Data Protection - Privacy Policy Statement

1998 (Security Number 10885256,Registration No. 22574291) All persons dealing with personal data must therefore follow the eight principles of “good information handling”, ensuring that:

  • Data is processed fairly and lawfully
  • Data is processed for specified purposes only
  • Data is adequate, relevant and not excessive
  • Data is accurate and up to date
  • Data is not retained for any longer than is necessary
  • Data is processed in accordance with the rights of individuals
  • Data is kept securely
  • Data is not transferred outside the European Economic Area unless the country can demonstrate adequate legal protection and security for that data.

Access to Information

Access to information within St. Luke’s Nursery will only be to the extent required by the task being undertaken and will also be restricted to those persons recognised by Nursery management as requiring such access to information in the course of their duties and responsibilities.

In the event of any breach of information security, no matter how minor, it must immediately be reported to Nursery Management to enable appropriate investigation and, if necessary a review of the adequacy of existing information security measures.

It is understood and accepted that all staff and other individuals have the right to access any personal information which is being processed or stored and is directly relevant to them.

Similarly, all parents, or where appropriate a person legally acting on a child’s behalf, have the right to access information held on computerised or manual records and which relates to themselves or their child.

This is commonly referred to as subject access, and is most often used by individuals who wish to see a copy of the information which an organisation holds about them. If an individual requests to see such data:

  • The request must initially be referred to Nursery management
  • There should be absolute clarity that the individual requesting sight of the data has the right to do so;
  • The individual must be told whether any personal data is being processed or stored;
  • The individual must be given a description of the personal data, the reasons it is being processed and/or stored, and whether the information will be, or has been given to any other organisation or persons;
  • The individual must be given a copy of the information;
  • The individual must be given details about the source(s) of the information;
  • The request must be dealt with within reasonable time limits but within 40 calendar days of a specific request, and the receipt of any appropriate fee.

(A fee of up to £10 may be charged to the individual making the information request to cover photocopying and postal charges)

Policy Review

This policy will be reviewed and updated annually in order to reflect best practice in information management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act (1998)