General Data Protection Regulation

The General Data Protection Regulation (GDPR) is an EU law that came into effect on 25th May 2018 and replaced the Data Protection Act 1998. The changes will remain in place after the UK has left the EU.
GDPR will give individuals greater control over their own personal data.
GDPR principles:
GDPR will condense the Data Protection Principles into six areas, which are referred to as the Privacy Principles. They are:
1. Settings must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
2. Settings must only use the data for the reason it is initially obtained.
3. Settings must not collect any more data than is necessary.
4. Data must be accurate, and there must be mechanisms in place to keep it up to date.
5. Settings must not keep data for longer than is needed.
6. Settings must protect the personal data.
These privacy principles are supported by a further principle – accountability. This means that settings must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved. All staff will be trained on data protection, and a named data protection officer (Louise Lawson) has been appointed. Documentation on policies, procedures and training is a key part of any effective compliance programme.
Consent for data collection must be freely given, specific, informed and unambiguous.
It must be specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. Consent must be given by an active opt-in, never by silence or inactivity, and it must be kept separate from other terms and conditions. There must be a simple way for people to withdraw their consent.

Individuals have the following rights:
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making including profiling.

Subject Access Requests
Parents/Carers have the right to request information about the data we hold. Children need to get consent from a person holding “parental responsibility”.

I will have a month to comply, although:
• I can refuse or charge for requests that are manifestly unfounded or excessive
• if I refuse, I must say why, and allow the person to complain to the supervisory authority and to a judicial remedy.

Please read my Privacy Notice and Informed Consent Form for further information.

Why I Collect Data 
My Lawful Bases for processing data are:
Contract: the processing is necessary for a contract I have with the individual.
Legal obligation: the processing is necessary for me to comply with the law.
• Working Together to Safeguard Children 
• What to do if you’re worried a child is being abused 
• Norfolk Safeguarding Children Board (NSCB) guidance 
• Revised Early Years Foundation Stage 
• Multi-agency Statutory Guidance on Female Genital Mutilation  
• Protecting children from radicalisation: The Prevent Duty  
• Keeping Children Safe in Education  
• Disqualification Under the Childcare Act 2006  
• Inspecting Safeguarding in Early Years Education and skills Settings
Public task: the processing is necessary for me to perform a task in the public interest or for my official functions, and the task or function has a clear basis in law.
• Working Together to Safeguard Children  
• What to do if you’re worried a child is being abused 
• Norfolk Safeguarding Children Board (NSCB) guidance 
• Revised Early Years Foundation Stage  
• Multi-agency Statutory Guidance on Female Genital Mutilation  
• Protecting children from radicalisation: The Prevent Duty  
• Keeping Children Safe in Education 
• Disqualification Under the Childcare Act 2006  
• Inspecting Safeguarding in Early Years Education and skills Settings 

Who will I share this data with?
Shared data will be used to identify as early as possible any areas where additional support may benefit your child or family. The data will be used to enable partnership working between named professionals, to put plans in place to ensure children are on track to meet their full potential, and to help them overcome any difficulties they may have. Information about children will be obtained from parents and carers by oral, written or electronic means.
I may share information with:
• The child’s Parents and carers
• 0-19 Norfolk Healthy Child Programme
• Norfolk County Council Achievement and Early Years’ Service
• Norfolk Children’s Centres
• Norfolk Health Professionals
• Norfolk Pre-Schools, Schools, Nurseries and Childminders (i.e. other Settings that the child attends)
• Children’s Services
• Multi Agency Safeguarding Hub (MASH)
• Early Help Hub
• Department for Education
• Ofsted
• Department for Health
• Primary Care Trusts
• Qualifications and Curriculum Development Agency
• The Learning Records Service

How I Store / Share / Delete Personal Data:
Electronic data is stored on the Setting’s mobile phone, laptop, iPad tablet, Facebook page, Social Media sites and platforms, advertising displays and on my website.
I also keep paper records confidential and secure.
Data is provided electronically to families via the secure Baby’s Days System.
Data is provided electronically to other professionals via secure email. I use Microsoft Office 365 Message Encryption, a widely used format, for secure emails.
I destroy paper / written records and delete digital data from computers, tablets, cameras, memory devices and the Baby’s Days System after the timescales shown in my Data Privacy Notice.

Data Breaches and Data Protection Impact Assessment

Data breaches may occur due to:
• Inaccurate data being held.
• Inadequate disclosure controls, which increase the likelihood of information being shared inappropriately.
• The context in which information is used or disclosed changing over time, leading to it being used for different purposes without people’s knowledge.
• The sharing and merging of datasets, which can allow organisations to collect a much wider set of information than individuals might expect.
• Information being collected and stored unnecessarily, or not being properly managed so that duplicate records are created, which presents a greater security risk.
• No retention period being established, so that information might be kept and used for longer than necessary.
• Procedures not being in place to detect, report and investigate potential data breaches.

Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information. 

Data breaches are prevented by carrying out Data Protection Impact Assessments.
A DPIA is required where two or more organisations seek to pool or link sets of personal data.
DPIAs must decide which privacy solutions should be used, and record risks, including possible intrusions on privacy. Corporate risks, including regulatory action, reputational damage, financial loss, loss of confidentiality or any other significant economic or social disadvantage, must be considered. The named Data Protection Officer must sign off each risk and record the reasons behind their decisions.

Privacy Solutions

I have devised data retention periods that only keep data for as long as is necessary, before I securely destroy that information.
I implement appropriate technological security measures, such as keypad locks on the mobile phone, password entry on the iPad tablet and computers, limited information carried in Emergency Bags, and photos deleted from the iPhone and iPad at the end of use.
Data is securely backed up onto external storage devices and secure cloud, so that it can be retrieved should there be a failure in technology, allowing normal service to be resumed.
I ensure that information on display around the Setting, on display boards, on the website and social media, doesn’t identify children.
I ensure that other adults in the setting are properly trained and are aware of potential privacy risks. 
I produce guidance for other adults in the setting on how to use IT systems and how to share data if appropriate. 
I use systems which allow individuals to access their information more easily and make it simpler to respond to subject access requests. 
I take steps to ensure that individuals are fully aware of how their information is used and how they can contact me for assistance if necessary. 
I select data processors (Baby’s Days, CPOMS) who will provide a greater degree of security and ensure that agreements are in place to protect the information which is processed on my behalf. 
I produce data sharing agreements which make clear what information will be shared, how it will be shared and who it will be shared with (Informed Consent Form).

Make a complaint:

If you think your data has been misused or that the organisation holding it hasn’t kept it secure, you should contact me. If you’re unhappy with my response or if you need any advice you should contact the Information Commissioner’s Office (ICO).

ICO helpline
Telephone: 0303 123 1113 
The ICO can investigate your claim and take action against anyone who’s misused personal data. You can also visit their website for information on how to make a data protection complaint.

If you wish to access your personal data, or that of your child, then please contact Louise Lawson on 01692 598291.

If you require more information about how the LA and/or DfE store and use this data please go to the following websites:

If you are unable to access these websites, please contact the LA or the DfE as follows: 

Information and Intelligence Team 
County Hall, 
Room 530, 
Martineau Lane, 
NR1 2DL 
Tel: 01603 223913 

Public Communications Unit 
Department for Education 
Sanctuary Buildings 
Great Smith Street 
Tel: 0870 000 2288

Reviewed by Louise Lawson Feb 2023