GDPR Policy (General Data Protection Regulation Policy)

Background

GDPR stands for General Data Protection Regulation and replaces previous Data Protection directives (Data Protection Act 1998). It was approved by the EU Parliament in 2016 and is effective as of 25th May 2018. GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individual data is not processed without their knowledge and is only processed with their ‘explicit’ consent (where it is not required either contractually or legally).

Wild Monkeys Childcare and GDPR

GDPR covers personal data relating to individuals. As a childcare provider Wild Monkeys Childcare Ltd (the company) is committed to protecting the rights and freedoms of individuals with respect to processing the personal data of children, parents, visitors and staff. This document sets out the company’s GDPR policy including information on data sharing, data security and data breach protocol.

This policy document has been prepared with due regard and consideration for the Information Commissioner’s Office (ICO) at: https://ico.org.uk/

The company is registered with the ICO under registration reference: ZA084863 and has been registered since 7th November 2014. Certificates are on display on boards across all Wild Monkeys Nurseries.

The company is a ‘Data Controller’ – A controller determines the purposes and means of processing personal data. (A processor is responsible for processing personal data on behalf of a controller.)

Valerie Wild is responsible for the company’s GDPR policy and data compliance.

GDPR is designed to protect personal data

GDPR is designed to protect individual rights in the following way:

1. The right to be informed
Parents need to be informed what data we are collecting, what we do with it and who it is shared with. The company has a legal and contractual right to collect and process certain types of data. For the collection or processing of any other types of data, such as photographs, we will seek active consent and also provide a suitable and accessible method for withdrawal of consent.

2. The right of access
Parents can request access to their own data at any time.

3. The right to rectification
Personal data must be rectified if it is incorrect or incomplete.

4. The right to erasure
Parents can request the deletion of their data where there is no compelling reason for its continued use. As a nursery we have guidelines on how long we need to retain certain records.

5. The right not to be subject to automated decision-making including profiling
The company does not use this type of process.

6. The right to restrict processing
Parents can object to the processing of their data; meaning their records can be stored but must not be used in any way other than mentioned above.

7. The right to object
Parents can object to their data being used for activities such as external marketing. The company does not pass on your data to a third-party for marketing purposes.

At any point a parent can make a request relating to their data and we will provide a response (within 1 month). If we have a lawful obligation to retain data (from Ofsted or the EYFS), we could refuse but we will inform you of the reasons for the rejection.

Individuals also have the right to lodge a complaint with the ICO. Full information about this is available at https://ico.org.uk/

Sharing Information

We only share information about our children and parents with those organisations with which we have a legal requirement to share data or other organisations, which allow us to run our business in a safe, efficient, and suitable manner.

Information is shared by the Company with the following organisations:

- Famly – parent app
- Local Education Authorities and Councils for obligations relating to Early Years and inclusion funding and any appropriate organisations required for administering childcare.
- iSEND - https://localoffer.eastsussex.gov.uk/privacy#PrivacyPolicy

These organisations are also registered with the ICO.

Data Security

Paper & digital copies of children’s and staff records are kept in a secure location at the company’s main setting. Other personal data is also stored at other nursery locations, where it is kept in locked cupboards. Members of staff can have access to these files, but information taken from the files about individual children is confidential. Apart from archiving or transport, these records remain on site at all times. These records are shredded after the retention period. The Company’s data archive is kept at a secure location at Wild Monkeys main setting.

Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children’s names, date of birth and sometimes address. These records are shredded after the relevant retention period.

The Company collects a large amount of personal data every year including names and addresses of those on waiting lists. These records are shredded if the child does not attend or added to the child’s file and stored appropriately if they do attend.

Upon a child leaving the Company and moving on to school or moving to another childcare setting, data held on the child may be shared with the receiving school or setting. Such information would be sent via post or email. This would be coordinated between the settings.

The company has a separate process for collecting personal data held visually in the form of photographs or video clips or sound recordings. Positive consent for the collection of this kind of data will be sought for children from their respective parent or guardian. Parents will also have the ability to easily withdraw their consent for this kind of data.

Access to all Company computers and other software accounts including email is password protected. When a member of staff leaves the company, these passwords are changed in line with this policy and our Safeguarding policy. Any portable data storage used to store personal data, e.g. USB memory sticks and external hard drives are password protected and/or stored in secure locations.

Data Retention

We hold information in our archive for the following amount of time, as per legal requirements:

As per GDPR requirements, data breach notification to the ICO is mandatory.

If any kind of data breach were to occur the Company staff are required to:

- Report certain types of personal data breach to the relevant supervisory authority (ICO). This must be done within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, inform those individuals without undue delay.
- Ensure we have robust breach detection, investigation, and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals.
- Keep records of any personal data breaches, regardless of whether you are required to notify.