GDPR PRIVACY NOTICE
This GDPR Privacy Notice is intended to add to and extend our existing policies pertinent to Data Protection – including Information Security, Documentation & Information, Acceptable Use (of electronic devices), Staff Development & Training; as well as the regulations and requirements of the Data Protection Act, Freedom of Information Act and the new EU GDPR legislation.
The aim of this GDPR Privacy Notice is to explain what additional measures BOSH, as an organisation, has taken, or will be taking, to ensure that it is compliant with the data protection expectations and requirements of the new GDPR regulations applicable to all organisations across the EU.
Data Protection Officer
The Data Protection Officer for BOSH is designated as Jon Langston.
Joint Controllers
The Joint Controllers of the personal data of BOSH customers, children and staff are:
- Julia Child, self-employed finance manager for BOSH;
- Orient Consultancy, third party web developers of the BOSH website;
- Evidence For Learning (E4L), which is a third party software tool used for recording and storing evidence for child(ren)’s learning and development.
Legal Basis We Rely On
The law on data protection sets out a number of different reasons for which a company may collect and process personal data.
- Consent – We collect and process data, with individual consent, when you register with BOSH as we need to store and use this data in order to provide the BOSH childcare services for your child(ren).
- Legal Compliance – If the law requires it, for example for a safeguarding issue, we may need to process your, or your child(ren)’s, personal data.
Purpose of Personal Data Processing
BOSH stores information related to its staff, customers and their children in order to carry out its responsibilities and duties as a diligent childcare provider. This may include confidential information about individuals and that which is protectively marked.
BOSH does not share this information with any third parties, other than the joint controllers mentioned above, who need the information to support the BOSH business. BOSH does not use any of the personal data stored for any reason other than to assist in the running of the BOSH childcare services – either for the customers and their children or for the management of staff employed by BOSH.
Categories of Personal Data
The types of data stored by BOSH are described in more detail in the BOSH Documentation & Information policy; in summary they are:
- Customers – contact information, authority forms, registration form, BOSH account information;
- Children – age, gender, any relevant special dietary or health needs, immunisation details, attendance records and potentially any information related to incidents, behavioural issues, accidents; as well as photographs, video and written evidence gathered using the E4L iPad application;
- Staff – contact information, bank details, training & qualification details, Personal Development Plans, job specification and employment contract, and potentially any disciplinary information.
BOSH retains financial data for as long as it is legally required to do so (7 years at the time of writing). Customer data is retained for a maximum of one year after a customer has stopped using BOSH childcare services, or until the account has been settled and closed with a zero balance, whichever is the later. A child’s data is always associated with a customer’s data and is therefore retained for the same period; any exceptional additional data retained about a child is erased as soon as is practicable and legally possible after the child has ceased using BOSH services. E4L evidence personal data is bundled into a PDF document (Learning Journey) and emailed to parents/carers, after which the data is erased.
BOSH stores all personal data for customers, children and staff electronically wherever possible. Electronic data is protected by secure accounts, accessed using encrypted passwords and memorable words, and is stored securely in our website database or in our OneDrive cloud storage. Hard copies are printed only when absolutely necessary to deliver our services or to meet Ofsted regulatory requirements; they are usually temporary and are confidentially shredded, by a certified third party, when no longer needed.
Personal data is not stored on staff members’ personal devices; it is stored only on one designated device per BOSH club, which is password- and/or PIN-protected and is used only by the Play Manager or the Data Protection Officer. Sharing a single login/password between multiple members of staff is not permitted.
Rights of Individuals
Individuals for whom BOSH controls and processes personal data have various rights regarding their personal data. BOSH provides each parent/carer of a child cared for by BOSH with their own personal, secure website account, which allows the parent/carer to see the following personal data that BOSH controls:
- parent/carer contact data;
- parent/carer security (login) data;
- all personal data related to the parent/carer’s child(ren) – including age, gender, relevant dietary/health needs and attendance registers.
Parents/carers are able to rectify any mistakes with this data via this same mechanism. If parents/carers notify BOSH of changes to their personal details, BOSH can make these rectifications on their behalf.
BOSH is automatically notified of any updates parents/carers make to their data, so that the change can be replicated, where necessary, in the third-party QuickBooks accounting database; when BOSH makes such rectifications on behalf of parents/carers, it applies the change there as well.
When a parent/carer ceases to use BOSH services, access to this data is de-activated; parents/carers are sent a final Learning Journey from the E4L application, if available, for their child(ren), and their website and E4L accounts are erased. All personal data held in the BOSH database within the third-party QuickBooks system is erased as soon as the parent/carer’s financial account has been finalised (i.e. has a zero balance).
Personal data held for Holiday Club only users will be retained until BOSH deems them to have become inactive and the data is no longer required for financial records, OR until a Holiday Club user requests that their account is closed and erased and they have paid all monies owing to BOSH. As with all other parent/carer/child personal data, Holiday Club user/child data is not used for any purpose other than providing the childcare services and collecting monies owing to BOSH.
Annual audits of personal data are conducted at the end of each academic year, in August, when any old data, due for deletion, is erased.
All personal data controlled by BOSH is either provided by the individuals concerned, or else has been recorded by a member of BOSH staff during the provision of the childcare services. No personal data is sourced from any third party.
All individuals for whom BOSH controls or processes data have had to explicitly provide permission for BOSH to store their personal data. BOSH is unable to provide childcare services for children without this specific permission, so it is a condition of using BOSH services: it is a regulatory and safeguarding requirement and a business necessity, since BOSH must be able to charge for the services and to pay staff for their work.
- Parents/Carers – Permission is explicitly sought to store personal data regarding parents/carers and their child(ren). This is achieved on the BOSH Registration Form. Parents/Carers are informed about the BOSH GDPR policies and procedures at registration.
- Staff – Employees are informed of their responsibilities pertaining to GDPR legislation, with respect to parents/carers and their children, at induction. Employees are informed of their rights pertaining to GDPR legislation, with respect to their personal data stored by BOSH, at induction and are explicitly asked for permission when they sign their contract of employment and when they complete their personal details form.
- Third-Parties – The Joint Controllers referred to above are required to sign a declaration that they have agreed to BOSH policies and have read and understood their responsibilities with respect to GDPR legislation.
Erasure of Personal Data
In addition to the procedures above concerning the deletion of personal data for parents/carers and their children, staff records are also subject to retention and deletion procedures.
Disciplinary data is only stored for as long as is required under the provisions in the BOSH Employee Handbook. Employee Personal Data is stored for a period of 7 years after a member of staff has ceased to be employed by BOSH, in line with financial data retention requirements.
Any request by an individual for details of the personal data held about them by BOSH will be processed within the statutory period of one month under the GDPR. The data will be provided in one of the following formats, as chosen by the requestor: email text, CSV file or printed copy.
This Policy will be reviewed on a regular basis to ensure that at the very minimum the organisation is following relevant legislation.
Reviewed January 2019