Privacy and GDPR

Stepping Stones Pre School

General Data Protection Regulation Policy

The Data Protection Act 2018, which includes the General Data Protection Regulation (GDPR), came into effect on 25th May 2018 and replaces the Data Protection Act 1998. It gives individuals greater control over their own personal data. There are six principles, which are referred to as the Privacy Principles.

  • We will have a lawful reason for collecting personal data and do it in a fair and transparent way
  • We will only use the data for the reason it is initially obtained
  • We will not collect any more data than is necessary
  • Data will be accurate and we will have mechanisms in place to keep it up to date.
  • We will keep it for no longer than needed
  • We will protect personal data

These privacy principles are supported by a further principle of accountability.

To support these regulations, Stepping Stones Pre School will ensure that all staff are trained in Data Protection and are aware of the correct handling of the data of the families and staff in the setting. All documentation that relates to GDPR will be retained to show compliance is achieved. During our booking procedures parents will be notified about how we will use their data, who we might share it with and how long we will keep it. During our interview and selection process prospective staff will be made aware of what their data will be used for and how long it will be kept. Parents and staff will be informed that they have the right to withdraw their consent for Stepping Stones to have their data at any time.

Under these new and enhanced rights, Stepping Stones Pre School will:

  • Tell parents and staff what data we are collecting and what we will do with it
  • Allow parents and staff to see their data after it has been collected
  • Allow parents and staff to change data that is incorrect
  • Remove data that we have no legal right to collect
  • Shred data once parents and staff have left the setting unless legally obliged to keep it
  • Inform other data processors if someone asks us not to use their data
  • Let people take their data away
  • Take account of objections to what we hold and do with their data
  • Allow parents and staff to ask us not to make any automated decisions about their data.

Data will only be processed if the lawful conditions for use are met. This will be to comply with a legal obligation, or after the data subject has given their consent, or if the data is needed to protect the vital interests of the parent or staff member. Data processing might also be necessary for performing a task carried out in the public interest.

We will have agreements for processing data with other data processors that protect the rights of the parents, children and staff in the setting. All pre-existing agreements will be re-negotiated to ensure compliance with the new regulations if they are due to continue beyond 25th May 2018. All new data protection within the setting will be fully compliant with the new regulations.

Stepping Stones Pre School will inform the Information Commissioner’s Office of any data breach within 72 hours of becoming aware of the breach. If it is a high risk to the individual, for example, if the type of data compromised could lead to identity theft and fraud, then the families would be notified as soon as possible.

All families and staff have the right to withdraw their consent for Stepping Stones Pre School to store their data at any time and the right to lodge a complaint with the Information Commissioner’s Office if their Data Protection rights are felt to be compromised.

The Data Protection Officer is Val Cuff.

The Deputy Data Protection Officer is Donna Peters.