Introduction

LoveSpring Nursery School is committed to ensuring that all personal data collected about children, parents, staff, governors, and visitors is handled in accordance with UK data protection law. We recognize the importance of protecting personal information and maintaining the trust of our nursery community.

We serve children aged 6 months to 5 years at our Coventry location (CV1 5HA), and our data protection practices are specifically designed to safeguard the sensitive information of young children and their families.

1. Policy Aims

Our Commitment

This policy aims to ensure that all personal data is:

  • Processed lawfully, fairly and transparently
  • Collected for specific, legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and kept up to date
  • Stored only for as long as necessary
  • Processed securely to prevent unauthorized access or loss

2. Legal Framework

2.1 Legislative Requirements

This policy complies with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Early Years Foundation Stage (EYFS) Framework 2024
  • Freedom of Information Act 2000
  • Children and Families Act 2014

2.2 EYFS Specific Requirements

Under the EYFS framework, we must:

  • Obtain necessary consents for photographs and observations
  • Maintain accurate records of children's development
  • Share information appropriately with other settings and professionals
  • Ensure secure storage of sensitive child information

3. Key Definitions

3.1 Data Protection Terminology

| Term | Definition | Nursery Example |
|---|---|---|
| Personal Data | Any information relating to an identifiable person | Child's name, address, medical information, photos |
| Special Category Data | More sensitive personal data requiring extra protection | Medical conditions, allergies, SEN information |
| Data Controller | Organization that determines how data is processed | LoveSpring Nursery School |
| Data Processor | Organization that processes data on our behalf | Nursery management software providers |
| Processing | Any operation performed on personal data | Recording, storing, using, sharing information |

4. Roles and Responsibilities

4.1 Designated Roles

| Role | Responsibilities | Contact |
|---|---|---|
| Data Protection Officer (DPO) | Oversee data protection compliance, staff training, breach management | [DPO's Name] |
| Nursery Manager | Day-to-day data protection implementation, staff supervision | [Manager's Name] |
| All Staff | Follow procedures, report concerns, maintain confidentiality | All team members |
| Governors/Trustees | Policy oversight, compliance monitoring, resource allocation | Chair of Governors |

4.2 Staff Responsibilities

All staff must:

  • Complete data protection training annually
  • Follow nursery procedures for handling personal data
  • Report any data protection concerns immediately
  • Maintain confidentiality at all times
  • Secure devices and paperwork containing personal data
  • Seek guidance when unsure about data handling

5. Data Collection and Processing

5.1 Lawful Bases for Processing

| Lawful Basis | Application | Examples |
|---|---|---|
| Legal Obligation | Processing required by law | EYFS records, safeguarding reports, attendance data |
| Vital Interests | Protecting someone's life | Medical emergency information, allergy details |
| Public Task | Official functions as an education provider | Educational progress tracking, assessment data |
| Consent | Explicit permission obtained | Photographs, marketing communications, special activities |

5.2 Information We Collect

Types of Personal Data

  • Child Information: Name, date of birth, address, medical needs, development records
  • Parent/Carer Information: Contact details, payment information, emergency contacts
  • Staff Information: Employment records, qualifications, DBS checks, training records
  • Special Category Data: Medical conditions, allergies, SEN information, dietary requirements

6. Data Sharing and Third Parties

6.1 Approved Data Sharing

| Third Party | Purpose | Data Shared |
|---|---|---|
| Local Authority | Funding claims, safeguarding, statutory requirements | Child details, attendance, progress data |
| Health Professionals | Medical care, health assessments | Medical information, development concerns |
| Other Settings | Transition arrangements | Learning journals, progress summaries |
| Software Providers | Nursery management systems | Child and family information (with safeguards) |

6.2 Sharing Principles

  • Only share data when necessary and with appropriate safeguards
  • Obtain consent for non-essential sharing
  • Use data sharing agreements with third parties
  • Ensure international transfers comply with UK law
  • Record all data sharing activities

7. Individual Rights

7.1 Data Subject Rights

| Right | Description | Response Time |
|---|---|---|
| Access | Right to see personal data we hold | 1 month |
| Rectification | Right to correct inaccurate data | 1 month |
| Erasure | Right to be forgotten in certain circumstances | 1 month |
| Restriction | Right to limit processing in certain circumstances | 1 month |
| Portability | Right to receive data in transferable format | 1 month |
| Objection | Right to object to certain processing | 1 month |

7.2 Children's Rights

Age-Appropriate Approach

  • Children under 12: Generally considered unable to understand data rights fully
  • Children 12+: Increasing capacity to understand and exercise rights
  • Parental requests: Usually granted for younger children, considered case-by-case for older children
  • Child's best interests: Always paramount in decision-making

8. Photographs and Digital Media

8.1 Consent and Usage

| Media Type | Consent Required | Usage Examples |
|---|---|---|
| Learning Journals | Implied consent for educational purposes | Development records, progress tracking |
| Nursery Displays | Specific consent for internal display | Classroom walls, corridor displays |
| Website/Social Media | Explicit written consent | Website gallery, social media posts |
| Marketing Materials | Explicit written consent | Brochures, prospectuses, advertisements |

8.2 Parent Photography Guidelines

  • Personal photos must not be shared on social media without consent of other parents
  • No photography during performances or events without permission
  • Respect other families' privacy preferences
  • Follow nursery's digital safety guidelines

9. Data Security

9.1 Security Measures

| Security Area | Measures | Responsibility |
|---|---|---|
| Physical Security | Locked filing cabinets, secure premises, visitor signing-in | All Staff |
| Digital Security | Password protection, encryption, secure backups | Management + IT Support |
| Access Control | Role-based access, regular access reviews | Nursery Manager |
| Device Security | Encrypted devices, secure disposal, remote wipe capability | All Device Users |

9.2 Artificial Intelligence Guidelines

AI Usage Restrictions

  • No personal data to be entered into public AI tools (e.g., ChatGPT)
  • Only approved, secure AI tools may be used for nursery purposes
  • Staff training on AI risks and appropriate usage
  • Breach procedures apply to unauthorized AI data entry

10. Data Breach Management

10.1 Breach Response Procedure

Immediate Actions

  1. Report: Immediately notify DPO of suspected breach
  2. Contain: Take steps to limit further data exposure
  3. Assess: Determine severity and potential impact
  4. Notify: Inform ICO within 72 hours if required
  5. Communicate: Tell affected individuals if high risk
  6. Investigate: Identify cause and implement prevention
  7. Review: Learn from incident and improve procedures

10.2 Common Breach Scenarios

| Scenario | Immediate Action | Prevention Measures |
|---|---|---|
| Email Mis-send | Recall email, contact recipients | Double-check addresses, use secure transfer methods |
| Lost Device | Remote wipe, change passwords | Device encryption, regular backups |
| Paperwork Loss | Search premises, secure area | Secure storage, minimal printing, shredding |
| Unauthorized Access | Reset access, investigate source | Strong passwords, access reviews, monitoring |

11. Record Retention

11.1 Retention Schedule

| Record Type | Retention Period | Disposal Method |
|---|---|---|
| Child Records | Until child reaches 25 years old | Secure shredding / deletion |
| Accident Records | Until child reaches 21 years old | Secure shredding |
| Staff Records | 6 years after employment ends | Secure shredding / deletion |
| Financial Records | 7 years | Secure shredding |
| Consent Forms | Until consent withdrawn or child leaves | Secure shredding |

12. Training and Monitoring

12.1 Staff Development

| Training Type | Frequency | Participants |
|---|---|---|
| Induction Training | On appointment | New Staff |
| Annual Update | Annually | All Staff |
| Specialist Training | As needed | Management Team |
| Breach Response | Termly refresher | All Staff |

12.2 Monitoring and Review

  • Annual policy review by DPO and management team
  • Regular audits of data processing activities
  • Termly review of data breaches and near-misses
  • Ongoing compliance monitoring with UK GDPR
  • Staff performance includes data protection compliance

13. Contact Information

Data Protection Officer: [DPO's Name]

Nursery Manager: [Manager's Name]

LoveSpring Nursery School: Coventry, CV1 5HA

Telephone: +44 (0)24 1234 5678

Email: dpo@lovespringnursery.co.uk

ICO Helpline: 0303 123 1113

Date of Policy: [Current Date]

Last Reviewed: [Current Date]

Next Review Due: [One year from current date]

Signed: _________________________

Position: Nursery Manager/Owner, LoveSpring Nursery School
