GDPR & CONFIDENTIALITY
At South Hill Park Pre-school we believe we are compliant with the General Data Protection Regulation (GDPR) 2018. The Manager, Deputy Manager, admin staff, and Trustees have all received GDPR training.
Before a child joins the Pre-school, parents/carers are required to complete admission forms. These forms are securely stored on the premises and include essential information such as:
Full names, addresses, and telephone numbers of parents/carers and the child.
At least one additional emergency contact.
Relevant medical details and other essential information that supports the child’s care.
It is essential that the admission forms are completed in full and that parents notify the Pre-school promptly of any changes to the information provided.
Paper records (e.g. enrolment forms, emergency contact details) are kept in locked cabinets.
Digital records (e.g. attendance, medical details) are stored on password-protected systems with limited access.
We maintain individual child records which may include:
Signed consent forms
Correspondence with families
Reports from meetings involving the child
Observations on confidential matters
Records of communication with parents/carers
Staff may occasionally use voice recorders to capture conversations with children, supporting the development of their ‘learning and development story’. These recordings are deleted immediately after transcription.
All records are stored securely in a locked cabinet and access is restricted to staff on a ‘need to know’ basis. Where confidential matters are brought to the Committee’s attention, identifying details of the child and family are withheld unless:
There is a legal obligation to disclose the information (e.g. under child protection laws or a court order).
The safety or well-being of the child or others is at risk and disclosure is necessary to protect them.
Consent has been given by the child’s parent/guardian for the information to be shared.
Disclosure is necessary for the Committee to perform its statutory functions effectively and all reasonable efforts have been made to maintain confidentiality where possible.
South Hill Park Pre-school is registered with the Information Commissioner’s Office (ICO) as a data controller. This registration permits us to store personal, financial and service-related information.
Parents have the right to access their own child’s records but cannot access information about any other child.
To request access:
A written request must be submitted.
The Pre-school will respond within 14 days.
Where third parties are mentioned, we will seek their written consent before disclosure.
If consent is withheld, the relevant information will be redacted.
A meeting will be arranged to discuss the file’s contents if needed.
Daily attendance is recorded and total session numbers are displayed within the premises.
Fire drills and accident records are maintained, with each incident signed by the staff member dealing with it and countersigned by the parent/carer.
Students are informed of the confidentiality policy and are required to follow it.
All Committee Trustees sign a confidentiality agreement upon joining.
Each child’s ‘learning and development story’ remains the property of their family. Parents are welcome to view and discuss the folder with their child’s Key Person.
When taken home, parents are responsible for the folder's safekeeping and must return it the next working day or upon request.
At Pre-school:
Folders are securely stored on site.
Staff may update notes at home but are prohibited from taking full personal data off site.
Staff agree to a confidentiality clause included in the staff handbook.
All photos are downloaded and printed only on the Pre-school’s computer.
Staff will have full child information when conducting home visits.
When a child leaves the Pre-school, their EYFS Transfer Record will be shared and discussed with the parent wherever possible before being passed to the next provider. If a parent wishes to view the record before it is sent, they must contact the Pre-school within 5 working days of leaving.
All visitors are asked to read our visitor requirements, which include information about privacy and confidentiality. They must sign to confirm they have read and understood these requirements.
Data breach incidents (e.g. lost files, misdirected emails) are logged and reported appropriately.
Personal records are kept only as long as necessary (e.g. per regulatory guidelines).
Outdated records are shredded or securely deleted (e.g. when a child leaves and after the required retention period).
During admissions, parents/guardians sign a permission form specifying how images of their child can or cannot be used (e.g. displays, website, Facebook).
Staff share information with outside agencies (e.g. speech therapists, health visitors) only with parental consent, unless there’s a safeguarding concern.
Privacy Notices
Parents receive a privacy notice when enrolling their child, explaining what data is collected, how it’s used and their rights.
Last reviewed June 2025