XP Kids Ltd
Data Protection Policy
At XP Kids we
respect the privacy of the children attending the Club and the privacy of their
parents or carers, as well as the privacy of our staff. Our aim is to ensure that
all those using and working at XP Kids can do
so with confidence that their personal data is being kept secure.
Our
lead person for data protection is Katie Cameron. The lead person ensures that
the Club meets the requirements of the GDPR, liaises with statutory bodies when
necessary, and responds to any subject access requests.
Confidentiality
Within
the Club we respect confidentiality in the following ways:
·
We
will only ever share information with a parent about their own child.
·
Information
given by parents to Club staff about their child will not be passed on to third
parties without permission unless there is a safeguarding issue (as covered in
our Safeguarding Policy).
·
Concerns
or evidence relating to a child’s safety, will be kept in a confidential file
and will not be shared within the Club, except with the designated Child
Protection Officer and the manager.
·
Staff
only discuss individual children for purposes of planning and group management.
·
Staff
are made aware of the importance of confidentiality during their induction
process.
·
Issues
relating to the employment of staff, whether paid or voluntary, will remain
confidential to those making personnel decisions.
·
All
personal data is stored securely on a password protected computer / passcode-locked
phone.
·
Students
on work placements and volunteers are informed of our Data Protection policy
and are required to respect it.
Information that we keep
The
items of personal data that we keep about individuals are documented on our
personal data matrix. The personal data matrix is reviewed annually to ensure
that any new data types are included.
Children and
parents:
We hold only the information necessary to provide a childcare service for each child.
This includes child registration information, medical information, parent
contact information, attendance records, incident and accident records and so
forth. Our lawful basis for processing this data is fulfilment of our contract
with the child’s parents. Our legal condition for processing any health-related
information about a child, is so that we can provide appropriate care to the
child. Once a child leaves our care we retain only the data required by
statutory legislation, insurance requirements and industry best practice, and
for the prescribed periods of time. Electronic data that is no longer required
is deleted and paper records are disposed of securely or returned to parents.
Staff: We keep
information about employees in order to meet HMRC requirements, and to comply
with all other areas of employment legislation. Our lawful basis for processing
this data is to meet our legal obligations. Our legal condition for processing data
relating to an employee’s health is to meet the obligations of employment law. We
retain the data after a member of staff has left our employment for the periods
required by statutory legislation and industry best practice, then it is
deleted or destroyed as necessary.
Sharing information with third parties
We
will only share child information with outside agencies on a need-to-know basis
and with consent from parents, except in cases relating to safeguarding
children, criminal activity, or if required by legally authorised bodies (eg
Police, HMRC, etc). If we decide to share information without parental consent,
we will record this in the child’s file, clearly stating our reasons.
We
will only share relevant information that is accurate and up to date. Our
primary commitment is to the safety and well-being of the children in our
care.
Some
limited personal information is disclosed to authorised third parties we have
engaged to process it, as part of the normal running of our business, for
example in order to take online bookings, and to manage our payroll and
accounts. Any such third parties comply with the strict data protection
regulations of the GDPR.
Subject access requests
·
Parents/carers
can ask to see the information and records relating to their child, and/or any
information that we keep about themselves.
·
Staff
and volunteers can ask to see any information that we keep about them.
·
We
will make the requested information available as soon as practicable, and will
respond to the request within one month at the latest.
·
If
our information is found to be incorrect or out of date, we will update it
promptly.
·
Parents
/carers can ask us to delete data, but this may mean that we can no longer
provide care to the child as we have a legal obligation to keep certain data.
In addition, even after a child has left our care we have to keep some data for
specific periods so won’t be able to delete all data immediately.
·
Staff
and volunteers can ask us to delete their data, but this may mean that we can
no longer employ them as we have a legal obligation to keep certain data. In
addition, even after a staff member has left our employment we have to keep
some data for specific periods so won’t be able to delete all data immediately.
·
If
any individual about whom we hold data has a complaint about how we have kept
their information secure, or how we have responded to a subject access request,
they may complain to the Information Commissioner’s Office (ICO).
GDPR
We comply with the requirements of the General
Data Protection Regulation (GDPR), regarding obtaining, storing and using
personal data.
This policy was adopted by: XP Kids Ltd
Date: 13/04/2021
To be reviewed: 13/04/2022
Signed; Katie Cameron
Written in accordance with the Statutory Framework for the Early Years
Foundation Stage (2017): Safeguarding and Welfare Requirements: Information and
records [3.68 -3.71].