DPR came into force on the 25th May 2018. It complements the 2018 Data Protection Act which replaced and updated the existing Data Protection Act of 1998. Wboosc has registered with the Information commissioner’s office (ICO) and updates annually.
Wboosc aims to fulfil all its obligations under the GDPR 2018. This policy sets out our commitment to protecting all the information we need and our commitment in collecting, processing, using, storing and sharing personal data appropriately.
We have a privacy notice which shows our lawful basis of processing the data, our legitimate interest for the processing, individual’s rights and the source of the personal data we keep.
Within Wboosc we keep and regularly use various types of data from our CIR and contact details to observations taken on children. We legally have to keep certain information for longer periods to comply with the Children’s Act and Ofsted EYFS guidelines.
We have a process in place to record any data breach that may occur, recording this on a data breach admission form, investigating the breach and informing the Childcare directors, and for reporting data breaches to the Information Commissioner office (ICO). We must inform the ICO within 72hours if we detect a breach of data.
All staff are trained in GDPR as part of our induction training and they are aware of their responsibility in collecting, sharing and using of personal data. All of our staff have also completed Non- disclosure agreements with WBOOSC to assist in protecting confidential and sensitive data within the setting and are made aware of the information they are allowed access to.
These forms stipulate that “all employees must protect WBOOSC ltd confidential information and must not disclose it to any parties without authorisation”
We have a document in place to show how long we keep records -only keeping records that are applicable and appropriate with a genuine legal reason to retain. The EYFS states that records need to be retained for a set amount of time. We follow rules set out from authorities when deciding how long we need to keep documentation.
There are 6 lawful basis for processing data within Wboosc.
The six reasons are set out in Article 6 of the General Data Protection Regulation (GDPR) as detailed below:
1. Consent: The individual has given clear consent for you to process their personal data for a specific purpose. Within our setting this may include the use of children’s photographs or permission to travel in the minibus.
2. Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. This might include contractual permission for us to care for your child or to access funding or agree a place with us.
3. Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations). This may include providing a person’s details to legal authorities upon request.
4. Vital interests: The processing is necessary to protect someone’s life. This may include sharing children’s information with emergency services if needed - although we also have consent for this in our contracts.
5. Public task: The processing is necessary for you to perform a task in the public interest or for your official function and the task or function has a clear basis in law. For us this may include government’s stats and consensus data.
6. Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Procedure
We are aware that GDPR applies to our parents, children and our staff equally.
Article 5 of the GDPR sets out the principles that we work to.
• Data must be processed fairly, lawfully and in a transparent manner.
• Data must only be obtained for specified and lawful purposes.
• Data must be adequate, relevant and not excessive (limited to what is necessary).
• Data must be accurate and up to date.
• Data must not be kept for longer than necessary.
• Data must be securely kept.
We use the GDPR rights for individuals.
• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Rights in relation to automated decision-making and profiling.
The following procedures apply to information held about children.
1. Every member of our wboosc team is individually responsible for data security and must make sure they fully understand their level of responsibility. This policy details the protection of data but is not exhaustive in its examples – it is therefore essential that any potential breaches or opportunity of accidental breaches are reported immediately to line managers and fed up the line of command to wboosc Directors.
2. A child’s educational records will be disclosed to their parent or carer on submission of a written request within 48 hours. Requests will only be refused if it is obvious the requester does not understand what they are asking for, or if disclosure is likely to cause them or anyone else serious physical or mental harm.
3. When a child moves to a new school, a completed Transfer File together with all educational records relating to the child will be sent to their new school. This includes copies of reports and any personal education plans. If the new school is not known, every effort will be made to contact the parents or carers by post, telephone or email.
4. Children’s paper records are stored appropriately onsite in a lockable room or in a locked office at our Playroom nursery site . The office is only used by authorised staff and is not accessible by parents or visitors. If meetings are held in the office for any reason, then visitors will be accompanied by a competent member of staff. This room remains locked when not in use. Electronic files are stored on USB sticks that are safely stored when not in use. Any email discussions relating to a child are limited to initials and only sent through wboosc email accounts. These emails are only to be used between wboosc employees and must never be used to email external email accounts to maintain the highest level of security. These are over seen by the Childcare Director to ensure only suitable information is being sent. All Wboosc computers have Antivirus software installed which automatically renews to ensure our computers are fully protected. All long term digital data is securely backed up to hard drives which are not connected to the internet.
5. All staff are aware they must keep information stored on their clipboard safe at all times and must ensure the safety of the clipboard at all times.
6. Information that is shared is done securely using a secure email system or password protection of the document.
7. Only information that is necessary for the current working day ie; Register – Visitors Book – Medicines record – Accidents Record will be held on the daily plan clipboard.
8. If a parent wishes to see information kept on their child, reference should immediately be made to the site manager with the childcare director also being notified.
The following procedures apply to information held about staff.
1. It is each member of staff’s responsibility to ensure they complete a staff current details update sheet for any changes to their personal information. Data on computer is held securely offsite under the responsibility of the Children’s director. Staff have individual paper files stored in a locked cupboard. We are moving towards being a paperless organisation.
2. Requests for additional access must be sent directly to the Childcare director in writing. Each request will be judged in light of the nature of the information in question and the frequency with which it is updated. The member of staff will then be informed whether or not the request is granted. In the event of a disagreement, the matter will be taken up under the formal grievance procedure.
3. If a request for additional access is granted, the information will be provided within 30 days of the date of the request. A fee will not be charged to gain access to the data. However, we can charge a “reasonable fee” if a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.
How does this affect our practice?
1. We must maintain an element of secure storage of data within the building. This means tidy clipboards, not allowing paper work to be left out that can be viewed by unauthorised people eg; parents.
2. No paperwork other than Medication required documents should go offsite with children. CIRs of children on trips must be maintained on site at all times. In the case of kids’ club holiday club, the relevant paperwork will be kept at the Administration Centre in nursery.
3. It is the responsibility of each Team Leader to ensure that all trips, displays etc naming children comply with the consents given by their parents and they have full responsibility for safe storage of all documents in their rooms naming children. Displays of children’s work, birthdays etc. should only show the child’s first name.
4. Team Leaders MUST ensure that all members of their team are using correct email addresses that parents have provided and only sending information out to the given parents’ email address.
5. Parents will be requested to provide us with an email address that they are happy other families can see in emergencies if staff slip up with cc and bcc.
6. Where group emails are sent out from wboosc; Team Leaders and Managers must ensure that the email is sent to wboosc with the bcc being used for parents’ email addresses.
7. Cameras are securely stored at all times and that they are kept in the designated place, under the supervision of the Manager when not in use.
8. Information sticks and computer records must be kept securely at all times and stored in the locked, accessible toilet when not in use. When the Admin Centre is not in use, the door must be locked to prevent un-authorised absence. External members eg; training providers must never be left unattended. If this is likely, this area should not be used for training etc.
9. All CIR’s are stored appropriately and not shared with anyone else.
10. We need to collectively manage the information that may be left out in the Admin Centre or kids club sites.
11. Reminder displays – the main display by the door should be discreet and only have initials not full names of children used.
12. Reminder displays of children’s dietary and medical needs must be discreet and ideally out of obvious view of parents and visitors eg; tucked behind the wall where the food is prepared or inside the kitchen cupboard at the studio. A separate file should be maintained at the Infants for those preparing food in the kitchen.
To View the privacy notice for Kids Club HQ please see {{KCHQPrivacyNotice}}
Kind regards,
Wboosc Ltd
