DATA PROTECTION AND CONFIDENTIALITY POLICY

UPDATED: 28 JUNE 2026

 

Little Wonderland Nursery Ltd holds a significant amount of personal information about the children in its care, their families, and the people who work within it. This information is gathered to keep children safe, deliver high quality care and education, and meet our legal obligations. We take our responsibility to protect it seriously, and all staff are expected to handle information with care, discretion, and professionalism at all times.

 

Confidentiality is a legal and professional duty. This policy sets out how we ensure personal information is handled lawfully, securely, and respectfully in line with data protection law and good practice.

 

This policy applies to all staff, apprentices, students, volunteers, agency workers, and contractors. The duty of confidentiality applies at all times, both during and outside of working hours, and continues after employment or placement ends.

Care Inspectorate and Legal Framework

We follow the legal requirements set out in the Health and Social Care Standards and accompanying regulations regarding the information we must hold about registered children, their families, and the staff working in the setting.

 

In meeting these requirements, we:

  • Maintain accurate records and share information with parents, carers, relevant professionals, the Care Inspectorate, the police, social work services or health services where appropriate.
  • Promote a two-way flow of information with parents and carers, and with other providers where a child attends more than one setting.
  • Ensure records are accessible and available when required, even where stored securely off-site.
  • Ensure parents can access records relating to their own child, unless an exemption applies under data protection law.
  • Retain records for appropriate periods in line with our retention schedule, safeguarding requirements and legal obligations.
  • Comply with the Freedom of Information (Scotland) Act 2002 where applicable.

 

The setting is registered with the Information Commissioner's Office (ICO) as a data controller. This reflects our responsibility for the lawful processing, retention, disposal and security of personal information, and our duty to respond appropriately to any data breaches.

Confidentiality in Practice

Confidential information includes children's personal and health data, safeguarding records, family circumstances, staff records, financial information, and any conversations in which sensitive matters are discussed. It applies to information in all forms, including paper records, electronic records, photographs, videos, and spoken information.

 

We maintain confidentiality by:

  • Storing paper records securely in locked cabinets, with access limited to authorised staff only.
  • Storing electronic records on secure, password-protected systems, with role-based access that is reviewed regularly.
  • Sharing information only on a need-to-know basis. Information is never shared casually, with friends or family, or as part of conversations outside the setting.
  • Ensuring that parents have access to records relating to their own child, but not to those of any other child, unless sharing is lawful and appropriate.
  • Ensuring staff do not discuss personal information given by parents with other members of staff, except where it affects planning for a child's needs or welfare.
  • Ensuring that issues relating to staff employment remain confidential to those directly involved in personnel decisions.
  • Ensuring all staff, students, and volunteers understand that confidential information is only for use within the setting, or where sharing is necessary to support a child's best interests, meet legal duties, or protect a child from harm.
  • Ensuring staff, students, and volunteers are aware of and follow the setting's Social Networking Policy in relation to confidentiality.
  • Providing confidentiality and data protection training to all staff, students, and volunteers during induction and through regular refreshers.

 

Breaches of confidentiality are treated seriously and may result in disciplinary action, up to and including dismissal.

GDPR Compliance

In order to meet our requirements under the UK GDPR, we ensure:

  • Our privacy notices and consent documentation are easily accessible and written in clear, plain language.
  • Personal data is used only for the safe, operational, and regulatory requirements of running the nursery and is never shared or used for other purposes.
  • All staff understand that individuals have the right to access their records, and to have records amended or deleted where appropriate, subject to other legal obligations.
  • Staff understand and apply the relevant data protection principles when sharing or withholding personal information, including the processing conditions set out in the Data Protection Act 2018 and UK GDPR.
  • Staff understand that safeguarding of children is a lawful processing condition that permits the sharing of special category personal data without consent where there is good reason to do so, where gaining consent is not possible or would place a child at risk, or where timely sharing will enhance a child's safeguarding.

 

Safeguarding and Information Sharing

Confidentiality must never prevent staff from sharing information needed to protect a child. The safety and wellbeing of the child is paramount and overrides all other confidentiality commitments.

 

Information may be shared without consent where:

  • A child is at risk of significant harm.
  • Seeking consent is unsafe, not possible, or would delay action needed to protect the child.
  • Gaining consent would place the child at further risk.
  • A crime is suspected.

 

In such cases, information may be shared with the Child Protection Co-ordinator, Education Safeguarding Lead, social work services, the Care Inspectorate, health professionals, the police, or any other relevant agency involved in protecting the child. All decisions to share information must be proportionate, necessary, and recorded in writing. Parents are informed where it is safe and appropriate to do so.

 

Any concerns or evidence relating to a child’s personal safety must be kept in a secure, confidential file and shared with as few people as possible on a need-to-know basis. If a child is considered at risk, the setting’s safeguarding and child protection procedures will override confidentiality. 

Data Retention and Secure Disposal

We keep records only for as long as necessary for legal, regulatory, and safeguarding purposes.

 

Our retention schedule is as follows:

  • Child records, daily registers, parent consents and routine communications: 5 years after the child leaves the setting.
  • Accident, incident, medication and reportable injury records: kept in line with legal requirements, with some records relating to children retained until 21, 22 or 25 years of age, depending on the nature of the incident.
  • Safeguarding and child protection records (Chronologies): shared with the child's next setting or school where appropriate; a copy will be retained by Little Wonderland Nursery Ltd until the child reaches 25 years of age.
  • Personnel, payroll, financial and training records: usually 3 to 7 years, depending on the type of record.
  • Visitor signing-in records: retained as part of the child protection trail for an extended period where required.

 

Observation, planning and assessment records are kept in line with operational need and inspection requirements. Information relating to individual children may be passed to the next setting or school, or given to parents when the child leaves, where appropriate.

 

When retention periods expire, records are securely destroyed. Paper records are cross-shredded or disposed of as confidential waste, and electronic records are permanently deleted from all systems and devices.

Rights of Parents, Carers, and Staff

In line with UK GDPR, all individuals have the following rights in relation to their personal data:

  • Parents and carers may request access to records relating to their child at any time, unless an exemption applies under data protection law, for example where disclosure may place a child at risk.
  • Staff may request to see their own personnel file at any time.
  • Individuals may request that their records are corrected, updated, or deleted where appropriate.
  • Subject access requests are handled promptly in line with our legal obligations under UK GDPR.

Responsibilities

All staff, volunteers, and students are responsible for handling information with care and integrity in line with this policy. This is a condition of employment and placement.

 

The nursery manager is responsible for ensuring this policy is followed in daily practice, overseeing the correct handling of records, and ensuring staff are trained and compliant.

 

The Child Protection Co-Ordinator is responsible for decisions relating to the sharing of safeguarding information and for liaising with external agencies where necessary.

 

The Deputy Child Protection Co-Ordinator, or other named lead for children requiring extra support, is responsible for ensuring that records relating to children with additional support needs are accurate, confidential, and shared appropriately with parents and relevant professionals.

 

The data protection lead holds overall responsibility for GDPR compliance, subject access requests, data audits, retention schedules, and the reporting of any breaches to the ICO where required.

Breaches of This Policy

Any member of staff who misuses confidential information, whether deliberately or through negligence, will be subject to disciplinary investigation. Depending on the seriousness of the breach, this may result in disciplinary action up to and including dismissal.

Serious or deliberate breaches may also be reported to relevant external bodies where appropriate, including the Information Commissioner’s Office, the Care Inspectorate, the police, social work services, or the Scottish Social Services Council.

Monitoring and Review

This policy is reviewed annually, or sooner if there are changes in legislation, national guidance, Care Inspectorate requirements, or data protection law. Staff are reminded of this policy during induction and through ongoing supervision and training.

Policy Review Record

Reviewed By: Stacey Sneddon
Date: 26.6.26