Privacy Policy - Information Security Policy

Data Protection-Information Security Policy

The Management and Staff of St.Luke’s Pre-school Nursery are committed to protecting and promoting the welfare of young children.

To operate effectively, St.Luke’s Pre-school Nursery needs to collect and use information about staff, children and parents who come into the Nursery. St.Luke's is also obliged to collect and use personal information in order to satisfy its obligations to Ofsted and other regulatory bodies.

In the collection, storage and use of this information, St.Luke’s Pre-School Nursery recognises its responsibility to comply with the Data Protection Act 1998, which regulates the use of personal data.

This responsibility is not restricted to sensitive data but applies to all data, including name and address lists.

The Data Protection Act (1998)

The Act establishes very high standards for the handling of personal information, thereby protecting individual rights to privacy. The act regulates how personal information is collected, handled, stored and used and applies equally to personal information held both electronically and on paper.

St. Luke’s Pre-school Nursery has notified the Information Commission that it holds personal data about individuals  and consequently is registered under the Data Protection Act 1998 (Security Number 10885256,Registration No. 22574291) All persons dealing with personal data must therefore follow the eight principles of “good information handling”, ensuring that:

  • Data is processed fairly and lawfully
  • Data is processed for specified purposes only
  • Data is adequate, relevant and not excessive
  • Data is accurate and up to date
  • Data is not retained for any longer than is necessary
  • Data is processed in accordance with the rights of individuals
  • Data is kept securely
  • Data is not transferred outside the European Economic Area unless the country can demonstrate adequate legal protection and security for that data.

Access to Information

Access to information within St. Luke’s Nursery will only be to the extent required by the task being undertaken and will also be restricted to those persons recognised by Nursery management as requiring such access to information in the course of their duties and responsibilities.

In the event of any breach of information security, no matter how minor, it must immediately be reported to Nursery Management to enable appropriate investigation and, if necessary a review of the adequacy of existing information security measures.

It is understood and accepted that all staff and other individuals have the right to access any personal information which is being processed or stored and is directly relevant to them.

Similarly, all parents, or where appropriate a person legally acting on a child’s behalf, have the right to access information held on computerised or manual records and which relates to themselves or their child.

This is commonly referred to as subject access, and is most often used by individuals who wish to see a copy of the information which an organisation holds about them. If an individual requests to see such data:

  • The request must initially be referred to Nursery management
  • There should be absolute clarity that the individual requesting sight of the data has the right to do so;
  • The individual must be told whether any personal data is being processed or stored;
  • The individual must be given a description of the personal data, the reasons it is being processed and/or stored, and whether the information will be, or has been given to any other organisation or persons;
  • The individual must be given a copy of the information;
  • The individual must be given details about the source(s) of the information;
  • The request must be dealt with within reasonable time limits but within 40 calendar days of a specific request, and the receipt of any appropriate fee.

(A fee of up to £10 may be charged to the individual making the information request to cover photocopying and postal charges)

Policy Review

This policy will be reviewed and updated annually in order to reflect best practice in information management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act (1998)