Privacy and Data Protection Policy

Caroline Elizabeth Evans

Privacy Policy

I take your privacy seriously, and in accordance with the General Data Protection Regulation I commit to the following:

As part of my role in working with you I will be asking you for personal data about you and your child/ren in order to deliver my services to you. The type of data I collect will very much depend on the services you have contracted me for.

I must have a legal basis for collecting this data, and there are six lawful bases:

  1. Consent:

The individual has given clear consent for me to process their personal data for a specific purpose.

  2. Contract:

The processing is necessary for a contract you have with me, or because you have asked me to take specific steps before entering into a contract.

  3. Legal obligation:

The processing is necessary for me to comply with the law (not including contractual obligations).

  4. Vital interests:

The processing is necessary to protect someone’s life.

  5. Public task:

The processing is necessary for me to perform a task in the public interest or for my official functions, and the task or function has a clear basis in law.

  6. Legitimate interests:

The processing is necessary for my legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

I will be processing your data under the following bases: Contractual, Legitimate Interest and Consent.

Where I require consent, I will provide a way for you to positively make a decision about the information that you make available and how this is shared.    

This information will be collected by me, Caroline Evans, as part of my working relationship with you. I will be asking for this data either verbally or via email and recording it either in handwritten paper form or digitally. I may need to review the data with you at regular intervals to make sure that it is up to date. The data will be collected in order to fulfil my contractual obligations to you. Some of the data may be special category “sensitive” data and will be handled accordingly.

The information that I may require will be:

  • Child’s name
  • Child’s date of birth
  • Child’s age
  • Child’s address
  • Parents’ names, addresses, contact numbers
  • Who has parental responsibility for the child
  • Emergency contact names, addresses and contact number
  • Child’s doctor’s name and contact number
  • Health clinic/health visitor
  • Child’s NHS number
  • Any allergies/medical history/ requirements
  • Information about immunisations
  • Whether the child has any special educational needs or disabilities
  • Ethnic group
  • Religion
  • Home language
  • Specific information pertaining to any parenting issues that you are facing in relation to the services that you have contracted from me; at times this may include photographs or video clips.

Not all of the above data may be needed. The data I require will vary from client to client and will depend on the services that you use. For example, clients using my consultancy service would not be required to share emergency contact details with me; however, if I were acting in loco parentis then these would be required.

The data will only be used for the contracted purpose and will only be shared with others with your express permission unless there is a legal obligation for me to share any of the data with a third party – for example a child protection issue.

With your consent data may be shared, when necessary, with the following people:

  • Other professionals supporting your child, for example your childcare provider, health care professionals etc.
  • The local safeguarding children’s board or Social Services Referral and Assessment Team if I ever have any concerns about the safety of your child.
  • Contact details may be shared with agencies and/or other parents to receive a reference for my services with your express consent.
  • Written testimonials / letters of reference may be shared with clients and online (website etc) with any identifying features removed (names etc) unless I have your express consent to keep them in.

If you want to see a copy of the information I hold about you or your child then please contact me:

Tel: 0044 7708 108371 Email: caroline@carolineelizabethevans.com

I am required by law to keep some information after we have stopped working together. I am required to retain invoices and other contractual information for 10 years in line with my local tax organization. I am required to keep consultation notes for 7 years for insurance purposes, and I am legally obliged to retain incident or accident logs for 21 years and 5 months. After this time all data will be securely destroyed.

Please see my data protection policy below for further information on data sharing, safe storage and your rights to access your data.

 

Data Protection Policy

 

In order to provide a quality service to you and comply with legislation, I will need to request information from clients about themselves, their child and family. Some of this will be personal data.  

I take clients’ privacy seriously. Article 23 of the General Data Protection Regulation (GDPR) stipulates that we must only collect and hold data that is absolutely necessary for the completion of our duties and that it must be processed in accordance with the seven principles below:

  1. I must have a lawful reason for collecting personal data, and must do it in a fair and transparent way. I will be clear about what data I am collecting, and why.
  2. I must only use the data for the reason it is initially obtained. This means that I may not use a person’s data to market a product or service to them that is unconnected to the reasons for which they shared the data with me in the first place.
  3. I must not collect any more data than is necessary. I will only collect the data I need to hold in order to do the job for which I have collected the data.
  4. I will ensure that the data is accurate, and ask parents to check annually and confirm that the data held is still accurate.
  5. I will not keep data any longer than needed. I must only keep the data for as long as is needed to complete the tasks it was collected for.
  6. I must protect the personal data. I am responsible for ensuring that I, and anyone else charged with using the data, process and store it securely.
  7. I will be accountable for the data. This means that I will be able to show how I (and anyone working with me) am complying with the law.

Procedure (how I put the statement into practice)

The GDPR recognizes the need for compliance and accountability and as such I have put procedures into place to minimize data breaches and uphold the integrity of your data. I have determined which of the lawful bases allow me to retain your data, as outlined in my privacy policy, and I am recording all the necessary elements in a data register. All data processing activities are now undertaken with these aspects in mind.

I have registered with the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

I expect clients to keep private and confidential any sensitive information they may accidentally learn about me or my family, unless it is a child protection issue.

I will be asking clients for personal data about themselves and their child/ren in order to deliver the consultancy and childcare services I provide. This data is necessary for me to comply with my contractual obligations and to provide the best possible service.

Storage

I will keep all paper-based records securely locked in my office or when travelling they will be kept on my person or in a secure location.

Data kept electronically on my computer, externally or in cloud storage and on my smart phone, including digital photos or videos will be stored securely. My devices will be password protected and emails will be encrypted. You may wish to check that the data that you send to me is also sent securely, when returning my questionnaire for example which may contain sensitive data.

Backup files will be stored on protected external hard drives or memory sticks, which I will lock away when not being used. Firewall and virus protection software are in place.

Sensitive data will be stored securely and disposed of securely as soon as the retention period ends.

Clients have the right to inspect the data records I keep at any time. They will be provided without delay and no later than one month after the request, which should be made in writing. I will ask clients to regularly check that the data is correct and update it where necessary.

Information sharing

The data will only be used for the contracted purpose and will only be shared with others with your express permission unless there is a legal obligation for me to share any of the data with a third party – for example a child protection issue, or the tax office may request copies of my invoices, in which case it will have access to your name and address.

With your consent data may be shared, when necessary, with the following people:

  • Other professionals supporting your child, for example your childcare provider, health care professionals etc.
  • The local safeguarding children’s board or Social Services Referral and Assessment Team if I ever have any concerns about the safety of your child.
  • Contact details may be shared with agencies and/or other parents to receive a reference for my services with your express consent.
  • Written testimonials / letters of reference may be shared with clients and online (website etc) with any identifying features removed (names etc) unless I have your express consent to keep them in.

Record keeping

I keep a data register which outlines the data I collect, why it is collected, how it is stored and how long this data is retained for.

Certain personal data is retained during my accounting process.

For my childcare services:

I record all accidents on an appropriate form.

The appropriate organisations will be informed of any serious incident.

I will only share information if it is in a child’s best interests to do so. For example in a medical emergency I will share medical information with a healthcare professional. If I am worried about a child’s welfare I have a duty of care to follow the Local Safeguarding Children Board procedures and make a referral. Where possible I will discuss concerns with you before making a referral.

Data retention policy and Safe disposal of data

Some of the data I collect needs to be retained for a set period of time for legal or contractual reasons. The local tax authority requires me to keep contracts and invoices for 10 years, and consultation notes are retained for 7 years in line with the advice from my insurer. Accident or incident reports are retained for 21 years and 5 months in line with current guidelines.

Data will be disposed of in a secure manner as soon as it is no longer required (usually straight into the wood-burning stove!). Regular checks will be made to dispose of data.

Suspected breach

If I suspect that data has been accessed unlawfully, this will be investigated with due diligence and in a timely fashion. GDPR stipulates that if a breach has occurred, breach notification is mandatory where the data breach is likely to “result in a risk for the rights and the freedoms of individuals”. Where this is the case I will inform the relevant parties immediately and report to the Information Commissioner’s Office within 72 hours. I will keep a record of any data breach.

Your Rights  

The right to be informed – this is what my privacy policy is for and why it is written in simple language. Should you need further clarification on any part of these policies please do not hesitate to get in touch.

The right of access to personal data through subject requests – this means that you have the right to see the data that I collect about you, and I will provide this as soon as possible. This time frame should not exceed 1 month. Any request to see the data must be made in writing.

The right to rectification – you have a right to correct inaccurate personal data.

The right to erasure – this means that in certain cases you have the right to request that your data be erased should you feel it is no longer necessary for me to keep it, if you withdraw consent or if you feel the data has been unlawfully processed. You can exercise your right to erasure if there is no overriding reason for me to keep such data (including but not limited to the data retention periods for contractual / legal reasons).

The right to restrict processing – in certain circumstances a client may request that the data is no longer processed, but the data is still retained.

The right to object – in certain circumstances you have the right to object to data processing, in particular in relation to direct marketing. Your objection can be made verbally or in writing.

The right to data portability – you have the right to request to move data from one service provider to another.

Rights related to automated decision making including profiling

More detailed information on your rights can be found here:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

Should you wish to make a complaint regarding the way your data is collected or processed and are unable to come to a satisfactory conclusion with me, you can contact my supervising body. In the UK this is www.ICO.org.uk and in France www.CNIL.fr

For any further clarifications on this Data Protection policy do not hesitate to contact me.

 

Date policy written: 24.05.2019

Policy due for renewal: 24.05.2020

This policy supports the following safeguarding and welfare requirements: In England - Meeting the Early Years Foundation Stage Safeguarding and Welfare Requirements.

Data protection template provided by Pacey.org.uk in line with current GDPR guidelines 25 May 2018