Charlies House Childminding Privacy Policy – April 20th 2022
Data controller - Kayleigh Beard
Our contact details
Name: Charlies House Childminding and Nursery
Address: 352 Coggeshall rd, Braintree, Essex, CM7 9EH
Phone Number: 07833221793
E-mail: Charlieshousechildminding@live.com
The type of personal information we collect
We currently collect and process the following information:
· Personal identifiers, contacts, and characteristics (for example, name and contact details)
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
· Enquiries
· Addition to the waiting list
· Registering with the setting
· Purposes of legally caring for your children
We also receive personal information indirectly, from the following sources in the following scenarios:
· Other professionals and services involved with you and your family
We use the information that you have given us in order to provide quality personalised care and cover our legal obligations to Ofsted, HMRC, insurance companies, HSA and any other legal entity involved in safe running of the setting.
We may share this information with professionals or services involved with your family, emergency services.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
(a) Your consent. You are able to remove your consent at any time. You can do this by contacting Charlies House Childminding
(b) We have a contractual obligation.
(c) We have a legal obligation.
(d) We have a vital interest.
(e) We have a legitimate interest
How we store your personal information
Your information is securely stored.
For registered families - We keep name, address, telephone numbers and child accident forms until the child turns 21 years and 3 months old We will then dispose your information by deletion of digitally archived information.
For enquiries and waiting list that do not take up a space, your information is destroyed when we know you will not be taking a space.
Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at charlieshousechildminding@live.com, 07833221793, 352 Coggeshall road, Braintree, Essex, CM7 9EH if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at Charlieshousechildminding@live.com, 352 Coggeshall road, Braintree, Essex, CM7 9EH.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Annex A – taken from www.ico.org.uk
What is personal data?
- The UK GDPR applies to the processing of personal data that is:
- wholly or partly by automated means; or
- the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
- Personal data only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
- Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
- Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
- If personal data can be truly anonymised then the anonymised data is not subject to the UK GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
- Information about a deceased person does not constitute personal data and therefore is not subject to the UK GDPR.
- Information about companies or public authorities is not personal data.
- However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
What are identifiers and related factors?
- An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.
- A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context.
- A combination of identifiers may be needed to identify an individual.
- The UK GDPR provides a non-exhaustive list of identifiers, including:
- name;
- identification number;
- location data; and
- an online identifier.
- ‘Online identifiers’ includes IP addresses and cookie identifiers which may be personal data.
- Other factors can identify an individual.
Can we identify an individual directly from the information we have?
- If, by looking solely at the information you are processing you can distinguish an individual from other individuals, that individual will be identified (or identifiable).
- You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual.
- If an individual is directly identifiable from the information, this may constitute personal data.
Can we identify an individual indirectly from the information we have (together with other available information)?
- It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
- Even if you may need additional information to be able to identify someone, they may still be identifiable.
- That additional information may be information you already hold, or it may be information that you need to obtain from another source.
- In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of UK GDPR. You must consider all the factors at stake.
- When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.
- You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments).
What is the meaning of ‘relates to’?
- Information must ‘relate to’ the identifiable individual to be personal data.
- This means that it does more than simply identifying them – it must concern the individual in some way.
- To decide whether or not data relates to an individual, you may need to consider:
- the content of the data – is it directly about the individual or their activities?;
- the purpose you will process the data for; and
- the results of or effects on the individual from processing the data.
- Data can reference an identifiable individual and not be personal data about that individual, as the information does not relate to them.
- There will be circumstances where it may be difficult to determine whether data is personal data. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.
- Inaccurate information may still be personal data if it relates to an identifiable individual.