At Snapdragons Nurseries Ltd, we promise to keep your data safe and private and only use your personal information to manage your account and provide tailored care to your child.
Your privacy is protected by law and the General Data Protection Regulation (GDPR) which says that we are allowed to use personal information only if we have a proper reason to do so. This includes sharing outside of Snapdragons Nurseries Ltd. The law says we must have one of more of these reasons:
- To fulfill a contract we have with you, or
- When it is our legal duty, or
- When it is in our legitimate interest, or
- When you consent to it.
A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. If we rely on our legitimate interest, we will tell you what that is.
From time to time, we will need to contact you, via phone, email or the Parent Zone app to provide you with nursery updates, share relevant news or send your monthly invoices.
The categories of child information that we collect, hold and share include
- Personal information and contacts (such as name, date of birth and address)
- Characteristics (such as ethnicity, language, nationality, country of birth)
- Attendance information (such as sessions attended, absences and absence reasons)
- Assessment information (such as development records, progress reports and observations)
- Medical information (such as immunisation records, allergy information or dietaries)
- Safeguarding information (such as court orders and professional involvement)
- Special educational needs (including the needs and ranking)
Why we collect and use this information
We use child data:
- to support child learning
- to monitor and report on child progress
- to provide appropriate care
- to assess the quality of our services
- to comply with the law regarding data sharing
The lawful basis on which we use this information
We collect and use child information under GDPR Article 6, 1b, 1c and 1f, as well as Article 9, 2a and 2c.
Collecting child information
Whilst the majority of child information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the GDPR, we will inform you whether you are required to provide certain child information to us or if you have a choice in this. Data will be collected via your registration form and parent contract, as well as through a selection of introduction forms when your child begins the nursery. You may also be asked to sign local authority forms, such as funding consent.
Storing child data
We hold child data for up to seven years from their start date with Snapdragons Nurseries Ltd, or two years from their last day. Data on our forms is collected through Cognito Forms and initially held in a US-based datacentre, before being moved to permanent storage on a secure Microsoft-owned datacentre, hosted in the EU. Data is then removed from Cognito Forms and not stored there longer than is necessary to process the intial data.
Who we share child information with
We routinely share child information with:
- schools or settings that the child attends after leaving us
- our local authority
- Sharing of child information
We do not share information about our children with anyone without consent unless the law and our policies allow us to do so.
Data collection requirements:
To find out more about the data collection requirements placed on us by the Department for Education, go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
Requesting access to your personal data
Under data protection legislation, parents have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational records, contact your Nursery Manager or Nursery Data Protection Officer.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
Right to be forgotten
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. Whilst a child or employee still attends Snapdragons, the right may not be exercised, as the personal data is still necessary for the purpose for which we originally collected it for.
Authorised third parties
We use a number of authorised third-parties to provide our services. They are not permitted to use information we share with them for any other purpose.
Secure hosting of Snapdragons Nursery is essential to both us and our families. That is why we entrust Squarespace, an industry leader in secure website hosting, to protect all of our website data.
Cognito Forms provide processing of all forms on our website, allowing us to capture the information we need for your child’s registration or your job application. Their data is stored on Amazon datacentres in the United States. Data is only temporarily stored with Cognito Forms before being moved to Snapdragons’ own servers (see 8.3. Microsoft) upon verification by a manager.
All customer and employee data, and the servers that process this data, are securely managed by Microsoft, geo-replicated in real time to multiple datacenters in the United Kingdom and Europe. Microsoft has more security certifications than any other cloud provider. More information about these security measures can be found in the Office 365 Trust Center.
Your personal data will be input into the Connect Childcare system, which helps us manage our nurseries. Your data is held in secure data centres hosted by Memset and Amazon Web Services and can only be accessed by authorised personnel.
To comply with Ofsted requirements, visitors to our nurseries must sign in to confirm they are on site. Snapdragons have selected Envoy as their visitor management system, as it allows high levels of flexibility for managing our visitors and high security for your data. Their data is stored on secure datacentres in the United States. We remove all visitor data older than one year, although you may request to have your personal information removed at any time before this time elapses. Please email us at firstname.lastname@example.org with your name, nursery visited and the date of the visit to make this request.
Notice of Breach of Security
We will notify you if there was a breach of your personal information. If a security breach causes an unauthorised intrusion into our system that materially affects you or your information, then we will notify you as soon as possible and later report the action we took in response.
Safeguarding Your Information
We work hard to keep your information safe and secure. We take reasonable and appropriate measures to protect personal information from loss, misuse, and unauthorised access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal information. We rely on Microsoft and Connect Childcare to safeguard the physical and technical security of your information, and we have documented and enforced controls to limit access to, and to protect your information.
Questions & Concerns
Please email us at email@example.com if you have any questions about the privacy or accuracy of your information!
43 Bath Road,
Last modified: May 19th 2018