GDPR stands for General Data Protection Regulation and replaces previous Data Protection directives (Data Protection Act 1998). It was approved by the EU Parliament in 2016 and is effective as of 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individual data is not processed without their knowledge and is only processed with their ‘explicit’ consent (where it is not required either contractually or legally).
GDPR covers personal data relating to individuals. As a childcare provider Hopscotch is committed to protecting the rights and freedoms of individuals with respect to processing the personal data of children, parents, visitors and staff.
This document sets out Hopscotch’s GDPR policy including information on data sharing, data security and data breach protocol.
This policy document has been prepared with due regard and consideration for the Information Commissioner’s Office (ICO) at:
Hopscotch is registered with the ICO under registration reference: Z2446768 and has been registered since 2nd December 2010. Certificates are on display on display boards across all Hopscotch nurseries.
Hopscotch is a ‘Data Controller’ – A controller determines the purposes and means of processing personal data. (A processor is responsible for processing personal data on behalf of a controller.)
Responsibility for Hopscotch’s GDPR policy and data compliance is shared by Senior Managers at Hopscotch Head Office. No specific Data Protection Officer has been appointed, since this is not a requirement for Hopscotch.
GDPR is designed to protect individual rights in the following way:
Parents need to be informed what data we are collecting, what we do with it and who it is shared with. Hopscotch has a legal and contractual right to collect and process certain types of data. For the collection or processing of any other types of data, such as photographs, we will seek active consent and also provide a suitable and accessible method for withdrawal of consent.
Parents can request access to their own data at any time.
Personal data must be rectified if it is incorrect or incomplete.
Parents can request the deletion of their data where there is no compelling reason for its continued use. As a nursery we have guidelines on how long we need to retain certain records.
Hopscotch does not use this type of process.
Parents can object to the processing of their data; meaning their records can be stored but must not be used in any way other than mentioned above.
Parents can object to their data being used for activities such as external marketing. Hopscotch does not pass on your data to a third-party for marketing purposes.
At any point a parent can make a request relating to their data and we will provide a response (within 1 month). If we have a lawful obligation to retain data (from Ofsted or the EYFS), we could refuse but we will inform you of the reasons for the rejection.
Individuals also have the right to lodge a complaint with the ICO. Full information about this is available at https://ico.org.uk/concerns/handling/
We only share information about our children and parents with those organisations with which we have a legal requirement to share data or other organisations, which allow us to run our business in a safe, efficient and suitable manner.
Information is shared by Hopscotch with the following organisations:
And any appropriate organisations required for administering childcare
These organisations are also registered with the ICO.
Paper copies of children’s and staff records are kept in a secure location at the Hopscotch Head Office.
Other personal data is also stored at various Hopscotch nursery locations where it is kept in locked filing cabinets. Members of staff can have access to these files but information taken from the files about individual children is confidential. Apart from archiving, these records remain on site at all times. These records are shredded after the retention period.
The Hopscotch data archive is kept at a secure location at Hopscotch Head Office.
Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.
Hopscotch collects a large amount of personal data every year including names and addresses of those on waiting lists. These records are shredded if the child does not attend or added to the child’s file and stored appropriately if they do attend.
Upon a child leaving Hopscotch and moving on to school or moving to another childcare setting, data held on the child may be shared with the receiving school or setting. Such information would be sent via post or email. This would be coordinated between the settings.
Hopscotch has a separate process for collecting personal data held visually in the form of photographs or video clips or sound recordings. Positive consent for the collection of this kind of data will be sought for children from their respective parent or guardian. Parents will also have the ability to easily withdraw their consent for this kind of data.
Access to all Hopscotch Office computers and other software accounts including email is password protected.
When a member of staff leaves the company these passwords are changed in line with this policy and our Safeguarding policy.
Any portable data storage used to store personal data, e.g. USB memory sticks and external hard drives are password protected and/or stored in secure locations.
We hold information in our archive for the following amount of time, as per legal requirements:
As per GDPR requirements, data breach notification to the ICO is mandatory
If any kind of data breach were to occur Hopscotch staff are required to:
Processing your application.
Please do not refresh your browser