, physical or mental health, sex life, criminal proceedings or convictions. The person about whom this data is kept must give express consent to the processing of such data, except where the data processing is required by law for employment purposes or to protect the vital interests of the person or a third person.
Disposal of confidential information.
Sensitive material should be shredded as soon as it is no longer needed; following retention guidelines and statutory requirements. Particular care should be taken to delete information from the tablets and computer hard drive if they are to disposed of.
All staff are responsible for checking that any information that they provide to Bodmin Pre-school in connection with their employment is accurate and up to date. Staff have the right to access any personal data that is being kept about them, either on computer or in a manual filing system. Staff should be aware of and follow this policy and seek further guidance where necessary.
Duty to Disclose Information
There is a legal duty to disclose certain information, namely information about child abuse (which will be disclosed to MARU), drug trafficking, money laundering or acts of terrorism or treason (which will be disclosed to the police).
Retention of Data
Bodmin Pre-school takes care to only store personal information that is absolutely necessary. Personal information is kept for the period of time requested by the Pre-school Learning Alliance, these retention periods are either recommended or statutory. Stored information is filed in sealed filing boxes and locked in the Pre-school cupboard/cabinet. Once the retention period has lapsed, the information is destroyed. For retention periods see attached guidance.
Signed on behalf of the Committee: Nicola Bennett
Role of signatory: Setting Manager
Date of policy review: September 2019.