Data Protection, Privacy, and other Information...
Your Privacy
At The Old Railway House, we are committed to protecting your privacy.
We are registered with the ICO (Information Commissioner’s Office www.ico.org.uk) and renew our registration annually.
We have previously complied with the requirements of the Data Protection Act 1998 (DPA), however there are several new elements and significant enhancements which require a more coherent and focused approach to data protection. We are currently updating all our records and processes to ensure that we are fully compliant with the data protection standards introduced by the General Data Protection Regulation (GDPR) on 25 May 2018.
Our Privacy Statement describes how we implement certain regulations as laid out in the GDPR 2018 including what data we collect, how we use it, how we protect it and what your rights are.
The Director/s, along with the Nursery Manager, and Assistant Manager (whom we have also appointed as Data Protection Co-ordinator), are responsible for ensuring compliance.
Any new forms and/or documents created from 25th May 2018 will, by default, have been created with new protection laws in mind.
What information do we collect?
We hold the data that you provide/have provided to us upon registration and during the period that we look after your child (as well as any period following this that we are legally bound to hold information).
We collect and use information under lawful bases established by the GDPR. For much of the information we hold, we have a legal, contractual and legitimate interest to do so, in ways you would reasonably expect us to. This is balanced against your rights under data protection laws.
Examples of the information we hold about you and your child/children:
- Your name, your contact details (including address, telephone number/s, email address etc.), DOB, NI number etc.
- Your child's name, their DOB, sessions attended, dietary/allergy information, photographs, ethnicity etc.
- Details about your family and other dependants etc.
How we collect data about you...
We mainly collect data upon your registration with us. We also ask you to update your details when anything changes and carry out regular update checks to ensure that the data we hold is correct and relevant.
What we use your information for...
We predominantly use your information to contact you about your child, and for the legal and business reasons associated you accessing our services, such as invoicing, internal record keeping, keeping you informed about nursery in general.
We are committed to ensuring that your information is secure, and the appropriate measures are in place to safeguard and secure the information that we collect.
We will only keep your data for as long as we need it legally, with consent, contractually, for vital interest, legitimate interest, or as a matter of public task.
Sharing your personal information...
We will only ever use data for its intended purpose, and we will not pass on, sell or otherwise distribute your personal information, or that of your child/children, unless we are legally, consensually, contractually obliged to do so, or if it is for reasons of vital interest, legitimate interest, or matter of public concern.
For example, it would be our legal interest to disclose certain information to regulatory bodies (i.e. OFSTED), safeguarding and welfare bodies (i.e. to Walsall Children's Services). It is our legitimate interest to share certain information with government departments, local authorities (i.e. Walsall Council, Family Information Services), for the purpose of funding etc. We are required to share certain data with official bodies (such as HMRC or the Department for Work and Pensions (DWP) on a statutory basis.
Any sharing of data in these ways would always be secure and/or encrypted.
Securing your personal data…
We take measures to ensure that the data we hold about you and your child is safe and secure.
We implement various strategies, controls, policies and measures to keep your data secure, and we keep these measures under review.
We protect data using encryption, password protection, firewalls, anti-virus software, physical controls (i.e. locked cabinets, doors) etc.
Yours and your child’s data is only accessible to employees who require it to carry out their job responsibilities.
Further details about how we keep your data safe and secure are available within our GDP file which is kept in the management office at nursery and available to view at any time.
Retention of your personal data…
We will only retain your personal data for as long as is necessary for the purposes described within our asset register. This means that the retention periods will vary according to the type of the data and the reason that we have the data in the first place.
To ensure future compliance, we will have procedures in place regarding our retention periods which we will keep under review, taking into account our reasons for processing your personal data and the acceptable basis for doing so.
Website...
Our website has been created using Weebly. Weebly adheres to regulations set out within the new GDPR guidelines. Confirmation of this can be found within our asset register.
Our website collects anonymous information about which pages have been visited, what referral site (if any) was used (i.e. Google, Instagram, Facebook etc.). Our website collects stats on unique visitors and page views. These analytics do not collect any personal information about you. This information helps us to improve our website. We only use this data for statistical analysis.
Should you choose to contact us via our website via email form, our website collects the information you input (name, email address, telephone number, details about your child’s age, sessions etc.).
This information is emailed to our nursery email address and held on our website ‘Dashboard’. Both are password protected and only accessible by Management and Directors.
This data would only be used for the purpose of the initial request and/or to contact you about a nursery event that may be of interest (if consent given) and would be cleared after two years.
Links to other websites...
Our website may contain links to other websites of interest. Once you have used these links to leave our site, you should note that we do not have any control over that other website.
We cannot therefore be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement.
You should exercise caution and look at the privacy statement applicable to the website in question.
Over the years, we have benefitted from the many recommendations and referrals parents have made to other parents about our nursery. We try to support other local businesses where we can, so from time-to-time, may share things via our website, social media etc., that may be of interest to our parents. Please note we are not affiliated with any company/organisation/individual that we may share details of, nor have we received any financial compensation for doing so, unless explicitly stated. Companies who we might share details of have their own pricing structures and business models and we are not involved in any way in their practices, nor can we recommend their products or services as we may not have used them personally/professionally (again, unless otherwise stated).
Social media...
If you contact us on social media, we will be able to view your profile according to your own privacy settings. We will only contact you via direct message if you have contacted us via this method first (consent) or if it is urgent to do so as a last resort (vital interest) - this only applies if you engage with us on social media, i.e. by 'liking' our Facebook page, or 'following us' on Instagram. We may invite you to ‘follow’ or ‘like’ our social media pages, but we would never contact you via your profile unnecessarily.
We will never disclose personal information, or upload photos containing items that could be used to identify you or your child on social media. Our main use of social media will be to notify parents of urgent messages (for example nursery closures, maintenance issues etc.), to inform parents about events taking place at nursery, and/or to share general information about activities/celebrations etc. at nursery, or safety messages/other useful information.
In addition to our core business purposes, we may use your data to invite you to family celebrations days/events, and/or any ‘extra-curricular’ activities you may be interested in for you or your child. You can choose to ‘opt-out’ of being contacted about this sort of item at any time by advising the Nursery Manager or Assistant Manager in writing (via email or letter).
GDPR Policy...
You can read our GDPR Policy here.
We also have an ‘Asset Register’ available on site should you wish to see it, which details each piece of data we hold, for what reason, who has access to it, and for how long it is kept. Please note this is an ongoing document and may not be fully complete and/or updated at a point you request to see it.
If you believe that any information we are holding on you or your child/children is incorrect or incomplete, please write to or email us as soon as possible, at the below address. We will promptly correct any information found to be incorrect.
Queries or concerns?
You have rights under the GDPR relating to your personal information. Under the GDPR, you have the right to request access to information about you that is held by an organisation. To make a request for your personal information held by The Old Railway House Nursery Ltd., please see the contact details below, and your request will be dealt with within 30 days.
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with the Director via the Nursery Manager or Data Protection Co-ordinator (Assistant Manager) in the first instance. This does not affect your right to complain to the Information Commissioner’s Office (ICO) (ico.org.uk). You can find out more about your rights under the GDPR here: https://ico.org.uk/your-data-matters/.
In the instance of a data breach, we must notify the ICO within 72 hours of it first coming to our attention. Failure to comply will result in a fine.
If you have any queries about this Privacy Notice or how we process your personal information, please contact us , or write to us and send it to: FAO: Director, The Old Railway House Nursery Ltd., 15 Station Road, Aldridge, Walsall, WS9 8NU.
We reserve the right to change policies relating to data protection and GDPR at any time. If we do, then we will post on our website and/or via social media/nursery newsletter etc. that our policies have been updated.
Last Updated: AT 25.05.2018