BRIGHTER DAYS KIDS CLUB
DATA PROTECTION POLICY (GENERAL DATA PROTECTION REGULATION COMPLIANT) AND PRIVACY NOTICES
Our lawful basis to process data is
Legitimate Interest and annexed to this policy is our Legitimate Interest
Assessment (LIA), which details how, where and why we hold certain data.
Further annexes to this policy are Privacy Notices.
In this policy data deletion means
that Paper data that is no longer required is erased 2 months after the end of
the academic year and Electronic data is erased 2 years after the child/ren’s
attendance has ceased.
At Brighter Days Kids Club we handle
personal data relating to a living individual who can be identified from that
information, i.e. Name and DOB. We also hold Sensitive Personal Data which is
any data that can be used in a discriminatory way, such as religion,
ethnicity, medical conditions, behavioural needs, anything that can be viewed
as information that can be used to bully. At Brighter days, data is held in
both electronic and/or paper format.
Brighter days is Registered with the
Information Commissioner’s Office (ICO) under the Data Protection Act 1998 and
we are General Data Protection Regulation (GDPR) compliant. Brighter days
Registration Certificate Reference number is 00250000065 and Brighter days Data
Protection Officer / Data Protection Controller is JESSIE GEORGE who is
ultimately responsible for ensuring that Brighter days meets all its legal
requirements.
Right to Erasure: We will only delete photos/digital images and videos from
our website, promotional material and Facebook page if it is reasonable to do
so and is not going to involve disproportionate effort. We refuse to destroy
any data that we must hold for statutory reasons, such as Health and Safety and
Safeguarding data and there might be times when we refuse to comply with a
request for erasure for certain reasons. Data that Brighter days collects is to
protect the interests of parents/carers/children/staff and we ensure we are not
using data in ways that are deemed as intrusive or which could cause harm
unless we have very good reason.
Subject Access Request: Parents/carers/children/staff have a right to request
to see all their data that Brighter days holds about them. Brighter days will
provide the requested information in easy formats such as PDF/XLS/CSV within 30
days. If our data is found to be incorrect or out of date, we will update it
promptly. If any individual about whom we hold data has a complaint about how
we have kept their information secure, or how we have responded to a subject
access request, they may complain to the Information Commissioner’s Office
(ICO).
Data Protection Law: The Data Protection Act 1998 and GDPR compliancy
describes how organisations such as Brighter days Childcare Services must
collect, handle and store personal information. This Policy is to comply with
both the Law and Good Practice of Brighter days and respect individual rights
and will include: Staff, Individual Children and Families of Brighter days.
These rules apply regardless of whether data is stored electronically, on paper
or on other materials. To comply with the law, personal information must be
collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say
that personal data must:
1. Be processed fairly and lawfully
2. Be obtained only for specific, lawful purposes
3. Be adequate, relevant and not excessive
4. Be accurate and kept up to date
5. Not be held for any longer than necessary
6. Be processed in accordance with the rights of data subjects
7. Be protected in appropriate ways
8. Not be transferred outside the European Economic Area (EEA), unless that
country or territory also ensures an adequate level of protection.
This Policy applies to information held physically and digitally.
This Policy supports and protects Brighter days from data security risks, including:
• Breaches of Confidentiality: For instance,
information being given out inappropriately. If a serious breach occurs,
Brighter days will notify ICO within 72 hours from becoming aware of the
breach. We understand there is no allowance for weekends or bank holidays.
• Failing to offer choice: For instance, all
individuals should be free to choose how Brighter days uses data relating to
them
• Reputational Damage: For instance,
Brighter days could suffer if hackers successfully gained access to sensitive
data
• Breach of Security: For instance, allowing
access to data by someone unauthorised
Responsibilities:
Brighter days recognises that there may be
issues that arise which are sensitive and should not be discussed in an open
forum. Management, Staff and volunteers are expected to maintain
confidentiality about all issues relating to individuals, families, children
and staff contracted by Brighter days Childcare Services. Data Protection forms
part of staff’s induction.
There will be times when staff will
discuss issues within a staff meeting or other meetings, but these are not to
be discussed outside the meeting/setting. The Management will also discuss
matters relating to staff and these discussions will also be kept to the
confines of the meeting/setting.
Brighter days recognises that personal
information is given to us for specific reasons only and we take our duty of
care regarding confidentiality very seriously. All records are kept
confidential and secure on and off site.
Everyone who works for Brighter days
has responsibility for ensuring data is collected, stored and handled
appropriately. Each staff member that handles personal data must ensure that it is
handled and processed in line with this Policy, Data Protection Principles and
Data Protection Registration Requirements.
Data will only be shared with third
parties for the safety and well-being of the children in our care. We will only
share information about a child/ren with outside agencies on a need-to-know
basis and with consent from parents, except in cases relating to safeguarding
children, criminal activity, or if required by legally authorised bodies (e.g.
Police, HMRC, etc). If we decide to share information without parental consent,
we will record this in the child’s file, clearly stating our reasons.
Data Storage and destruction:
Brighter days data is held within an
individual Registration Pack which is in paper format and is stored on site
securely in a locked fireproof cabinet; staff personnel records are also stored
in this way.
This electronic data is protected
from unauthorised access, accidental deletion, and malicious hacking attempts.
We use strong passwords that only the Management of Brighter days have access
to; copies of personal data are never transferred to personal computers or
other devices; all servers and computers used by Brighter days are protected by
a firewall and security/encryption software.
Once a
child/parent/carer/staff/volunteer/visitor has left Brighter days, their data
will be held for 2 months after the current academic year has ended and a
further 2 years thereafter. After which, all data will be destroyed unless the
data is regarding Health & Safety and Safeguarding purposes. When Brighter
days retains data that is relating to Health & Safety/Safeguarding, it
will not be shared unless required by Law. Any electronic data will be deleted
after the referred to time and removed from the recycle bin which will also be
emptied at this time. Paper data will be shredded using a cross cut shredder
within the referred to time. Any personal and payroll data forms part of HMRC
requirements and will be retained for seven years before being destroyed.