Privacy Notice

What this Privacy notice is for

Responsibility for Data Protection

Why the Kindergarten needs to process personal data

Types of data processed by the Kindergarten

How the Kindergarten collects data

Who has access to personal data and who the Kindergarten shares it with

How long we keep personal data

Keeping in touch and supporting the Kindergarten

Your rights

Data accuracy and security

Queries and complaints



What this Privacy notice is for

This Notice provides information about how the Kindergarten will use personal data about individuals including: its staff; its current, past and prospective children; volunteers and parents, carers or guardians (referred to in this Notice as ‘parents’). This information is provided to you because Data Protection Law gives individuals rights to understand how their data is used. Staff, parents, and volunteers are all encouraged to read this Privacy Notice and understand the Kindergarten’s obligations to its entire community. This Privacy Notice also applies alongside any other information that the Kindergarten may provide about a particular use of personal data, for example when collecting data via an online or paper form. This Privacy Notice applies in addition to the Kindergarten’s other relevant terms and conditions, policies and procedures, including:

-Any contract between the Kindergarten and its staff and parents;

-The Kindergarten’s policy/procedure on taking, storing and using images of children;

-The Kindergarten’s retention of records policy;

-The Kindergarten’s safeguarding, and health and safety policies including as to how concerns or incidents are recorded; and

-The Kindergarten’s ITSM policies, including its ITSM policy, e-safety policy, and internet code of conduct.

Anyone who works for, or acts on behalf of the Kindergarten (including staff, volunteers, and service providers) should be aware of and comply with this Privacy Notice and the Kindergarten’s data protection policy which provides further information about how personal data about individuals will be used.

Responsibility for Data Protection

The Kindergarten has appointed Kate Lavender as Data Protection Officer, who will deal with all your requests and enquiries concerning the Kindergarten’s uses of personal data (see section on Your Rights below) and endeavour to ensure that all personal data is processed in compliance with the Kindergarten’s policies and Data Protection Law. The email address for queries concerning matters arising from this Notice is This email address is being protected from spambots. You need JavaScript enabled to view it.

Why the Kindergarten needs to process personal data

In order to carry out its ordinary duties to staff, children and parents, the Kindergarten needs to process a wide range of personal data about individuals as part of its daily operations. Some of this activity by the Kindergarten will be needed to fulfil the Kindergarten’s legal rights, duties or obligations – including those under a contract with its staff or parents of its children. Other uses of personal data will be made in accordance with the legitimate interests of the Kindergarten or the legitimate interests of another, provided that such interests are not outweighed by the impact on individuals and provided it does not involve special or sensitive types of data.

The Kindergarten expects that the following uses will fall within that category of its (or its community’s) ‘legitimate interests’:

  • For the purposes of confirming the identity of prospective children and their parents);
  • To provide care and education services to children and for monitoring children’s progress and care and educational needs
  • To meet the requirements of the EYFS;
  • Maintaining relationships with alumni, and the Kindergarten community including with its parents’ associations, including direct marketing or fundraising activity;
  • For the purposes of management, planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as tax, diversity or gender pay gap analysis);
  • To enable relevant authorities to monitor the Kindergarten’s performance and to intervene or assist with incidents as appropriate;
  • To give and receive information and references about past, current and prospective children;
  • To safeguard children’s welfare and provide appropriate care;
  • To monitor (as appropriate) use of the Kindergarten’s IT and communication systems in accordance with the Kindergarten’s use of email, the internet and social media policy, which can be found in the Policies Folder;
  • To make use of photographic images of children in the Kindergarten’s publications, on the Kindergarten’s website and, where appropriate on the Kindergarten’s social media channels in accordance with the Kindergarten’s policy/procedure on taking, storing and using images of children;
  • To carry out or cooperate with any Kindergarten or external complaints, disciplinary or investigation process; and
  • Where otherwise reasonably necessary for the Kindergarten’s purposes, including to obtain appropriate professional advice and insurance for the Kindergarten. To assess and make decisions on applications for the Free Places Programme.

In addition, the Kindergarten will on occasion need to process special category personal data (for example, regarding health, ethnicity, religion) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons will include:

  • To safeguard children's welfare and provide appropriate (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual's medical condition or other relevant information where it is in the individual's interests to do so: for example for medical advice, for social protection, safeguarding, and cooperation with police or social services, for insurance purposes or to caterers or organisers of Kindergarten trips who need to be made aware of dietary or medical needs;
  • To provide educational services in the context of any special educational needs of a child;
  • To provide care and education in the context of any religious beliefs;
  • To make claims for funding;
  • In connection with employment of its staff, for example DBS checks, welfare, union membership or pension plans;
  • As part of any Kindergarten or external complaints, disciplinary or investigation process that involves such data, for example if there are SEN, health or safeguarding elements; or
  • For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.

Types of data processed by the Kindergarten

This will include by way of example:

  • names, addresses, telephone numbers, e-mail addresses and other contact details;
  • bank details and other financial information (e.g. about staff for purposes of payroll), including National Insurance numbers;
  • past, present and prospective children’s admissions and attendance (including information about any special needs), and learning journey at a previous and/or current setting;
  • personnel files, including in connection with academics, employment or safeguarding; where appropriate, information about individuals' health and welfare, and contact details for their next of kin;
  • references given or received by the Kindergarten about staff, and relevant information provided by previous settings and/or other professionals or organisations working with children;
  • correspondence with and concerning staff, children and parents past and present; and
  • images of children (and occasionally other individuals) engaging in Kindergarten activities, (in accordance with the Kindergarten’s policy on taking, storing and using images of children).

How the Kindergarten collects data

Generally, the Kindergarten receives personal data from the individual directly (including, in the case of children, from their parents). This may be via a form, or simply in the ordinary course of interaction or communication (such as email or written assessments). However, in some cases personal data will be supplied by third parties (for example another setting, or other professionals or authorities working with that individual); or collected from publicly available resources.

Who has access to personal data and who the Kindergarten shares it with

Occasionally, the Kindergarten will need to share personal information relating to its community with third parties, such as:

  • professional advisers (e.g. lawyers, insurers, PR advisers and accountants); government authorities (e.g. HMRC, DfE, police or the local authority); and
  • appropriate regulatory bodies e.g. OFSTED;
  • NHS services.

For the most part, personal data collected by the Kindergarten will remain within the Kindergarten, and will be processed by appropriate individuals only in accordance with policies and procedures (i.e. on a ‘need to know’ basis). Particularly strict rules of access apply in the context of:

  • healthcare plans, including medical record, held and accessed only by the Kindergarten’s staff and appropriate medical staff under their supervision, or otherwise in accordance with express consent; and
  • wellbeing or safeguarding files.

However, a certain amount of any relevant information for children with food allergies and medical conditions (e.g. asthma) will need to be provided to staff more widely in the context of providing the necessary care that the child requires. Likewise, a certain amount of any relevant information for children with SEN will need to be provided to staff more widely in the context of providing the necessary care and education that the child requires.

You are reminded that the Kindergarten is under a duty imposed by law and statutory guidance (including Keeping Children Safe in Education) to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity. This is likely to include file notes on personnel or safeguarding files, and in some cases referrals to relevant authorities such as Children’s Services or the police. For further information about this, please view the Kindergarten’s Safeguarding and Child Protection Policy.

Finally, in accordance with Data Protection Law, some of the Kindergarten’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the Kindergarten’s specific directions.

How long we keep personal data

The Kindergarten will retain personal data securely and only in line with how long it is necessary to keep the data for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary staff and personnel files and children’s files is up to 7 years following departure from the Kindergarten. However, incident reports and safeguarding files will need to be kept much longer, in accordance with specific legal requirements. For more information, please refer to the Kindergarten’s Information and Records policies.

If you have any specific queries about how our information and records policies are applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact Kate Lavender, data protection officer in writing by email on This email address is being protected from spambots. You need JavaScript enabled to view it. . However, please bear in mind that the Kindergarten will often have lawful and necessary reasons to hold on to some personal data even following such request.

A limited and reasonable amount of information will be kept for archiving purposes, for example; and even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact in order to fulfil your wishes (see section on Requests that cannot be fulfilled below).

Keeping in touch and supporting the Kindergarten

The Kindergarten will use the contact details of parents, alumni and other members of the Kindergarten community to keep them updated about the activities of the Kindergarten, or alumni and parent events of interest, including by sending updates and newsletters, by email. Unless the relevant individual objects, the Kindergarten will also:

  • Contact parents and/or alumni by email in order to promote the Kindergarten and its community;
  • Use tools to monitor the effectiveness of our communications with you, including email tracking (which, for example, records when an e-mail from us is opened).

Should you wish to limit or object to any such use, or would like further information about them, please contact the data protection officer, Kate Lavender in writing by email. You always have the right to withdraw consent, where given, or otherwise object to direct marketing or fundraising. However, the Kindergarten is nonetheless likely to retain some of your details (not least to ensure that no more communications are sent to that particular email).

Your rights

Individuals have various rights under Data Protection Law to access and understand personal data about them held by the Kindergarten, and in some cases to ask for it to be erased or amended or have it transferred to others, or for the Kindergarten to stop processing it – but subject to certain exemptions and limitations.

Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, or who has some other objection as to how their personal data is used, should put their request in writing by email to the data protection office at This email address is being protected from spambots. You need JavaScript enabled to view it. .

The Kindergarten will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits (which is one month in the case of requests for access to information).

The Kindergarten will be better able to respond quickly to smaller, targeted requests for information. If the request for information is manifestly excessive or similar to previous requests, the Kindergarten may ask you to reconsider, or require a proportionate fee (but only where Data Protection Law allows it).

Requests that cannot be fulfilled

You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals (and parents need to be aware this may include their own children, in certain limited situations – please see further below), or information which is subject to legal privilege (for example legal advice given to or sought by the Kindergarten, or documents prepared in connection with a legal action). The Kindergarten is also not required to share any confidential reference given by the Kindergarten itself for the purposes of the education, training or employment of any individual.

You may have heard of the "right to be forgotten". However, the Kindergarten will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing your (or your child's) personal data such as, for example, to comply with a legal requirement, or where it falls within a legitimate interest identified in this Privacy Notice. All such requests will be considered on their own merits.

Child requests

Children can make subject access requests for their own personal data, provided that, in the reasonable opinion of the Kindergarten, they have sufficient maturity to understand the request they are making (see section Whose Rights? below). A child of any age may ask a parent or other representative to make a subject access request on his/her behalf.

Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger child, the law still considers the information in question to be the child’s. For older children, the parent making the request may need to evidence their child's authority for the specific request.

Parental requests, etc.

information requests are handled. Parents may not have a statutory right to information, but they and others will often have a legitimate interest or expectation in receiving certain information about children without their consent. The Kindergarten may consider there are lawful grounds for sharing with or without reference to that child.

Parents will in general receive educational and wellbeing updates about their children. Where parents are separated, the Kindergarten will in most cases aim to provide the same information to each person with parental responsibility, but may need to factor in all the circumstances including the express wishes of the child.


Where the Kindergarten is relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to similar age considerations as above). Examples where we do rely on consent are: for example, certain types of uses of images and certain types of fundraising activity. Please be aware however that the Kindergarten may not be relying on consent but have another lawful reason to process the personal data in question even without your consent. That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual (e.g. an employment or parent contract.

Whose right?

The rights under Data Protection Law belong to the individual to whom the data relates. However, the Kindergarten will often rely on parental authority or notice for the necessary ways it processes personal data relating to children – for example, under the parent contract, or via a form. Parents and children should be aware that this is not necessarily the same as the Kindergarten relying on strict consent (see section on Consent above).

In general, the Kindergarten will assume that children’s consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the child's activities, progress and wellbeing, and in the interests of the child's welfare. That is unless, in the Kindergarten's opinion, there is a good reason to do otherwise.

However, where a child seeks to raise concerns confidentially with a member of staff and, in the Kindergarten's opinion, there is a good reason to share information; for example where the Kindergarten believes disclosure will be in the best interests of the child or other children, or if required by law; the information will be shared as relevant.

Parents are required to respect the personal data and privacy of others, and to comply with the Kindergarten’s Policies and Procedures. Staff are under professional duties to do the same covered under the relevant staff policy and code of conduct.

Data accuracy and security

The Kindergarten will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify the Kindergarten of any significant changes to important information, such as contact details, held about them.

An individual has the right to request that any out-of-date, irrelevant or inaccurate or information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law); please see above for details of why the Kindergarten may need to process your data and of who you may contact if you disagree.

The Kindergarten will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to Kindergarten systems. All staff and volunteers will be made aware of these policies and their duties under Data Protection Law and receive relevant training.

This privacy notice

The Kindergarten will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.

Queries and complaints

Any comments or queries on this Notice should be directed in writing to Kate Lavender, the compliance manager, by email on This email address is being protected from spambots. You need JavaScript enabled to view it.

If an individual believes that the Kindergarten has not complied with this Privacy Notice or acted otherwise than in accordance with Data Protection Law, they should utilise the Kindergarten’s Complaints Policy and should also notify the data protection officer in writing by email. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with the Kindergarten before involving the regulator.