Little Beehive Nursery

DATA PROTECTION

1st April 2019


Document Control
Version: Data Protection Policy v1.0

Policy prepared by: Matthew Martin

Owner: Senior Management

Next review date: May 2020

1.     Introduction
Little Beehive Nursery is required to collect and process data for a number of purposes concerning its staff, contractors, parents, children and any other individual who comes into contact with the company. In gathering and using this data, Little Beehive Nursery is committed to protecting all individuals’ rights of freedom and privacy.

 

Little Beehive Nursery is fully committed to full compliance with the requirements of the General Data Protection Regulation (GDPR). In line with this, this policy describes how personal data must be collected, handled, managed and stored in order to comply with the company’s data protection standards and the law.

 

Why This Policy Exists
This data protection policy sets out the rules that ensure all personal data collected, processed, stored, shared and disposed of on behalf of Little Beehive Nursery is handled in compliance with the obligations of the General Data Protection Regulation (GDPR).

This policy has been put in place to ensure Little Beehive Nursery:

-          Complies with the requirements set out by GDPR

-          Protects the rights and privacy of any individual the company holds data on, including but not limited to staff, contractors, parents and children

-          Reduces the risk of a data breach

-          Has a clear and consistent approach to the collection, storage and management of data

 

Relevant Legislation
The General Data Protection Regulation (GDPR) has been in force since 25th May 2018. It applies to all organisations who offer services to monitor or process the personal data of subjects residing in the EU. Failure to comply with the GDPR can result in fines up to 4% of annual global turnover or €20 million.

 

Policy Scope
This policy applies to UK operations:

·         Little Beehive Nursery National Support Centre

·         All settings operated by Little Beehive Nursery

·         Offices and other sites operated by Little Beehive Nursery

·         All staff and volunteers employed by Little Beehive Nursery

·         All contractors, suppliers and other people working on behalf of Little Beehive Nursery

This policy applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998.

This can include (but is not limited to):

·         Names of individuals

·         Postal addresses

·         Email addresses

·         Telephone numbers

·         Photographs

·         Wage and salary information

·         Bank account details

·         Medical records

·         Dates of birth

·         Copies of identification

·         Curricula Vitae (CVs)

·         Staff performance records

·         Disciplinary records

·         Accident and incident records

Plus any other information relating to individuals

2.     Data Protection Policy Statement
 

Little Beehive Nursery is fully committed to ensuring full compliance with the requirements of the General Data Protection Regulation (GDPR).

 

 

The Little Beehive Nursery Group of Companies will:

 

·         Protect the fundamental rights and freedoms of natural persons in relation to their personal data

·         Be lawful, fair and transparent in relation to how personal data is collected, stored and processed

·         Collect data for relevant specified, explicit and legitimate purposes

·         Keep accurate, up to date and detailed registers of personal data held

·         Keep data for no longer than is required for the purposes it was collected

·         Process data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage

·         Keep data secure with appropriate technical and organisational measures taken to protect the information

·         Process data in line with the rights of the individual

3.     Roles and Responsibilities
All members of staff who work for Little Beehive Nursery have a responsibility to ensure that data is collected, stored, processed and disposed of appropriately.

 

The following people have key responsibilities:

 

Board of Directors
The Board of Directors has overall responsibility for the implementation of the Data Protection Policy throughout the business.

The Board of Directors will:

·         Ensure that the requirements of GDPR are understood and effectively managed

·         Ensure that appropriate resources are provided to effectively implement the Data Protection Policy

·         Ensure that a competent Head of Compliance is appointed to manage data protection

 

Data Protection Officer – Head of Compliance (Matthew Martin)
The Data Protection Officer (DPO) oversees and has managerial responsibility for data protection in the business.

The DPO will ensure:

·         There are adequate resources available for the business to be legally compliant with GDPR and the policies, procedures and management systems in place are robust and effective

·         The business and its legal entities are registered with the Information Commissioner’s Office (ICO) and we co-operate with any of their requests or investigations

·         A data protection policy is in place and reviewed on a regular basis

·         Employees are aware of their obligations to comply with the GDPR and other data protection laws

·         Monitoring of compliance with the GDPR and reviews of the policies, procedures and systems are undertaken to ensure they are effective

·         Training, advice and information is provided to employees and business contacts when necessary in relation to data protection

·         Data breaches are notified to the Information Commissioner within 72 hours of being made aware and an investigation is undertaken in response to the data breach

·         An effective system is in place for compiling information requested as part of a Subject Access Request in line with the timescales detailed in GDPR

·         Contracts with third parties are checked to ensure they are consistent with this Policy

Head of IT (Matthew Martin) 
The Head of IT co-ordinates software systems and information technology in the business. The Head of IT will:

·         Ensure all systems, services and equipment used for storing personal data meet acceptable security standards

·         Perform regular checks and scans to ensure security hardware and software is functioning properly

·         Investigate and address any suspect anti-virus or spam

·         Evaluate any third-party services the company is considering using to store or process data

·         Give advice and feedback to the DPO on any concerns regarding IT or security systems that may affect Little Beehive Nursery’s ability to meet the requirements of this Policy and the GDPR

 

Head of Marketing (Matthew Martin)
The Head of Marketing co-ordinates the collection and use of data for marketing purposes. The Head of Marketing is responsible for:

·         Liaising with the DPO to ensure all marketing materials abide by data protection principles

·         Ensuring that consent is collected for the distribution of all direct marketing material

·         Ensuring any changes in the way we use data for marketing purposes are communicated to parents and the DPO

 

Heads of Departments
The head of department is responsible for ensuring that data collected, handled and processed within their department is done so in line with the GDPR and this policy.

The Head of Department will ensure:

·         Personal data handled in the department is recorded on the Information Asset Register

·         Software used to store personal data is recorded on the Software Register

·         All third parties, contractors or suppliers that have access to Little Beehive Nursery personal data are recorded on the Third-Party Register

·         All staff are trained and familiar with their duties under the Data Protection Policy

·         Any collection, processing, management and disposal of personal data is done so in line with the Data Protection Policy

·         Information is provided (when requested) to enable a Subject Access Request to be completed within the timescales required

·         A Data Protection Impact Assessment is completed when deemed necessary, for instance when acquiring a new software system

 

Managers
Managers are responsible for ensuring that data collected, handled and processed within their area of control is done so in line with the GDPR and this policy.

Managers will ensure:

·         They inform senior management of any personal data that is collected in the course of their work to ensure this is recorded on the Information Asset Register

·         Before any new software system is used, this is discussed with the Data Protection Officer and Head of IT to ensure a Data Protection Impact Assessment is completed and it is recorded on the Software Register

·         All third parties, contractors or suppliers that have access to Little Beehive Nursery personal data are recorded on the Third-Party Register

·         All staff are trained and familiar with their duties under the Data Protection Policy

·         Any collection, processing, management and disposal of personal data is done so in line with the Data Protection Policy

·         Information is provided (when requested) to enable a Subject Access Request to be completed within the timescales required

·         Data protection breaches are reported to the Data Protection Officer as soon as possible

 

General Staff Guidelines
All Little Beehive Nursery employees are required to comply with the following guidelines to ensure all personal data held by the company is used, stored and managed in the most appropriate way possible:

·         Data should only be collected on approved Little Beehive Nursery documentation; approval from the DPO must be sought where additional personal data is collected

·         Data should only be used for its original purpose and only by those who need it for their work

·         Data concerning individuals must not be communicated to other persons or organisations unless required to do so by law or under an approved contract

·         When sharing data, take care to check the identity of the individual and the organisation they are representing, and be confident they have a legitimate need for the information

·         Take sensible precautions to ensure all personal data is kept secure. This should include locking computers when leaving a desk and making sure no personal data is left out in view of other people.

·         Use strong and secure passwords when storing digital data; usernames and passwords should never be shared

·         Data should be regularly reviewed and updated, and if found to be out of date or no longer required for its original purpose, it should be updated or deleted and disposed of in the manner detailed in the Retention and Disposal Guidance

·         Employees should request help from the DPO if they are unsure of any aspect regarding data protection

·         Documents containing personal data should be disposed of in line with the Retention and Disposal Guidance, with confidential waste bins being used before collection with our approved waste contractor. Documents that contain personal data should not be placed in general waste bins.

·         Little Beehive Nursery will provide training to all employees to help them understand their responsibilities when handling data

·         Employees should ensure that the data held on HR software is reviewed at least annually and updated

Staff that work from home or undertake work in locations other than those under the management of Little Beehive Nursery should also comply with the following guidelines:

·         Where possible use a Little Beehive Nursery laptop or tablet that has been installed with approved firewall and security software

·         Little Beehive Nursery documents should be worked on via VPN and not downloaded or installed onto personal computers.

·         Data should not be transferred onto a personal USB stick

·         Employees should avoid leaving sensitive information out on display or in vehicles

·         Computers should be password protected and locked when left unattended

·         Documents containing personal data should be taken to a nursery or office to be placed in a confidential waste bin, burned or shredded; they should not be placed in a general waste bin.

·         Paper documents cannot be removed from the nursery without written permission from senior management.

 

 

4.     Personally Identifiable Data
Little Beehive Nursery only collects, processes and stores personal data where we have a valid lawful basis to require it. We do the following to be transparent:

·         Provide information to data subjects in our Privacy Policy on where data is held, the lawful basis and how long we store it. This is available on our website: Www.Littlebeehivenursery.co.uk/Privacy Policy

·         Only use data for its original purpose; where we wish to use it for a different purpose, we will notify you of this and request your consent

·         Keep data in as few places as necessary

·         Update our data regularly using annual declaration requests

·         Provide you with any information we hold on you when we receive a Subject Data Request

·         Where an individual contests the accuracy of personal data, Busy Bees will restrict processing until the personal data has been confirmed and updated

 

Children’s Data
As a childcare company Little Beehive Nursery collects, holds and processes a lot of children’s data. There is an increased need to protect children’s personal data because they are classed as vulnerable individuals. Where a child is under the age of 16, consent for the processing of the child’s data is required from the child’s parent or guardian.

 

Additional care should be taken when handling or sharing children’s data to ensure that it is shared with only those that need to know the information. Some data, such as medical data, will need to be shared with staff to ensure that any emergency medical care can be given when needed; however, this should not be shared with people outside the organisation unless there is a legal requirement to do this.

 

Staff Data
We collect, hold and process data on employees as part of our legal responsibilities and in order that we can support and manage them in their work. Much personal data on employees is held on our HR software, and employees should check on a regular basis that the information held is accurate and amend it where necessary.

 

 
 
 
5.     Collecting and Processing Personal Data
Lawful Processing (Article 6)
Little Beehive Nursery will only collect and process personal data when at least one of the following lawful bases applies:

·         Consent: A data subject has given consent to the processing of his/her personal data

·         Contract: Processing is necessary for the performance of a contract

·         Legal obligation: Processing is necessary for compliance with a legal requirement

·         Vital interests: Processing is necessary to protect the vital interests of the data subject

·         Legitimate interests: Processing is necessary for the legitimate interests pursued by the data controller or third party, unless there is a good reason to protect the individual’s data which overrides those legitimate interests

 

Little Beehive Nursery makes automatic decisions on the processing and use of data where it is:

·         Necessary for the entry into or performance of a contract

·         Required to comply with the law

·         Based on the individual’s explicit consent

 

Processing Parent and Child Data
All personal data regarding a parent, guardian, carer and child processed by Little Beehive Nursery is mandatory in order to fulfil the requirements of the contract. Failure to provide this information will result in the child being declined a place at the nursery.

 

Processing Employee Data
All personal data regarding an employee processed by Little Beehive Nursery is mandatory in order to fulfil the requirements of the contract. Failure to provide this information will result in the individual being unable to join Little Beehive Nursery as an employee.

 

Consent Management
Where processing is based on consent, Little Beehive Nursery shall demonstrate that the data subject has consented to the storage and processing of his/her personal data. For the collection of personal data which relies on explicit consent, data subjects are given the opportunity to freely give their consent to us processing that data for the specified purpose. Some examples of where explicit consent (outside the terms and conditions of the contract) is required are detailed below:

 

a.       Consent for photographs
Little Beehive Nursery recognises the taking of photographs is not compulsory for the fulfilment of a contract and is not required for legal reasons. Considering this, parents are given the opportunity to give or withdraw their consent for photographs of their child to be taken, displayed or used in various ways by Little Beehive Nursery. This information is collected as part of the Registration pack.

 

b.      Consent for Marketing
Little Beehive Nursery recognises individuals are required to give explicit consent to be contacted for marketing purposes. Parents are given the opportunity to freely give their consent to being contacted for marketing purposes. Consent is given in a granular manner to show clearly what is being agreed to. This information is collected as part of the Registration Pack.

 

 

 

c.       Other consents
For further processes where we require consent for additional functions or needs, additional consent forms will be used. These include (but are not limited to):

·         Use of fobs in nurseries

·         Involvement in parent/event groups

·         Use of software or equipment outside our normal work practices

6.     Data Security, Retention, Storage and Disposal
Responsibilities and Procedures
Little Beehive Nursery is committed to ensuring we do not hold personal data for longer than necessary. Little Beehive Nursery retains different types of data for different periods of time due to the law or business need. Each Head of Department or Nursery Manager is responsible for ensuring data is only kept for the appropriate retention period. All data should be stored only in the location(s) detailed in the Little Beehive Nursery Information Asset Register and all staff are required to follow the retention guidelines in the Management, Retention and Disposal guidance document, to ensure compliance with the GDPR.

 

Security Levels

Due to the industry we are in and the regulations we must comply with, we are unable to store all service users’ data under lock and key 24/7. We value the security of your data and have put in place the following Policies and Procedures to make sure that service users’ data is as safe and secure as possible.

 

Our Policy has 3 levels.

 

Level 1: This is the data that we deem “High risk”. This data is given the highest level of security while in the nursery. (E.g. Bank Details, Identification, Emails)

Level 2: This is data we deem “Medium risk”, or for which we have “Just cause” to apply a less severe policy. Although we value the security of this data extremely highly, to do our job in the nursery we are required to have this information to hand for the safety and security of your child’s day-to-day needs. (E.g. Contact Cards, Contact Numbers, Daily Medical needs…)

Level 3: This is data we deem “Low risk”. We feel this data offers limited risk if a data breach were to occur. We will never use this data outwith the nursery without your permission; however, we may use it to create wall displays and suchlike.

 

 

 

Hard Copy/ Paper Records
 
Protection Level 1 (high) - data must be kept in a locked unit within the manager's office (to be locked when the nursery is closed). Only senior management have access to this data, and requests must be made in writing to access this data.

Protection Level 2 (Med) - data must be stored in lockable cabinets in the nursery. Access to these documents can be made by all employees of the company through verbal request with the room senior or senior management. When in use, this data should be kept out of sight of Service Users. This data must be stored in a locked environment when the nursery is closed.

Protection Level 3 (Low) - data can be stored in non-lockable cabinets or folders. Efforts must be made to make sure there is no identifiable information on photos/art, with documentation being stored away at the end of the working day.
 
Continued
·         Paper files containing personal data should only be handled by those within the company that need it to complete an essential task and should not be shared unless it is necessary to do so

·         When not in use, paper documents should be kept in a secure environment such as locked in a drawer, filing cabinet or office

·         Paper or printouts containing personal information should not be left out

·         Printouts where the data is no longer required should be securely disposed of in the confidential waste bin or shredded

·         Procedures are in place to securely dispose of confidential waste

 

Soft Copy/ Electronic Records
 
Protection Level 1 (high) - data must be stored on the manager's computer in the office, either on the local disk or on Tresorit (Cloud). Only senior management have access to these files. The computer should be locked at night inside the locked manager's office. The office computer must be password protected, ensuring it automatically locks if unused for 15 minutes.
 
Protection Level 2 (Med) - data can be stored on nursery computers/laptops. This data can be accessed by all employees. The devices must be locked at night and password protected. The devices must not leave the building unless authorisation has been received from senior management.
 
Protection Level 3 (Low) - data must be stored on nursery computers that are password protected. All staff can access this data for use on a daily basis.
 
·         Data can only be stored on Tresorit (Cloud) and on Nursery computers

·         Staff should be trained and be given information as to where the correct and secure place to save data is

·         Data should be protected by a strong password which is regularly changed and never shared, even with those within the organisation

·         Data should never be downloaded or saved directly onto personal laptops or mobile phones

·         All servers and computers containing personal data should be protected by security and anti-virus software and a firewall

·         Removable media devices, such as USB sticks, should not be used.

·         All staff should ensure computers or laptops are logged off or locked when left unattended.

 

Cyber Security
Little Beehive Nursery ensures that all data is kept secure with appropriate technical and organisational measures taken to protect the information. Little Beehive Nursery ensures all business computing devices have appropriate anti-virus, firewall and anti-spam software to help minimise unauthorised access to files and identify any areas of concern.

E-mails are checked regularly for viruses. However, no liability is accepted for any viruses which may be transmitted in or with e-mails.

 

Disposal of Documents
Employees must ensure that documents are only kept for the retention period set out for that particular type of data. All documents that exceed this retention period or are no longer required should be placed in a Confidential Waste bin or a bag marked as ‘confidential waste’, or shredded. Any waste that is being stored before collection should be kept in a secure location such as a locked cupboard or office to prevent unauthorised access.

 

Disposal of IT Hardware
Computer hardware that comes to the end of its use should be returned to Head Office to ensure it is wiped and any personal or sensitive data is removed.

 

 

7.     Data Sharing and Processing
 
Hard Copy / Paper
 
Protection Level 1 (high) - data is only accessible by senior management and cannot be shared with anyone outwith the company apart from the owner of the data and appropriate external agencies. Where appropriate, any sharing of data must have the approval of the parent/carer.

Protection Level 2 (Med) - data is only accessible by employees of Little Beehive Nursery with the authorisation of their room senior or senior management. Data will not be shared with third parties without the consent of the owner or carer of the data. Hard copy medium risk data will be shared in person with the authorisation of the manager or senior management. Data that must be used on a day-to-day basis must be kept out of sight.

Protection Level 3 (Low) - data can be displayed and shared for any visitors to the nursery to view. However, there cannot be any identifiable linking information. This data must not leave the nursery without the consent of the data owner.

Digital Data

Protection Level 1 (high) - data is only accessible by senior management and cannot be shared without the consent of the data owner. If this data is to be shared, it must be stored in Tresorit and shared using a Tresorit password-protected link. The password is to be unique to each customer. If this data is to be transported to and from branches, it must be stored on an encrypted device.

Protection Level 2 (Med) - data is available to all employees of the nursery. However, this data cannot be shared without the consent of the parent/carer. Medium risk data must be shared via Tresorit password-protected links. The password is to be unique to each customer. If this data is to be transported to and from branches, it must be stored on an encrypted device.

Protection Level 3 (Low) - data can be shared in non-encrypted emails. However, this data cannot be shared without the consent of the parent/carer.
 
 
 
Third Party Sharing and Processing
Little Beehive Nursery may need to share personal data with organisations outside the Little Beehive Nursery organisation; we refer to these as ‘third parties’. This may be for a variety of reasons, but where this is necessary Little Beehive Nursery ensures all third parties who process data on behalf of Little Beehive Nursery (the data controller) have robust systems in place to comply with the conditions set out in GDPR.

 

In relation to the sharing of data with Third Parties Little Beehive Nursery will ensure:

·         Reasonable steps are taken to ensure secure measures are in place to protect individuals’ personal data

·         Third parties are informed about data subjects who wish to access, erase or rectify their personal data

·         The T&Cs within the contract with a third party meet the requirements of the GDPR

·         Data subjects have given their explicit consent to disclose their personal data to third parties or are agreeing to the terms of a Little Beehive Nursery contract

·         The disclosure of data is necessary to protect the vital interests of the data subject

 

 

We will share your data with these companies if you accept the terms and agreements of Little Beehive Nursery. To attend Little Beehive Nursery, we must be able to share your data with the following online services:

·         FAMLY (Session booking / Invoicing / Child's account)

·         NAMS (Government Funding)

·         Mailchimp (Daily Emails / Announcements)

·         DEPUTY (Staffing)

·         PEOPLE HR (Online HR)

We may also share data with:

·         Survey Monkey (Yearly surveys on your Little Beehive Experience)

·         Facebook (Private Groups / Public Page)

·         Bank Of Scotland Online Banking (Refunds)

However, you can opt out of this as these are non-vital resources.

 

 

Computer servicing and Repair 
From time to time our computers need to be fixed. We will do everything in our power to make sure that your data will not leave our offices, however, in some circumstances, this isn’t possible. In cases like this, we use GDPR compliant computer repair companies who have strict data protection policies.

 

 

8.  Social Media
Little Beehive Nursery uses Facebook as a means to communicate positive messages about the organisation. The page is updated with regular posts showing a selection of the activities for children, news and special offers. This is carefully managed by the Little Beehive Nursery Marketing Manager (Matthew Martin).

 

All photographs of children used on the Little Beehive Nursery Facebook page require parents’ consent before they are posted. Photos are not to be posted on this or any social media or internet sites without this consent. Nursery managers must ensure that parents complete a consent form and that the appropriate permissions for the use of photographs have been given.

 

Nurseries are not permitted to set up or post on social media sites not controlled and managed by Little Beehive Nursery without prior agreement with Senior Management.

 

We are not responsible for any social media groups which are detached from the company and have been set up by parents such as forum groups. It is recommended that you inform parents that we have no control of the content or data sharing of these forums and there is a risk of their information being shared without their consent.

 

Below are links to the privacy policies for the social media platforms used by Little Beehive Nursery. You should familiarise yourself with these if you are using these forums to post information about Little Beehive Nursery.

 

Facebook: https://www.facebook.com/about/privacy  

 

 

9.  GDPR Provisions
Audit
The Little Beehive Nursery data audit covers:

·         what personal data we collect

·         how we process the data

·         the lawful basis on which we process

·         the purpose for processing

·         who we share data with and why

·         how long we hold it for

·         where it is stored and

·         the rights of the data subject

The privacy notices are available upon request.

 

Privacy by Design and Default
Little Beehive Nursery as the data controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary is used for each specific purpose of processing. Little Beehive Nursery will also (where deemed necessary) follow data protection principles such as data minimisation to protect the rights of the data subject by implementing appropriate technical and organisational measures, such as pseudonymisation.

 

 

10.  Data Subject Rights
Subject Access Requests (SAR)
The personal data collected and held by Little Beehive Nursery remains the property of the Data Subject and therefore they retain the right to know what information we hold on them, where it is held and for what purpose. Under the GDPR we are aware of our legal obligations to provide a copy of the data, free of charge and without undue delay, and at the latest within one month of receiving a Subject Access Request (SAR).

 

Little Beehive Nursery reserves the right to refuse or charge for information if the SAR is manifestly unfounded or excessive. We will inform the Data Subject of this within one month of the request and provide information as to why it has been refused or why a charge has been requested.

 

Right to be Forgotten
A Data Subject has the right to ask Little Beehive Nursery to erase his/her personal data and cease further dissemination of the data. The right to be forgotten will not be available where we are under contract with the Data Subject or we hold the data to meet legal requirements. If personal data has been disclosed to third parties, we are required, where possible, to inform them about the erasure of personal data.

 

Right to Rectification
A Data Subject has the right to request that we rectify inaccurate or incomplete personal data concerning him/her. If such personal data has been disclosed to third parties, these third parties will be informed where possible. We will take steps to correct inaccurate or incomplete data as soon as practicable after becoming aware of it. We would always aim to have this completed, and the Data Subject advised of the action taken, within one month.

 

Right to Object
A Data Subject has the right to object to the processing of their data where it is used for direct marketing, research, statistical analysis, for legitimate interests or the performance of a task in the public interest. Where a Data Subject objects to Little Beehive Nursery having their data for these purposes, we will no longer process the personal data and will inform the Data Subject when this has been actioned. We will assume the Data Subject is removing consent for the data to be used in that way and remove this from our systems.

11.  Reporting Breaches
All Little Beehive Nursery employees who are aware that a data breach has occurred should report the breach to their manager and the Data Protection Officer. The Data Protection Officer will then ensure that the breach is recorded on the Data Breach Register. Further information on how to report a breach is available in the Data Protection Breach Guidance document.

 

High/Medium Risk Breaches
Little Beehive Nursery is required under the GDPR to notify the Information Commissioner's Office of a high risk data breach, where the breach is likely to result in a risk to the rights and freedoms of the individual. Little Beehive Nursery will report the breach within 72 hours of first becoming aware of the breach. Little Beehive Nursery will also notify the individual concerned directly and advise them of what is being done to manage the risk.

 

 

12.  Monitoring
Information Audit
The Information Audit register is a centralised log for all information that is held and processed by Little Beehive Nursery. The register outlines what information is held, what lawful process the data fits into, where the data is held, how long the data is held for, who has access, and whether the data is shared with any third parties.

 

Each Head of Department is responsible for the data they hold in their department or in software systems managed by them, and for ensuring all the information in the asset register is correct.

 

Third Party Processor Register
The Third-Party Processor Register is a centralised log which holds the names and contact details of all the third-party organisations Little Beehive Nursery has shared data with.

 

Management, Disposal and Retention Guidance
The Disposal and Retention Schedule is included in this guidance document. It sets out how long documents will be stored within the company and gives information on when and how they should be disposed of.

 

Data Breach Register
The Data Breach Register is a centralised log for all data breaches to be recorded. All staff members are required to record their breach in this register along with the action taken and whether the ICO have been notified.

All nurseries are required to log data breaches on the RIVO software.

National Support Centre breaches are logged by the GDPR Co-ordinator on the RIVO software.

 

Subject Access Request Register
The Subject Access Request Register is a centralised log for all subject access requests to be recorded. This should include the name of the requester, the date of request and the date of completion.

13.  Complaints
Little Beehive Nursery is fully committed to protecting the privacy of individuals and complying with the General Data Protection Regulation (GDPR). We will do our best to investigate any complaints from Data Subjects and have put together a Complaints Protocol to show how we will do this.

 

If you are unhappy with our handling of a SAR or have concerns with how we handle data, please let us know and we will try to resolve the issue. If you are still unsatisfied, you have the right to contact the Information Commissioner's Office and raise a concern with them.

They can be contacted on: https://www.ico.org.uk/concerns/ or 0303 123 1113.

 

 

14.  Training and Awareness
Little Beehive Nursery recognises that most staff in the course of their work will come into contact with personal data and endeavours to provide information, training and support to all employees to assist them in collecting, storing, processing and disposing of personal data.

 

Data Protection Training
·         All Staff must complete training _______________

All staff members are encouraged to read this policy along with the assisting protocols and guidance documents to ensure compliance.

 

Data Protection Support
Data protection support is provided by the Data Protection Officer (DPO) and the GDPR co-ordinator. They will provide guidance and information to anyone who needs advice or support in complying with the GDPR or our data protection policy and procedures. They can be contacted on:

Email: Matt@Littlebeehivenursery.co.uk

Telephone: 01334 208 166

 

Employees should familiarise themselves with this policy and other relevant data protection protocols and guidance. Employees who fail to comply and as a result cause a significant data breach may face disciplinary action. Each incident will be assessed on a case-by-case basis.

 

15.  Definitions
Personal Data: Information related to an identifiable natural person that can be used to directly or indirectly identify the person.

Sensitive Data: Special categories of personal data listed in Article 9 of the GDPR.

Controller: A controller is the entity that determines the purposes, conditions and means of the processing of personal data.

Data Subject: A natural person whose personal data is processed by a controller or processor.

Processor: An entity that processes personal data on behalf of a controller.

Consent: A freely given, specific and informed indication of the subject's wishes to allow the processing of personal data relating to him or her.

Data Protection Officer: A person responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR.

Data Breach: A breach of security leading to an accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data.

Breach Notification: A notification to the Information Controller where a breach is likely to ‘result in a risk of the rights and freedoms of individuals’. This must be done within 72 hours of first becoming aware of the breach.

Profiling: Any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, including to analyse or predict performance, economic situation, health, personal preferences, behaviour, location or movements.

Third Party: A natural or legal person, authority or body other than the data subject, controller or processor, who, under the direct authority of the controller or processor, is authorised to process personal data.

Data Processing: Any operation or set of operations which is performed on personal data or on sets of personal data.

Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51.

Recipient: A natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not.

Confidential Waste: Any document containing personal information that can be used to identify individuals.

Subject Access Request: A request sent from a Data Subject to a Data Controller requesting information about themselves.

Consent: Freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Recipient: An entity to which the personal data is disclosed.

Data Portability: The requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.

Privacy Impact Assessment: A tool used to identify and reduce the privacy risk of entities by analysing the personal data that are processed and the policies in place to protect that data.

ICO: The Information Commissioner's Office is the UK's independent body set up to uphold information rights.
