GDPR PRIVACY NOTICE

FOR CHILDREN REGISTERED AND ATTENDING COTTONTAILS DAY NURSERY
& PRESCHOOL AND THEIR PARENTS

WHAT IS THE PURPOSE OF THIS DOCUMENT?

Cottontails Day Nursery & Creative Kids Clubs is committed to protecting the privacy and security of your personal information.
This privacy notice describes how the Nursery collects and uses personal information about the Nursery children and the parents of the Children (known collectively as “you” or “your”), in accordance with the General Data Protection Regulation (GDPR).

Cottontails is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice. Please be aware that we will only use and hold data about you and your child that is necessary to the business functioning.

What is Personal Data?

Personal Data is any data that can be linked to a single person and which identifies them in some way. For example name and personal email address and/or any of the following: postal address, telephone numbers, marital status and date of birth.

This notice applies to Children and Parents. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical.

It is important that Children and Parents read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.

DATA PROTECTION PRINCIPLES

We will comply with data protection law. This says that the personal information we hold about you must be:

1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.

1

THE KIND OF INFORMATION WE HOLD ABOUT YOU

There are “special categories” of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation.

Children’s information

We will collect, store, and use the following categories of personal information about Children:

• Name

• Date of birth

• Birth certificates (photocopy and applicable to funded children only)

• Identification documentation (passport photocopy)

• Home address

• Dietary requirements

• Attendance information

• Current Doctors practice information

• Photographs and video clips of your Child

• Emergency contacts should Parents be unavailable in an emergency

• Learning Journals

• Records relating to individual Children e.g. care plans, common assessment frameworks, speech and language referral forms, EHAT forms etc.

• Accidents and pre-existing injuries forms both from Home and Nursery.

• Records of any reportable death, injury, disease or dangerous occurrence

• Observation, planning and assessment records of Children

• Reporting to the local council inline with legal obligations of a Nursery setting

  We may also collect, store and use the following “special categories” of more sensitive personal information:

• Information about a Child’s race or ethnicity, spoken language and nationality.

• Information about a Child’s health, including any medical condition, health and sickness records.

• Information about a Child’s accident or incident reports including reports of pre-existing injuries.

• Information about a Child’s incident forms / child protection referral forms / child protection case details / reports.

  Parents

  We will collect, store, and use the following categories of personal information about Parents:

  • Name

  • Date of birth.

  • Home address

  • NI number (funded child placements only)

  • Telephone numbers, and personal email addresses.

    We may also collect, store and use the following “special categories” of more sensitive personal information:

• Information about a Parent’s race or ethnicity, spoken language and nationality.

2

• Conversations with Parent’s/ Guardians in relation to the child’s care. This includes telephone conversations and emails.

• Conversations with Parents where Employees of the Nursery deem it relevant to the prevention of radicalisation or other aspects of the governments Prevent strategy.

Q. HOW IS YOUR PERSONAL INFORMATION COLLECTED?

Children and Parents/ Guardian:
We collect personal information about Children and Parents/ Guardian through the enrolment process and until the Children stop using the Nursery’s services. We will then retain the information (in a dormant state) for a further 21 years as per our legal obligation.

Q. HOW WE WILL USE INFORMATION ABOUT YOU?

We will only use your personal information when the law allows us to. Most commonly, we will use Your personal information in the following circumstances:

1. To contact you as the Parent/ Guardian of a child within our care. This may relate to the day to day running of the nursery, invoicing or in the case of an emergency, relating to your child. We may contact you by phone or email directly or via the Famly app.

2. Where we need to comply with a legal obligation for funding, child protection and safeguarding, or retaining your child’s records (in a dormant state) for 21 years after leaving our setting.

3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

1. Where we need to protect your interests (or someone else’s interests). 2. Where it is needed in the public interest or for official purposes.

Situations in which the Nursery will use personal information of Children

We need all the categories of information in the list above (see Children section within the Paragraph entitled ‘The Kind of Information We Hold About You’) primarily to allow us to perform our obligations including our legal obligations to Children. The situations in which we will process personal information of Children are listed below.

• Upon consent from the Parents, Personal Data of Children will be shared with schools for progression into the next stage of their education.

• Personal information of Children will be shared with local authorities without the consent of Parents where there is a situation where child protection is necessary.

• The personal information of Children will be shared with local authorities without the consent of Parents for funding purposes and for child protection and safeguarding purposes.

• Ofsted will be allowed access to the Nursery’s systems to review child protection records.

  • To ensure we meet the needs of the Children

  • To enable the appropriate funding to be received

  • Report on a Child’s progress whilst with the Nursery

  • T o check safeguarding records

  • To check complaint records

  • T o check attendance patterns are recorded

3

• When a Child’s Progress Report is given to its Parent in order for that Parent to pass the same Progress Report to a school for application or enrolment purposes

Situations in which the Nursery will use personal information of Parents

We need all the categories of information in the list above (see Parents section within the Paragraph entitled ‘The Kind of Information we Hold About You’) primarily to allow us to perform our contracts with Parents and to enable us to comply with legal obligations.

The situations in which we will process personal information of Parents are listed below.

• The personal information of Parents will be shared with local authorities without the consent of Parents for funding purposes and for child protection and safeguarding purposes.

• To report on a Child’s attendance

• To be able to contact a Parent or a Child’s emergency contact about their Child

• To ensure nursery fees are paid – which will include child’s name for reference.

  If Parents fail to provide personal information

  If Parents fail to provide certain information when requested, we may not be able to perform the respective contracts we have entered into with Parents, or we may be prevented from complying with our respective legal obligations to Children and Parents.

  Change of purpose

  We will only use your personal information for the purposes for which we collected it, unless we consider it necessary to use it for another reason, compatible with the original purpose.

  Please note that we may process a Child’s or a Parent’s personal information without their respective knowledge or consent, as relevant to the circumstances, in compliance with the above rules, where this is required or permitted by law.

  HOW WE USE SENSITIVE PERSONAL INFORMATION

  “Special categories” of ‘sensitive personal information’ require higher levels of protection and will only be collected with justification. This information will further be stored securely. We have in place an appropriate safeguarding policy document of which we are required by law to maintain when processing such data.
  Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect a Child or a Parents’ interests (or someone else’s interests) and the Child or Parent as is appropriate is not capable of giving consent, or where the Parent has already made the information public.

  INFORMATION ABOUT CRIMINAL CONVICTIONS

  We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so, which includes but is not limited to Disclosure and Barring Service (“DBS”) checks. We will collect information about criminal convictions as part of the recruitment process for employees or we may be notified of such information directly by you.

  We will use information about criminal convictions and offences in the following ways:

• As a screening process for staff recruitment

• Stored within a child’s profile (if relating to a personal holding parental responsibility/ of relation to

  the child) in line with national safeguarding policies

• Information regarding criminal convictions may be passed onto third party services when we have

  reasonable and justified reason to do so, in line with our legal obligations

4

AUTOMATED DECISION-MAKING

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

1. Where we have notified Parents of the decision and given the Parent as is appropriate 21 days to request reconsideration.

2. Where it is necessary to perform the contract with a Parent and appropriate measures are in place to safeguard the Child’s or the Parent’s rights as is appropriate.

3. In limited circumstances, with explicit written consent from the Parent, as is appropriate, and where appropriate measures are in place to safeguard Parent rights.

If we make an automated decision on the basis of any particularly sensitive personal information, we must have either explicit written consent from a Parent as is appropriate, or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard a Parents rights as is relevant in the circumstances.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision- making, unless we have a lawful basis for doing so and we have notified the Parent as is appropriate in the circumstances.

DATA SHARING

We may have to share, Child or Parent data with third parties, including third-party service providers and other entities in the group.
We require third parties to respect the security of your data and to treat it in accordance with the law.

Q. Why might the Nursery share Child or Parent personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

Which third-party service providers process my personal information?

”Third parties” includes third-party service providers (including contractors and designated agents), local authorities, regulatory bodies, schools and other entities within our group. The following third-party service providers process personal information about you for the following purposes:

• Local Authorities – for funding and monitoring reasons (e.g. equal opportunities and uptake of funded hours)

• Regulatory bodies – for ensuring compliance and the safety and welfare of the children

• Schools – to provide a successful transition by ensuring information about the child’s progress and

  current level of development and interests are shared

• Famly app – This interactive system uses information submitted to monitor day to day management of the nursery, including daily registration of children, attendance monitoring and reporting (by parents via the app and by nursery staff), invoicing and payments, a communication platform between home and nursery with emailing and text messaging services etc.

  This software allows the Nursery to log and track individual children’s attainment (Learning Journal) against the EYFS and is accessible by the child’s parent/ guardian (with permissions and a registered email address) at any time online.
  Your details are not passed on to any third parties. It is also used to store personal information on each child and his or her parents/guardians such as:-

5

• Name

• Date of birth

• Home address

• Emergency contact details

• Dietary requirements

• Attendance information

• Current Doctors practice information

• Health records

• Funding codes

• Gender

• Religion

• Ethnic Origin

• Spoken languages (Home/ ‘mother tongue’)

• Communications between Home and Nursery

• Individuals attainment against the EYFS via observations from Home and Nursery, with

  descriptions and virtual notes.

  Please note, children registered with the nursery before the 26th July 2019, under previous Nursery ownership, have stored information on the following systems:

• Childsplay (now dormant) – This system and its owners use information submitted to provide you with further information to assist you such as Invoices, text messaging services etc. Your details are not passed on to any third parties. It is also used to create nursery registers, track move up dates from room to room and to store personal information on each child and his or her parents/guardians such as:-

  • Name

  • Date of birth

  • Home address

  • Emergency contact details

  • Dietary requirements

  • Attendance information

  • Current Doctors practice information

• 2 simple app (now dormant) – This software app provides a simple and powerful way to log children’s achievements against the Early Years profile. This system and its owners use information submitted by us to provide us to do the following:

Take photographs with the device’s camera Write virtual notes
Select the children who are being observed Tag the observation with the learning objective

that is submitted to this app by us is:

Child’s name
Gender
Date of Birth
Current nursery room
Observations/photographs (These may also have a description/virtual note).

This software is legal obligations.

Q. How secure is my information with third-party service providers and other entities in our group?
All our third-party service providers and other entities in the group are required to take appropriate security

• • • •

The information

• • • • •

no longer active at the setting and children’s information will be stored securely in line with our

6

measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

When might you share my personal information with other entities in the group?

We will share your personal information with other entities in our group.

What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.

We may also need to share your personal information with a regulator or to otherwise comply with the law.

DATA RETENTION How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available in a file situated at the front of the building. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a Child benefiting from the Nursery’s services or a Parent, as is appropriate, we will retain and securely destroy your personal information in accordance with our data retention policy OR applicable laws and regulations.

RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

• Request erasure of your personal information. This enables Parents to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to

7

processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

• Request the restriction of processing of your personal information. This enables Parents, as is appropriate, to ask us to suspend the processing of personal information about you for example if you want us to establish its accuracy or the reason for processing it.

• Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the manager in writing.

What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to

access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

CHANGES TO THIS PRIVACY NOTICE

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

BREACH NOTIFICATIONS

If a breach has been made, it is the responsibility of Cottontails to notify the information Commissioners Office (ICO) of any breach within 72 hours of becoming aware of the breach.

If you have any questions about this privacy notice, please contact the Management Team at the