top of page

GDPR - Privacy & Data Protection

We comply with the Data Protection Act (DPA) 1998 and General Data Protection Regulation 2018 (GDPR) and any subsequent legislation on information handling and privacy. It is necessary for us to collect personal information about you and your child and sometimes we have to confirm or share information with other organisations.


We only collect and retain information for legitimate reasons and that is necessary for what we do. Primarily we collect information to provide effective care and learning to children and to follow good practices in the employment of staff. We believe that the collection and processing of this data is implicitly accepted by the individual agreement to the childcare contract or employment contract concerned. Acceptance of these contracts is given by the use of the service provided or by attendance at work.




Types of information that we collect and hold ;


  • Your and your child’s full name

  • Home address and telephone number

  • Your child’s date of birth

  • Your and your child’s religion and nationality

  • Photographs of yourself, your child and any emergency contacts

  • Your contact numbers and addresses of your emergency contacts

  • Your email address

  • Your child’s medical conditions

  • In some cases, your National insurance number.

  • Any court order information relating to yourself or your child

  • Birth certificate or passport number including date of issue


Whilst your child is with us we store information regarding:


  • Ongoing progress and development records

  • Photographs

  • Accident records

  • Medical records

  • Any relevant Safeguarding/ Child protection information (including photos if necessary)



We will keep data locked securely in the office filing cabinet, any data held electronically is password protected. We will try to make sure that the information about you is accurate and up to date when we collect or use it. You can help us with this by keeping us informed of any changes to the information we hold about you. We aim to keep information about you and your child securely and to protect against unauthorised change, damage, loss or theft. All information collected on paper forms is kept locked away. All computers and tablets are password protected. We will hold information about you and your child only for as long as the law says. After this, we will dispose of it securely and appropriately.




Types of information we collect and hold;


  • Name, address, date of birth and other contact information

  • Copies of certificates

  • Data required for DBS

  • Medial information

  • NI and tax information

  • References from previous employers


We only share any of the above information when requested to do so by the following entities:


  1. Ofsted

  2. Local Authority Children’s department or Safeguarding Team

  3. The Police



At LTNS we use digital records for nappy changes, food intake and sleep charts. However, if the system is not working on any given day this information still needs to be gathered. The same applies for registers for staff and children and other information as outlined below. If paper copies are used again due to a failure in the digital system then the following must be adhered to:


Nappy charts, Food charts, Sleep charts : Put into paper recycling after 3 months.


Staff signing in sheets, Child sign in registers, Outings forms, Risk assessments, Kitchen Food Temperature forms : Shredded and put into paper recycling after 1 year (kept for 1 year incase requested by Ofsted or LA)


Accident and Incident Forms, Medicine Forms : Scanned and saved for 20 years .


Children’s paper files : Shredded after they leave


Staff Paper files : Retained for 1 year and then shredded

Staff Payroll files : Retained for 3 years and then shredded

Accounting Information inc invoices, petty cash, credit cards etc : retained for 6 years and then shredded.


Please contact our Data Protection Officer; Alison Murray at if you have any questions or problems with the Data Protection Act 1998, General Data Protection Regulation 2018, the Human Rights Act 1998 or the Freedom of Information Act 2000. If we cannot help you, we will give you advice on where to get the information you may need. We will let you see the information we hold about you and correct it if it is wrong.


Record keeping


Children’s Records

There are record keeping systems in place that meet legal requirements; means of storing and sharing that information take place within the framework of the Data Protection Act and the Human Rights Act and GDPR. This policy and procedure is taken in conjunction with the Confidentiality Policy and our procedures for information sharing.

We keep two kinds of records on children attending our setting:

Developmental records

These include observations of children in the setting, photographs, video clips and samples of their work and summary developmental reports. These are usually kept in the playroom and can be freely accessed, and contributed to, by staff, the child and the child’s parents.


Personal records

These include registration and admission forms, signed consent forms, and correspondence concerning the child or family, reports or minutes from meetings concerning the child from other agencies, an ongoing record of relevant contact with parents, and observations by staff on any confidential matter involving the child, such as developmental concerns or child protection matters. These confidential records are stored in a lockable file or cabinet and are kept secure by the person in charge in an office or other suitably safe place. Parents have access to the files and records of their own children but do not have access to information about any other child.

Staff will not discuss personal information given by parents with other members of staff, except where it affects planning for the child's needs.  Staff induction includes an awareness of the importance of confidentiality in the role of the key person

Provider records

We keep records for the purpose of maintaining our business. These include:

  1. Records pertaining to our registration.

  2. Landlord or lease documents and other contractual documentation pertaining to amenities, services and goods.

  3. Financial records pertaining to income and expenditure.

  4. Risk assessments.

  5. Employment records of staff.


Our records are regarded as confidential on the basis of sensitivity of information, such as with regard to employment records and these are maintained with regard to the framework of the Data Protection Act and the Human Rights Act.

This policy and procedure is taken in conjunction with the Confidentiality and Client Access to Records policy and Information Sharing policy.

  1. All records are the responsibility of the officers of the management who ensure they are kept securely.

  2. All records are kept in an orderly way in files and filing is kept up-to-date.

  3. Financial records are kept up-to-date for audit purposes.

  4. Health and safety records are maintained; these include risk assessments, details of checks or inspections and guidance etc.

  5. Our Ofsted registration certificate is displayed.

  6. Our Employment Liability insurance certificate is displayed.

  7. All our employment and staff records are kept securely and confidentially.

  8. Records are retained for periods of time as per legal requirements (Data Protection Act or  Companies Act  or Charities Act  or Taxes Management Act and HMRC)



Confidentiality and client access to records


In our setting, it is our intention to respect the privacy of children and their parents and carers, while ensuring that they have access to the highest quality of preschool care and attention.

We aim to ensure that all parents and carers can share their information in the confidence that it will only be used to enhance the welfare of their children.

Confidentiality procedures

  • To ensure that all those using, and working in, the Nursery Schools can do so with confidence, we respect confidentiality in the following ways.

  • Parents have access to files and records of their own children but do not have access to information about any other child.

  • Staff will not discuss personal information given by parents with other members of staff, except where it affects planning for the child's needs. 

  • Staff induction includes awareness of the importance of confidentiality in the role of the key person.

  • Concerns or evidence relating to a child's personal safety are kept in a secure, confidential file and shared with as few people as possible.

  • Personal information about children, families and staff is kept securely in a lockable file whilst remaining as accessible as possible.

  • Issues to do with the employment of staff, whether paid or unpaid, remain confidential to the people directly involved with making personnel decisions.

  • Students on placements and training, are required to read our confidentiality policy and are required to respect it.


The above undertakings are subject to the paramount commitment of the nursery, which is to the safety and well-being of the child.  Please also see our policy on Child Protection.


Information sharing


We recognise that parents have a right to know that information they share will be regarded as confidential as well as be informed about the circumstances, and reasons, when we are obliged to share information.

We are obliged to share confidential information without authorisation from the person who provided it or to whom it relates if it is in the public interest. That is when:

  • It is to prevent a crime from being committed or intervene where one may have been, or to prevent harm to a child or adult; or

  • Not sharing it could be worse than the outcome of having shared it.


The decision should never be made as an individual, but with the back-up of company directors. The three critical criteria are:

  1. Where there is evidence that the child is suffering, or is at risk of suffering, significant harm.

  2. Where there is reasonable cause to believe that a child may be suffering, or at risk of suffering, significant harm.

  3. To prevent significant harm arising to children and young people or serious harm to adults, including the prevention, detection and prosecution of serious crime.


Our policy and procedures on information sharing provide guidance to appropriate sharing of information with external agencies.

Our procedure is based on the 7 golden rules for information sharing as set out in ‘Working Together to Safeguard Children 2018.’  


1. The General Data Protection Regulation (GDPR) Data Protection Act 2018 and human rights law are not barriers to justified information sharing but provide a framework to ensure that personal information about individual living persons is shared appropriately.


2. Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.


3. Seek advice from other practitioners, or your information governance lead, if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible.


4. Where possible, share information with consent, and where possible, respect the wishes of those who do not consent to having their information without consent if, in your judgement, there is a lawful basis to do so, such as where safety may be at risk. You will need to base your judgement on the facts of the case. When you are sharing or requesting personal information from someone, be clear of the basis upon which you are doing so. Where you do not have consent, be mindful that an individual might not expect information to be shared.


5. Consider safety and well-being: base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions.


6. Necessary, proportionate, relevant, adequate, accurate, timely and secure: ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely.


7. Keep a record of your decision and the reasons for it- whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.


In our setting we ensure parents;


  • Receive information about our information sharing policy when starting their child in the setting and they sign a form to say that they understand circumstances when information may be shared without their consent. This will only be when it is a matter of safeguarding a child or vulnerable adult. This is on our settle form.

  • Have information about our Safeguarding Children and Child Protection policy; and

  • Have information about the circumstances when information will be shared with external agencies, for example, with regard to any special needs the child may have or transition to school.


Seek advice when there are doubts about possible significant harm to a child or others.

Managers contact children’s social care for advice where they have doubts or are unsure.

Share with consent where appropriate. Respect the wishes of children and parents not to consent to share confidential information. However, in the interests of the child, know when it is reasonable to override their wish.

Guidelines for consent are part of this procedure.

Managers are conversant with this and are able to advise staff accordingly. Consider the safety and welfare of the child when making a decision about sharing information – if there are concerns regarding ‘significant harm’ the child’s well-being and safety is paramount.

In our setting we:

  • Record concerns and discuss these with the setting’s DSL and Senior Management where necessary

  • Record decisions made and the reasons why information will be shared and to whom; and

  • Follow the procedures for reporting concerns and record keeping.


Our Child Protection procedure and GDPR policy set out how and where information should be recorded and what information should be shared with another agency when making a referral. Reasons for decisions to share information, or not, are recorded.

Fears about sharing information must not be allowed to stand in the way of the need to promote the welfare, and protect the safety, or children, which must always be the paramount concern.


Parents have a right to be informed that their consent to share information will be sought in most cases, as well as the kinds of circumstances when their consent may not be sought, or their refusal to give consent may be overridden.

We do this as follows:

  • Our policies and procedures set out our responsibility regarding gaining consent to share information and when it may not be sought or overridden.

  • We may cover this verbally when the child starts or include this in our prospectus.

  • Parents sign a form at registration to say they understand this.

  • Parents are asked to give written consent to share information about any additional needs their child may have, or to pass on child development summaries, to the next provider or school.

  • Copies given to parents of the forms they sign.


We consider the following questions when we need to share:

  • Is there legitimate purpose to sharing the information?

  • Does the information enable the person to be identified?

  • Is the information confidential?

  • If the information is confidential, do you have consent to share?

  • Is there a statutory duty or court order to share information?

  • If consent is refused, or there are good reasons not to seek consent, is there sufficient public interest to share information?

  • If the decision is to share, are you sharing the right information in the right way?

  • Have you properly recorded your decision?


All the undertakings above are subject to the paramount commitment of the setting, which is to the safety and well-being of the child

Updated July 2023

bottom of page