Data Protection Policy

The GDPR is an EU directive regarding data protection and management. This is being managed by the Information Commissioner’s Office (ICO). It replaces the Data Protection Act (94/46/EC) OF 1995. The GDPR aims primarily to give increased control to the public over their personal data.

GDPR – What does it cover?

The GDPR covers the management and control of personal data within organisations. Personal data is defined as any information (data file or paper copy) relating to an identified or identifiable individual; an identifiable person is one who can be identified, directly or indirectly.

Any information which can be used to identify an individual constitutes personal data. Examples of personal data:

  • Names and date of birth
  • Addresses of parents and children
  • Personal phone numbers (landline or mobile)
  • Personal email addresses
  • Employee records
  • Financial records identifying a person (bank details)

Specific data examples:

  • Job applications
  • DBS checks
  • Former employees
  • Parents/carers details
  • I if checking eligibility, e.g. 2-year-old and 30 hour offer
  • Children’s records
  • Accident records
  • Medication records
  • SEND records
  • Safeguarding records
  • Notes taken room staff
  • Attendance records
  • Observations
  • Photographs
  • Transition documents
  • Outing records
  • DFE Census data
  • LA data
  • Software programs
  • Staff boards
  • Disqualification by association.

This list is not exhaustive of the data that you may hold. These data types have all to be audited and risk assessed.

Migration of risks

Some examples of how we mitigate or lower the risks from our data audit:

  • We have lockable filing cabinets in the office
  • Software, such as First Steps is password protected
  • We have anti-virus and malware installed on our ICT equipment to minimize any breaches

GDPR and lawful processing

GDPR states that personal data shall be ‘processed fairly and lawfully’ and ‘collected for specified, explicit and legitimate purposes’. Although consent is a great part of GDPR, we have additional lawful obligations that require us to collect, process, share and store personal data. We must hold data in order to comply with the EYFS Statutory Framework, local authority, DFE and Ofsted requirement, and retain them for a period of time. Our Privacy Notice (see appendix) explains the data we hold and the reasons why we hold such information for both parents and staff.

Retention of Data

All timescales are set in the UK by Government guidelines:

  • Statutory guidance and laws, e.g. Children Act, children and Families Act, EYFS, Ofsted, Safeguarding, DFE, Data Protection Act.
  • HMRC- employment law principles and record keeping
  • Health and Safety Directives


  • Records must be kept for 7 years
  • Staff wages records for 3 years
  • All business records must be retained for a period of 7 years
  • We keep minutes of meetings and resolutions for at least 10 years from the date of the meeting
  • Accidents and incident forms for children must be kept until the child is 21 years and three months
  • Safeguarding records must be kept until the child turns 25 years old
  • A health record must be kept for all employees under health surveillance
  • Records are important because they allow links between exposure and any health effects
  • Staff health records, or a copy, should be kept secure for at least 40 years from the date of the last entry because often there could be a long period between exposure and onset of ill health
  • Insurance certificates must be kept for 40 years.

What we do:

  • We are registered with the Information Commissioner’s Office (ICO), this organization is an independent body set up to uphold information rights in the public interest.
  • We have completed a data audit and identified any potential risks
  • We have migrated any potential risks
  • We will report any breaches to the ICO when necessary.