This article will review our GDPR and data protection policies to outline how we keep our data subject's information confidential and safe
At Hatching Dragons we recognise that we hold sensitive/confidential information about children and their families and the staff we employ. This information is used to meet children’s needs, for registers, invoices and emergency contacts. We store all records in a locked cabinet or on the office computer with files that are password protected in line with data protection principles. Any information shared with the staff team is done on a ‘need to know’ basis and treated in confidence. This policy will work alongside the Privacy Notice to ensure compliance under General Data Protection Regulation (Regulation (EU) 2016/679 (GDPR) and Data Protection Act 2018.
Legal requirements
- We follow the legal requirements set out in the Statutory Framework for the Early Years Foundation Stage (EYFS) 2024 and accompanying regulations about the information we must hold about registered children and their families and the staff working at the nursery
- We follow the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679 (GDPR), Data Protection Act 2018 and the Freedom of Information Act 2000 with regard to the storage of data and access to it.
Procedures
It is our intention to respect the privacy of children and their families and we do so by:
- Storing confidential records in a locked filing cabinet or on the office computer with files that are password protected
- Ensuring staff, student and volunteer inductions include an awareness of the importance of confidentiality and that information about the child and family is not shared outside of the nursery other than with relevant professionals who need to know that information. It is not shared with friends and family, discussions on the bus or at the local bar. If staff breach any confidentiality provisions, this may result in disciplinary action and, in serious cases, dismissal. Students on placement in the nursery are advised of our confidentiality policy and required to respect it
- Ensuring that all staff, volunteers and students are aware that this information is confidential and only for use within the nursery and to support the child’s best interests with parental permission
- Ensuring that parents have access to files and records of their own children but not to those of any other child, other than where relevant professionals such as the police or local authority children’s social care team decide this is not in the child’s best interest
- Ensuring all staff are aware that this information is confidential and only for use within the nursery setting. If any of this information is requested for whatever reason, the parent’s permission will always be sought other than in the circumstances above
- Ensuring staff do not discuss personal information given by parents with other members of staff, except where it affects planning for the child's needs
- Ensuring staff, students and volunteers are aware of and follow our social networking policy in relation to confidentiality
- Ensuring issues concerning the employment of staff remain confidential to the people directly involved with making personnel decisions
- Ensuring any concerns/evidence relating to a child's personal safety are kept in a secure, confidential file and are shared with as few people as possible on a ‘need-to-know’ basis. If, however, a child is considered at risk, our safeguarding/child protection policy will override confidentiality.
All the undertakings above are subject to the paramount commitment of the nursery, which is to the safety and well-being of the child.
General Data Protection Regulation (Regulation (EU) 2016/679 (GDPR) compliance
In order to meet our requirements under GDPR we will also undertake the following:
- We will ensure our terms & conditions, privacy and consent notices are easily accessed/made available in accurate and easy to understand language
- We will use your data only for [insert reasons] and only contact you [insert reasons] . We will not share or use your data for other purposes.
- Everyone in our nursery understands that people have the right to access their records or have their records amended or deleted (subject to other laws and regulations).
Staff and volunteer information
- All information and records relating to staff will be kept confidentially in a locked cabinet
- Individual staff may request to see their own personal file at any time.
Registered electronic devices with imaging and sharing capabilities
Sharing capabilities are managed and disabled for unapproved apps / equipment via central management system Jamf
All devices are registered and restricted through our central device management system Jamf which allows us to lock / disable and disarm devices if stolen / lost / damaged.
* devices must be disabled when third party providers are used to fix the devices.
Cyber Security Protocols
minimum level of cyber security requirements:
- All user accounts are password protected and passwords are updated no less frequently than every 60 days;
- Remote access to all systems and cloud services maintained, operated or used by our employees in the course of their employment which requires multi-factor authentication and remote access to the network through secure gateways (e.g. a VPN, 2FA);
- Access to administrative accounts requires multi-factor authentication;
- Data is appropriately secured, including as a minimum the encryption of all mobile and portable storage devices, e.g.enabling inbuilt encryption on laptops, mobile phones, USB drives (requiring a code for decryption);
- Native (inbuilt) email (e.g. Microsoft Office 365) and internet (e.g. web browser) security features are being used;
- Anti-virus software and anti-spyware is installed and updated in accordance with supplier recommendations, and security updates in respect of all software used by our company are installed in accordance with supplier recommendations.
- Firewalls are in place for all external gateways and updated in accordance with supplier recommendations.
- Basic security checks on key third parties are performed, e.g. asking main suppliers how they protect our data;
- Security logging is in place across critical IT systems, e.g. to capture login activity to your finance system; and
- All employees are made aware of their and the company's data privacy and information security responsibilities, and common risks and mitigations, through training which must be conducted no less frequently than annually. All employees complete General Data Protection e-training and Cyber Security e-training.
Password and system reset must be done every 8 weeks beginning 6th of January.
The schedule of password reset is planned and outlined on our Central Management Calendar for 56 day reminders.
Hints and tips
For more information on data protection and to register your nursery visit