How We Keep Your Data Safe

At Snapdragons we understand how important it is to keep every child’s personal information safe. We follow the UK’s Data Protection Act 2018 and the General Data Protection Regulation (GDPR), we invest in strong security measures and external audits, and we are working towards certification in industry-recognised schemes such as UK Cyber Essentials & UKCE+. Whether you’re a current parent, a past parent, or a member of the team, you can be confident that we handle personal data responsibly, transparently, and with care at every stage of a child’s journey with us.

Our Commitment to Data Protection

ICO Registration & GDPR Compliance

Snapdragons Nurseries Ltd is a registered Data Controller with the UK Information Commissioner’s Office (ICO). We comply with the Data Protection Act 2018 and all twelve GDPR principles, ensuring that every piece of personal information is:

  • Collected and processed fairly and lawfully

  • Used only for specific, legitimate purposes

  • Accurate, relevant, and limited to what is necessary

  • Kept up to date and stored securely

  • Retained only for as long as required by law or legitimate operational needs

Legal Bases for Processing

We only process personal data when there is a valid legal reason, such as:

  • Consent: when parents, carers, or employees give clear permission for a specific purpose.

  • Contract: when it is necessary to fulfil an employment or childcare agreement.

  • Legal Obligation: when the law requires us to keep certain records, for example for safeguarding or funding.

Everyone at Snapdragons has an important role to play in protecting personal information. We provide data-protection training during induction periods and, as part of our upcoming improvements, are now expanding this with regular refresher sessions and internal and external audits. These enhancements will ensure that every team member stays up to date with best practice. Our Data Protection Policy is supported by other policies, such as our Retention Policy, Data Handling Policy, and Data Breaches Procedure, creating a single, consistent framework for managing and protecting personal information. You can access all of our Data Protection policies at our policy website here.

Security Measures We Use

Access Control

Employees can access only the information they need for their role, limiting exposure of sensitive details.

Two-Factor Authentication

Two-factor authentication (a password plus a unique time-based access code) is enforced on every Snapdragons account, making unauthorised access far less likely.

Strong Device Security

All of our devices (desktop & mobile) are enrolled in an MDM server which manages security profiles across the company and enforces Azure Directory enrolment and automatic time-outs on logins.

The devices can also be locked or wiped if lost, and check in with the server every 15 minutes. Mobile devices are IP-gated to prevent unauthorised access when used at offsite locations.

Monitored Email & File Handling

Company email systems prevent mass transmission of sensitive data and restrict forwarding of confidential documents to outside parties.

We make use of sensitivity labels and server-based rules to block unauthorised sharing with individuals outside of the company directory.

Paper records are locked away and never left where they could reveal a child’s identity.

User Account Monitoring

We monitor company logins and systems to detect unusual activity and potential data loss, responding swiftly to any suspicious signs. Automated systems flag ‘risky’ events and block accounts that could be vulnerable, preventing further access until they have been assessed.

Regular Security Audits

Starting soon, Snapdragons will also invite independent external assessors to review our controls.

Cyber Essentials Verification

We are working toward UK Cyber Essentials accreditation to provide parents and carers with third-party assurance of our defences.

Ongoing Team Refreshers

In addition to the existing GDPR and Cyber induction training every employee undergoes, we are implementing annual refresher courses to keep every team member up to date with best practice.

Data Retention & Deletion

Our nursery systems are hosted or processed by carefully selected providers, such as Squarespace (website hosting), Cognito Forms (secure online forms), Microsoft (UK-based datacentres), Signable, and Connect Childcare / Famly (nursery management).

Each provider, including Famly, must meet strict confidentiality and security standards and undergo independent third-party security audits.

Because children’s learning journeys, observations and photos are stored within Connect Childcare / Famly, we hold these services to the highest standards of security. Our employee accounts on these systems are synchronised through Microsoft Azure, enabling fast, centralised and role-based access management, so only the right people can reach the right data.

Why We Keep Certain Records

UK childcare providers are legally required to keep some records for extended periods. For example, accident and incident reports, attendance registers, and safeguarding notes must be retained for up to 20 years to meet statutory and insurance requirements. These records can be essential if a historic safeguarding or legal query arises.

How We Decide What to Keep

We follow a formal Retention Policy that sets clear timelines for every type of record. Each category - child files, employee records, financial documentation - has a defined retention period based on legal or regulatory guidance. If we ever keep information longer than these guidelines, we would document the reason. You can access our retention policy here.

Secure Storage & Access

While records are retained, they are locked, encrypted, and strictly access-controlled. Paper files are stored in locked cabinets; digital records are encrypted and protected by role-based access control so only employees with a genuine need can view them.

Deletion and Disposal

When a record reaches the end of its retention period, it is securely destroyed:

  • Paper records are cross-cut shredded.

  • Digital files are deleted from systems and backups according to our Data Handling procedures.

Your Right to Erasure

Under Article 17 of the UK GDPR you have the right to request that we erase your (and your child’s) personal data. We will honour these requests wherever possible, but this right cannot be exercised while a child is actively attending Snapdragons, because we must retain personal data to provide care and to meet safeguarding and legal requirements.

Even after a child leaves, some records, such as accident reports and statutory registers, must be kept for defined periods (up to 20 years) to comply with regulations and insurance obligations.

Handling Data Breaches

Even with strong protections in place, no organisation can promise that a breach will never occur. Snapdragons will, however, act quickly and transparently if something ever goes wrong.

Any suspected breach is recorded straight away in our secure Data Protection SharePoint by the Nursery Data Protection Controller (NDPC).

Critical incidents are escalated immediately to the Lead Data Protection Controller (LDPC) who assesses the situation and takes steps, such as shutting down affected systems, to minimise risk.

We are legally required to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a serious breach. Where personal data is at risk, we inform affected families within 24 hours of ICO notification, providing clear information on what happened and practical steps they can take to protect themselves.

We will conduct a thorough investigation to identify how the breach occurred, working with our management team to contain the issue and prevent recurrence. If criminal activity is suspected, we liaise with the police and other relevant authorities.

Every breach triggers a formal review of our policies, technical controls, and staff practices.

Contact & Further Information

For further information you can contact our privacy team on privacy@snapdragonsnursery.com.