Personal data must be protected. 

This relates to any personal data processed using computers, as well as personal data contained within any kind of filing, including paper-based files.

GDPR defines personal data as:

“Any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The GDPR includes the following rights for individuals:

the right to be informed;

the right of access;

the right to rectification;

the right to erasure;

the right to restrict processing;

the right to data portability;

the right to object; and

the right not to be subject to automated decision-making including profiling.

The GDPR (General Data Protection Regulation) is concerned with respecting the rights of individuals when processing their personal information. This will be achieved by being open and honest with clients (children and parents) about the use of information about them and by following good data handling procedures. The regulation is mandatory and all organisations that hold or process personal data must comply.

The regulation contains 6 principles.

Personal data should be processed fairly, lawfully and in a transparent manner.

Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.

The data should be adequate, relevant and not excessive.

The data should be accurate and where necessary kept up to date.

Data should not be kept for longer than necessary.

Data should be kept secure.

The categories of children’s information that we process include:

personal identifiers and contacts (such as name, contact details and address, parents’ details, information on who can collect the child)

characteristics (such as ethnicity, home language)

safeguarding information (such as court orders and professional involvement)

special educational needs

medical needs (such as doctors’ information, child health, allergies, medication and dietary requirements)

attendance and fees (such as sessions attended, reasons for absence, fees owed and payments received)

behavioural information (such as sanctions, exclusions and any relevant alternative provision put in place)

Why we collect and use children’s information

We collect children’s and families’ information via registration forms and parent/clwb contracts, and updates via e-mail and letter. We also collect survey data every year.

We collect and use children’s information for the following purposes:

to support pupil learning through play

to monitor children’s wellbeing and progress

to provide appropriate pastoral care

to assess the quality of our services

to keep children safe (food allergies, medication, emergency contact details)

to meet the statutory duties placed upon us by CIW

to process payments and create invoices

How does Cymer Ofal comply with the regulation?

Cymer Ofal Cyf is the data controller of the personal information provided to the company. The person responsible for the data within the company is Rebecca Gibbs. To ensure its compliance to the Data Protection Act, Cymer Ofal will:

have a clear retention policy for handling personal data and ensure it is not held for longer than is necessary

ensure that all staff are aware of the retention policy and follow it

respond to subject access requests (sometimes called personal data requests) within one month

if there is a personal data breach that is likely to result in a risk to the rights and freedom of an individual, inform the ICO within 72 hours and, if the risk is deemed to be high, also inform the individual concerned.

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing children and families’ information are:

collecting and processing children and families’ information is necessary for the purposes of fulfilling the contract;

obtaining consent for taking and using photographs.

In addition, we will on occasion need to process special category personal data (concerning health, ethnicity, religion) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on us by law, including as regards safeguarding and employment, or by explicit consent when required. These reasons will include:

Condition a.) of GDPR – Article 9: The data subject has given explicit consent to the processing of personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

In relation to child safeguarding, employment of staff and DBS checks, condition d.): Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

For legal and regulatory processes (for example child protection and health and safety) and to comply with our legal obligations and duty of care, condition ): Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

To safeguard children’s welfare and provide appropriate medical care, and to take appropriate action in the event of an emergency, incident or accident, condition h.): Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Storing data

We hold pupil data securely for the set amount of time outlined in our Data Retention Schedule.

Children and families’ information is kept securely.

Information will not be kept for longer than is necessary.

While there is no set period of time set out within the GDPR, our Data Retention Policy sets out our established timeframe.

Records in relation to safeguarding concerns will also need to be kept in accordance with the Local Safeguarding Children Board’s requirements.

Where we are processing your personal data with your consent (e.g. photographs), you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know.

Sharing information

We do not routinely share clients’ information.

In accordance with our Confidentiality Policy and guidance from the Local Safeguarding Children’s Board, we share information with Social Services, CIW and the emergency services as required.

A client’s right to request their personal data

Under data protection legislation, parents/guardians and pupils have the right to request access to information about them that we hold.

You also have the right to:

to ask us for access to information about you that we hold

to have your personal data rectified if it is inaccurate or incomplete

to request the deletion or removal of personal data where there is no compelling reason for its continued processing

If a child wants to see their personal data, or a parent/guardian wants to see personal data about their child, they can make a Subject Access Request. A subject access request should be in writing and include:

full name, address and contact details

any information used by the organisation to identify the child or family (account numbers, unique ID’s etc.)

details of the specific information required and any relevant dates.

what is being asked for: information, withdrawal of consent, request to delete etc.

Cymer Ofal will respond to Subject Access Requests within the one-month timeframe stipulated by GDPR legislation. Fees may only be required for Subject Access Requests under GDPR if the requests are “manifestly unfounded or excessive”.

If Cymer Ofal refuses a request, we must inform the individual within one month:

why we have refused the request

that the individual has the right to complain to the supervisory authority and to a judicial remedy.