Truly Scrumptious E Y Nursery 

General Data Protection Regulation (GDPR) Policy


Purpose of this Policy

This policy outlines how Truly Scrumptious Early Years Nursery ensures compliance with the UK General Data Protection Regulation (UK GDPR), which came into effect on 25th May 2018, replacing the Data Protection Act 1998. The regulation gives individuals greater control over their personal data and places obligations on organisations that collect, store, and process it.

As part of our operation, we are required to collect, store, and sometimes share personal data relating to children, parents/carers, and staff. We take our responsibilities under the UK GDPR seriously and are committed to handling personal data lawfully, transparently, and securely.


ICO Registration

Truly Scrumptious Early Years Nursery is registered with the Information Commissioner’s Office (ICO) under registration number Z2390392, registered since 23rd September 2010. A copy of our registration certificate is displayed in the nursery for parents and carers to view.


Principles of Data Protection

Under the UK GDPR, we must adhere to the seven key principles of data processing:

  1. Lawfulness, Fairness, and Transparency
    Personal data must be processed lawfully, fairly, and in a transparent manner.

  2. Purpose Limitation
    Data is collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.

  3. Data Minimisation
    We only collect data that is adequate, relevant, and limited to what is necessary.

  4. Accuracy
    Data must be accurate and kept up to date.

  5. Storage Limitation
    Personal data will not be retained longer than necessary.

  6. Integrity and Confidentiality
    Personal data is processed securely to prevent unauthorised access, loss, or damage.

  7. Accountability
    We are responsible for, and must be able to demonstrate, compliance with these principles.


Individual Rights under the UK GDPR

All individuals have the following rights regarding their personal data:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure (‘right to be forgotten’)

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights in relation to automated decision-making and profiling

We will respond to any request regarding these rights within one calendar month.


Data Controller and Data Processor Roles

As a childcare provider, Truly Scrumptious Nursery is the Data Controller. We determine the purposes and means of processing personal data.

We may share data with third-party services (e.g., local authorities, software systems), making them Data Processors. We ensure that any Data Processor we use is GDPR-compliant and bound by appropriate contractual obligations.


Lawful Basis for Processing Data

We must have a lawful basis for processing personal data. The six lawful bases under the UK GDPR are:

  1. Consent – the individual has given clear permission.

  2. Contract – processing is necessary for a contract.

  3. Legal Obligation – necessary to comply with a legal requirement.

  4. Vital Interests – necessary to protect someone’s life.

  5. Public Task – carried out in the public interest or in the exercise of official authority.

  6. Legitimate Interests – necessary for legitimate interests (except where overridden by the individual’s rights).

For most data collected, including names, contact information, medical details, and attendance, our legal obligation under the Statutory Framework for the Early Years Foundation Stage is the lawful basis.

Where data processing is not mandatory (e.g., photographs), explicit consent is required. Consent is sought via a clear opt-in process and can be withdrawn at any time.


Privacy Notices

We provide all staff and parents/carers with privacy notices explaining:

  • What data we collect and why

  • How data is stored and retained

  • Who we may share data with and why

  • Their rights under the UK GDPR

  • How to raise concerns

These notices are updated regularly and issued at the point of data collection.


Data Retention

We retain personal data only for as long as necessary and in line with statutory guidance and our internal Record Retention Policy. After the retention period, all data is securely disposed of.

For example:

  • Accident records: 3 years (or until the child is 21 if relating to a child)

  • Child records: Retained for a minimum of 3 years after the child has left the setting

A full retention schedule is available upon request.


Data Security

We are committed to ensuring personal data is secure by:

  • Storing paper records in locked cabinets

  • Ensuring electronic records are password-protected

  • Limiting access to data to authorised staff only

  • Regularly updating and monitoring our cybersecurity measures

Staff receive ongoing training in data security and are reminded of their confidentiality obligations.


Data Breaches

In the event of a personal data breach:

  • The incident will be investigated promptly by the designated compliance leads.

  • If the breach presents a risk to rights and freedoms, it will be reported to the ICO within 72 hours.

  • Affected individuals will be informed when required.

All breaches are documented, regardless of severity.


Responsibilities and Compliance

The following individuals are responsible for data protection compliance within the setting:

  • Patricia

  • Hayley

  • Brittany

Their responsibilities include:

  • Conducting data audits

  • Ensuring policies are up to date

  • Providing training to staff

  • Investigating data breaches

  • Monitoring compliance with current legislation


Legal Framework

This policy is based on the following legislation:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Human Rights Act 1998

  • Freedom of Information Act 2000 (where applicable)

  • Statutory Framework for the Early Years Foundation Stage (EYFS)


Policy Review

This policy is reviewed annually or in response to significant changes in data protection laws or nursery procedures.

Last Reviewed: August 2024
Next Review Due: August 2025

    Policy Written By Brittany V – May 2018 

    Reviewed by Brittany V – Manager – 27/05/2025