Home » Who We Are » GDPR Policy

GDPR Policy

General Data Protection Regulation Policy


GDPR stands for General Data Protection Regulation and replaces previous Data Protection directives (Data Protection Act 1998). It was approved by the EU Parliament in 2016 and is effective as of 25th May 2018.

GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individual data is not processed without their knowledge and is only processed with their ‘explicit’ consent (where it is not required either contractually or legally).

Hopscotch and GDPR

GDPR covers personal data relating to individuals. As a childcare provider Hopscotch is committed to protecting the rights and freedoms of individuals with respect to processing the personal data of children, parents, visitors and staff.

This document sets out Hopscotch’s GDPR policy including information on data sharing, data security and data breach protocol.

This policy document has been prepared with due regard and consideration for the Information Commissioner’s Office (ICO) at:


Hopscotch is registered with the ICO under registration reference: Z2446768 and has been registered since 2nd December 2010. Certificates are on display on display boards across all Hopscotch nurseries.

Hopscotch is a ‘Data Controller’ – A controller determines the purposes and means of processing personal data. (A processor is responsible for processing personal data on behalf of a controller.)

Responsibility for Hopscotch’s GDPR policy and data compliance is shared by Senior Managers at Hopscotch Head Office. No specific Data Protection Officer has been appointed, since this is not a requirement for Hopscotch.

GDPR is designed to protect personal data

GDPR is designed to protect individual rights in the following way:

  1. The right to be informed

Parents need to be informed what data we are collecting, what we do with it and who it is shared with. Hopscotch has a legal and contractual right to collect and process certain types of data. For the collection or processing of any other types of data, such as photographs, we will seek active consent and also provide a suitable and accessible method for withdrawal of consent.

  1. The right of access

Parents can request access to their own data at any time.

  1. The right to rectification

Personal data must be rectified if it is incorrect or incomplete.

  1. The right to erasure

Parents can request the deletion of their data where there is no compelling reason for its continued use. As a nursery we have guidelines on how long we need to retain certain records.

  1. The right not to be subject to automated decision-making including profiling.

Hopscotch does not use this type of process.

  1. The right to restrict processing

Parents can object to the processing of their data; meaning their records can be stored but must not be used in any way other than mentioned above.

  1. The right to object

Parents can object to their data being used for activities such as external marketing. Hopscotch does not pass on your data to a third-party for marketing purposes.

At any point a parent can make a request relating to their data and we will provide a response (within 1 month). If we have a lawful obligation to retain data (from Ofsted or the EYFS), we could refuse but we will inform you of the reasons for the rejection.

Individuals also have the right to lodge a complaint with the ICO. Full information about this is available at https://ico.org.uk/concerns/handling/

Sharing Information

We only share information about our children and parents with those organisations with which we have a legal requirement to share data or other organisations, which allow us to run our business in a safe, efficient and suitable manner.

Information is shared by Hopscotch with the following organisations:





  • Funding Loop
  • Local Education Authorities and Councils for obligations relating to Early Years and inclusion funding

And any appropriate organisations required for administering childcare

These organisations are also registered with the ICO.

Data Security

Paper copies of children’s and staff records are kept in a secure location at the Hopscotch Head Office.

Other personal data is also stored at various Hopscotch nursery locations where it is kept in locked filing cabinets. Members of staff can have access to these files but information taken from the files about individual children is confidential. Apart from archiving, these records remain on site at all times. These records are shredded after the retention period.

The Hopscotch data archive is kept at a secure location at Hopscotch Head Office.

Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.

Hopscotch collects a large amount of personal data every year including names and addresses of those on waiting lists. These records are shredded if the child does not attend or added to the child’s file and stored appropriately if they do attend.

Upon a child leaving Hopscotch and moving on to school or moving to another childcare setting, data held on the child may be shared with the receiving school or setting. Such information would be sent via post or email. This would be coordinated between the settings.

Hopscotch has a separate process for collecting personal data held visually in the form of photographs or video clips or sound recordings. Positive consent for the collection of this kind of data will be sought for children from their respective parent or guardian. Parents will also have the ability to easily withdraw their consent for this kind of data.

Access to all Hopscotch Office computers and other software accounts including email is password protected.

When a member of staff leaves the company these passwords are changed in line with this policy and our Safeguarding policy.

Any portable data storage used to store personal data, e.g. USB memory sticks and external hard drives are password protected and/or stored in secure locations.

Data Retention

We hold information in our archive for the following amount of time, as per legal requirements:

  • Staff Files 7 years
  • Records of complaints 5 years
  • Accident and incident forms 3 years
  • Children’s Information (incl. medical) 3 years
  • Attendance Registers 3 years
  • Nappy Rotas 6 months
  • Staff and Child sign-in registers 3 months

Data Breach Protocol

As per GDPR requirements, data breach notification to the ICO is mandatory

If any kind of data breach were to occur Hopscotch staff are required to:

  • Report certain types of personal data breach to the relevant supervisory authority (ICO). This must be done within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, inform those individuals without undue delay.
  • Ensure we have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals.
  • Keep records of any personal data breaches, regardless of whether you are required to notify.

Book a visit

Book a visit

We will be in touch to arrange a time for your visit.

You can find us here

Website by ThoughtShift