PolicyAndPlay Policy Template Updated 2024

[Your Setting Name]

Policy: GDPR & Data Protection Version: 2.0 Review date: [Date]

PolicyAndPlay template: Replace all [bracketed placeholders]. This policy is aligned to the UK GDPR (as retained under the Data Protection Act 2018) and is suitable for childminders and small nurseries acting as data controllers.

GDPR & Data Protection Policy

1. Introduction

[Setting Name] is committed to protecting the privacy and security of personal data we hold about children, their families, and staff. This policy explains what data we collect, why we collect it, how we keep it safe, and what rights individuals have.

As a childcare provider, we act as a Data Controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Our Data Protection Lead is: [Your Name]
Contact: [email address]

We are registered with the Information Commissioner's Office (ICO): [ICO Registration Number — or "Registration pending"]

  Do I need to register with the ICO? Most childminders who process personal data for purposes other than their own personal use must register with the ICO. Registration costs £40/year for small organisations. Check ico.org.uk to confirm your obligation and register online.

2. What Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Children

Full name, date of birth, address
Photograph (for identification and learning journeys)
Medical information: allergies, conditions, medications, immunisation status
SEND status and education, health and care plans (EHCPs)
Observation notes, assessments, and learning journey records
Accident and incident records
Free childcare entitlement (15/30 hours) — funding records

2.2 Parents and Carers

Full name, address, phone number, email address
Emergency contact details
Parental responsibility status
Financial information: payment records, direct debit details (where applicable)
Any court orders or safeguarding concerns relevant to the child

2.3 Staff and Volunteers

Full name, address, contact details
DBS check details and dates
Qualifications and training records
References and employment history
Payroll and tax information

3. Why We Process Personal Data — Lawful Basis

Data type	Purpose	Lawful basis (UK GDPR)
Child's name, DOB, address	Registration and identity verification	Contract (Art 6(1)(b))
Medical / health information	Keeping the child safe; duty of care	Vital interests (Art 6(1)(d)) + explicit consent for special category data (Art 9(2)(a))
Observation records / learning journeys	EYFS requirement to track development	Legal obligation (Art 6(1)(c))
Photographs of children	Learning journeys, parent communication	Legitimate interests (Art 6(1)(f)) + parental consent
Financial/payment records	Invoicing, tax compliance	Contract + legal obligation
Funding claims (15/30 hours)	Claiming free childcare funding	Legal obligation
Staff DBS records	Safer recruitment / Ofsted requirement	Legal obligation
Accident and incident records	Health & safety; Ofsted requirement	Legal obligation

4. How We Keep Data Secure

4.1 Physical data

Paper records are stored in a locked filing cabinet at [location]
Only the data protection lead has access to the cabinet
Documents are not left visible or accessible to other parents, children, or visitors
Sensitive documents are disposed of by shredding

4.2 Digital data

Digital records are stored on a password-protected device
Cloud storage (if used): [e.g. Google Drive, iCloud] — protected with a strong password and two-factor authentication
Learning journey apps (if used): [e.g. Tapestry, Evidence Me] — all accounts are password protected and set to private
We do not store personal data on unencrypted USB drives
Devices are locked when not in use and secured if lost or stolen

4.3 Sharing data

We will only share personal data with third parties where:

The parent has given explicit consent (e.g. sharing with a childminder network app)
We have a legal obligation to do so (e.g. Ofsted inspection, statutory safeguarding referral)
It is necessary to protect the child's vital interests

We do not sell, rent, or share personal data for marketing purposes.

5. Retention Periods

Record type	Retention period
Children's records (registration, obs, learning journeys)	Until the child turns 25 (or 21 if no injury/accident involved)
Accident / injury records	Until the child turns 21, or 3 years minimum
Safeguarding records	Indefinitely (in line with LSCP guidance)
Financial/payment records	7 years (HMRC requirement)
Staff records	7 years after employment ends
DBS check records	6 months after check date (number only retained thereafter)
CCTV footage (if used)	31 days maximum unless required for investigation

6. Your Rights Under UK GDPR

Parents, carers, and staff have the following rights regarding their personal data:

Right of access — You can request a copy of all data we hold about you or your child (Subject Access Request). We will respond within one month.
Right to rectification — You can ask us to correct inaccurate data.
Right to erasure — You can ask us to delete data we no longer need, unless we have a legal obligation to retain it.
Right to restrict processing — You can ask us to pause processing of your data while a complaint is being investigated.
Right to object — You can object to processing based on legitimate interests.
Right to withdraw consent — Where processing is based on consent (e.g. photographs), you can withdraw consent at any time.

To exercise any of these rights, contact: [Your email address]

7. Data Breaches

A data breach is any accidental or unlawful loss, destruction, disclosure, or access to personal data. If a breach occurs:

The data protection lead is informed immediately
The breach is contained where possible (e.g. changing passwords, recovering lost documents)
The breach is assessed for risk to individuals
If the breach poses a risk to individuals, the ICO is notified within 72 hours
Affected individuals are notified if there is a high risk to their rights and freedoms
All breaches are recorded in our Data Breach Log, regardless of severity

8. Photography and Social Media

We obtain written consent from parents before photographing children, stating the purpose and where images will be stored
Photographs are used only for learning journeys and communication with the child's parents — never shared publicly without explicit consent
We do not post images of children on personal or business social media accounts without specific, separate consent from parents
Children are never identified by name alongside a photograph in any publicly accessible platform

9. Policy Review

This policy is reviewed annually or when data protection law changes. Next review: [Date]

If you have a concern about how we handle your data that we cannot resolve, you have the right to complain to the ICO: ico.org.uk | 0303 123 1113

Signature of Data Protection Lead

Date signed