top of page

Confidentiality & GDPR

Policy Statement
All information on children and families is kept securely and treated in confidence. Information will only be shared if the parents/carers give their permission or there appears to be a child protection issue. All records are kept secure. The details are easily accessible if any information is required for inspection by OFSTED. Children’s records should only be accessed on the premises unless authorisation is given.

We intend to meet all the requirements of the Data Protection Act 1998 and the General Data Protection Regulations 2018 when collecting, storing, and destroying personal data. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

We respect that the information you give to us about you and your child/children may be sensitive. We will keep written information about your child securely. 

We will not talk about confidential information to others, unless we need to do so to safeguard your child (please see our Safeguarding Children procedure) or to assist in the handover to other child carers as agreed with you. 

We will take into account data protection rules when disclosing records that refer to third parties. 

You are welcome to see any written information that we hold regarding your child at any time. 

All parents are free to view the policies which detail how we run our settings. 

Our certificate of registration is displayed and available to view by all parents. 

We are aware of the responsibilities under the data protection act 1998, the freedom of information act 2000 and the GDPR 2018. 

We maintain a record of parents and/or emergency contact details, the contact details of the child’s GP and appropriate signed consent forms. 

If a child is identified as a child in need [section 17 of the Children’s Act 1989) I will, with the parents permission, give appropriate information to referring agencies.

The General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998. It will give individuals greater control over their own personal data. It is necessary for us to collect personal information about the children who attend as well as staff and parents/carers.


GDPR condenses the Data Protection Principles into 8 areas, which are referred to as the Privacy Principles. They are:

You must have a lawful reason for collecting personal data and must do it in a fair and transparent way.

You must only use the data for the reason it is initially obtained.

You must not collect any more data than is necessary.

 It must be accurate and there must be mechanisms in place to keep it up to date.

You cannot keep it any longer than needed.

 You must protect the personal data.

You must have appropriate measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction/damage to personal Data.

Personal Data shall not be transferred to any outside agency or country within the EU that does not comply with the new General data protection regulations.

Your rights with respect to your data

Request access to the personal data we hold.

Objecting to the processing of personal data that is likely to cause, or is causing, damage or distress.

Prevent processing for direct marketing purposes.

Have inaccurate personal data rectified, blocked, erased or destroyed.

Claim compensation for damages caused by a breach of the General Data Protection Regulations.

Object to us making any automated decisions about your data.

Request that we transfer yours and your child’s personal data to another person.

If you wish to exercise any of these rights at any time or if you have any questions, comments or concerns about this privacy notice, or how we handle your data, please contact the manager. If you continue to have concerns about the way we handle your data and remain dissatisfied after speaking with us, you have the right to complain to the Information Commissioner Office (ICO).


bottom of page