Skip to main content

Data Protection

Tiddlywinks Day Nursery adheres and aims to fulfil our obligations under the General Data Protection Regulation (GDPR) 2016 to the fullest extent. This policy sets out our commitment to protecting personal data and how that commitment is implemented in respect of the collecting, processing, using, storing and sharing of personal data. This policy protects employees, children and their families against the misuse of personal data and covers both hardcopy and electronic records.

We have a designated Data Protection Co-ordinator who is responsible for ensuring our staff teams comply with the GDPR.

Their contact details are:

Tiddlywinks Day Nursery is registered with the Information Commissioners Office (ICO). We are aware that data protection legislation applies equally to children and staff. Article 5 of the GDPR sets out the principles that we work to:

  • Data must be processed fairly and lawfully and in a transparent manner.
  • Data must only be obtained and processed for specific and lawful purposes.
  • Data must be adequate, relevant and not excessive (limited to what is necessary).
  • Data must be accurate and kept up to date.
  • Data must be held securely.
  • Data must not be kept for longer than necessary.

We use the GDPR rights for individuals:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision-making and profiling.

All staff members have undertaken training in the GDPR and are aware of their responsibilities in collecting, using and sharing data.

We have a privacy notice that sets out the lawful bases for processing the data, the legitimate interests for the processing, individual’s rights and the source of the personal data.

We have a process in place to record any data breaches and a form for reporting breaches to the ICO and any investigations.

We have an asset register in place to record the different types of information and documentation that we hold. This is updated regularly. We also have a spreadsheet showing how information is processed, stored and shared.

Procedures applicable to information held about children

  1. A child’s educational record will be disclosed to their parent or carer on submission of a written request. Requests will only be refused if it is obvious the requester does not understand what they are asking for, or if disclosure is likely to cause them or anyone else serious physical or mental harm.
  2. A child’s educational record will be made available without charge within 15 working days of receipt of the written request. If a copy of the information is requested, a charge will be made but it will not exceed the cost of supply.
  3. When a child moves to a new school, a completed Transition Record relating to the child will be sent to the new school. This includes copies of reports and any personal education plans. To ensure security, this data will be sent electronically using a secure email system no later than 15 days of the child ceasing to attend the setting, where possible. If the new school is not known, every effort will be made to contact the parents or carers by post, telephone or email.
  4. Children’s records will be stored securely. Paper files are locked in cabinets in the manager’s office. Electronic files are stored securely through our Connect Childcare server. Computers within the provision are kept secure with appropriate software to ensure maximum protection against ransom and malware which is regularly updated. All data is securely backed up through encrypted mobile storage devices.
  5. Information that is shared is done securely using a secure email system or password protection of the document.

Procedures applicable to information held about staff

  1. A copy of staff member’s personal data is sent to each member of staff during their supervisions four times a year. This applies to all data, whether held on computer or as hard copy.
  2. Members of staff are required to read this information carefully and inform their manager during the meeting if they believe that anything is inaccurate or untrue, or if they are dissatisfied with the information in any way.
  3. Requests for additional access must be sent in writing to their line manager. Each request will be judged in light of the nature of the information in question and the frequency with which it is updated. The member of staff will then be informed whether or not the request is granted. In the event of a disagreement, the matter will be taken up under the formal grievance procedure.
  4. If a request for additional access is granted, the information will be provided within 30 days of the date of the request. A fee will not be charged to gain access to the data. However, we can charge a “reasonable fee” if a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

Purposes for which Personal Data may be held

Personal data relating to employees may be collected primarily for the purposes of:

  • Recruitment, promotion, training, redeployment and/ or career development
  • Administration and payment of wages
  • Calculation of certain benefits including pensions
  • Disciplinary for performance management purposes
  • Staff Supervision review
  • Recording of communication with employees and their representatives
  • Compliance with legislation
  • Provision of references to finance institutions, to facilitate entry onto educational courses and/or to assist future potential employers
  • Staffing levels and career planning

Tiddlywinks Day Nursery considers that the following personal data falls within the categories set out above:

  • Personal details including name, address, age, status qualifications. Where specific monitoring systems are in place, ethnic origin and nationally will also be deemed as relevant
  • References
  • Emergency contact details
  • Notes on discussions between management and the employee
  • Supervision documentation and documents relating to grievances, discipline, promotion, demotion or termination of employment
  • Salary, benefits and bank/building society details
  • Absence and sickness information
  • Personal data must not be disclosed, either within or outside the company, to any unauthorised recipient
  • Personal data must only be used for one or more of the purposes specified in this policy
  • Company documents may only be used in accordance statement within each document stating its intended use
  • Provided that the identification of the individual employee is not disclosed, summative or statistical information may be used to respond to any legitimate internal or external requests for data (e.g. surveys, staffing level figures)

Disclosure of Personal Data

Personal data may only be disclosed outside the Company with the employee’s written consent, where disclosure is required by law or where there is immediate danger of the employee’s health.


Procedures applicable to any third parties that we are contracted with

Organisations we have contracts with we ensure we have:

  • Copies of documents from each contractor confirming their compliance with GDPR.
  • Agreed safe sharing of information.
  • Confidentiality agreements are in place.

No information will be shared until the identification of the person making the request can be verified through security questions, identity checks or through reverse contact (phoning the persons head office). All electronic data will be sent via email through a secure encrypted platform.

Accuracy of Personal Data

In order to ensure staff individuals files are up to date, and so that the company is able to contact the employee or, in the case of an emergency, another designated person, employees must notify the company as soon as possible of any change in their personal details (e.g., change of name, address, telephone number, loss of driving licence were relevant, next of kin details, etc.).

Copies of personal records will be issued to all employees on an annual basis for the purpose of ensuring the data is up to date and accurate. Employees will be entitled to amend any incorrect details and these corrections will be made to the files held on the company’s information systems. In some cases, documentary evidence, e.g., qualification certificates will be requested before any changes are made.

Once completed, these records will be stored in the employee’s personal file.

Access to Personal Data (“Subject Access Requests”)

Employees have the right to access personal data held about them. The Administrator will arrange for the employee to see the personal data held about them within 30 days of receipt of the written request and subject to the £10.00 administration fee.



OFSTED Judgement – Effectiveness of Leadership & Management

Statutory Framework for the Early Years Foundation Stage – The Safeguarding & Welfare Requirements – Introduction – 3.2, Information & Records – 3.68 & 3.69

Tiddlywinks Policies & Procedures – Access to Information, Confidentiality, Legislation, Retention of Records, Working in Partnership with Parents & Carers, Working in Partnership with Multi-Agencies