1. Introduction and Legal Framework
This policy outlines how personal data is managed to protect family privacy while meeting legal childminding obligations. We operate in accordance with the Data Protection Act 2018, GDPR, and EYFS requirements. As a data controller, we are registered with the Information Commissioner's Office (ICO) and renew this registration annually.
2. Data Collection and Purpose
We collect essential information to ensure the safety, health, and well-being of every child.
- Types of Data: This includes identification (names, birth certificates), health records (medical needs, allergies), and safeguarding documentation (emergency contacts).
- Reason for Collection: Data is required to fulfil the childminding contract, meet Ofsted registration requirements, and protect the vital interests of the child during medical emergencies.
3. Storage and Security
Information is protected using a combination of physical and digital security measures:
- Paper Records: Stored in locked containers within a private, restricted study.
- Digital Records: Kept on a password-protected desktop or a dedicated business iPhone secured with Touch ID and a PIN.
- No Cloud Backups: To enhance security, the business phone does not use automatic cloud or iCloud backups.
4. Information Sharing
While most data remains private, it may be shared with:
- Local Authorities: Such as Northumberland County Council for funding, SEND support, or mandatory assessments via secure portals.
- Ofsted: During professional inspections.
- Parents: Shared via the Seven Steps Childcare website, a password-protected site where parents only view their own child's data.
- Emergency Services: Relevant health data may be shared with professionals in an emergency without prior consent.
5. Retention and Disposal
Records are only kept for as long as legally necessary:
- General Records: Typically kept for 3 years after a child leaves.
- Accident/Injury Records: Retained until the child is 21 years and 3 months old.
- Safeguarding Records: Retained until the child's 25th birthday if concerns were raised.
- Disposal: Paper records are shredded, and digital hardware is securely wiped before disposal.
6. Digital Communication and Media
- Photography: A dedicated business phone is used for milestones, and photos are deleted at the end of each working day/week.
- Social Media: We do not share child data or photos on public platforms like Facebook or WhatsApp. Parents are also prohibited from sharing group photos provided by the setting on social media.
- Educational Media: Supervised use of television or smart speakers (like Google Mini) is limited to age-appropriate, pre-screened educational content.
7. Parental Rights
Under GDPR, parents have the right to request access to their data, ask for corrections, or request deletion where legally permitted. Requests should be made in writing via email, and we will respond within one calendar month or sooner where possible.