Privacy Policy

Privacy Policy & Procedure-General Data Protection Regulation 2017
  • Privacy Policy & Procedure-General Data Protection Regulation 2017 Rubadubs nursery Limited aims to fulfil its obligations under the General Data Protection Regulation (GDPR) 2017 to the fullest extent. This policy sets out our commitment to protecting personal data and how that commitment is implemented in respect of the collecting, processing, using and sharing of personal data.

    We have appointed a Data Protection Co-ordinator who is responsible for ensuring our compliance with the GDPR.

    Contact details are:

    Name: Colette Short

    Telephone: 0208 699 0782


    We are registered with the Information Commissioners Office (ICO) registration reference Al047352. All staff, volunteers (and committee) will undertake training in the GDPR and will be aware of their responsibilities in collecting, using and sharing data. We have a privacy notice that sets out the lawful basis for processing the data, the legitimate interests for the processing, individual’s rights and the source of the personal data. We have a process in place to record any data breaches and a form for reporting breaches to the ICO and any investigations. We have a policy in place for retention of documents and archiving them. We have an asset register in place to record different types of information and documentation that we hold. This is updated regularly. We also have a spreadsheet showing how information is processed, stored and shared.



    This provision is aware that data protection legislation applies equally to children and staff. Article 5 of the GDPR sets out the principles that we work to.

    • Data must be processed fairly, lawfully and in a transparent manner.
    • Data must only be obtained for specified and lawful purposes.
    • Data must be adequate, relevant and not excessive (limited to what is necessary).
    • Data must be accurate and up to date.
    • Data must not be kept for longer than necessary.
    • Data must be securely kept.


    We use the GDPR rights for individuals.

    • The right to be informed.
    • The right to access.
    • The right to rectification.
    • The right to erasure.
    • The right to restrict processing.
    • The right to data portability.
    • The right to object.
    • Right in relation to automated decision-making and profiling.


    The following procedures apply to information held about children. 

    1. Children’s records will be stored securely. Paper files are locked in cabinets in the provision’s office. Electronic files stored (laptops, tablets and hard drives are stored and locked away). Computers within the provision are kept secure with appropriate software to ensure maximum protection against ransom and malware, which is regularly updated. All data is securely backed up.
    2. Information that is shared is done securely using a secure email system or password protection of the document.


    The following procedures apply to information held about staff. 

    1. A copy of their personal data is sent to each member of staff in January each year. This applies to all data, whether held on a computer or as a hard copy.
    2. Members of staff are required to read this information carefully and inform the manager at the earliest opportunity If they believe that anything is inaccurate or untrue, or if they are dissatisfied with the information in anyway.
    3. Requests for additional access must be sent to the manager. Each request will be judged in light of the nature of the information in question and the frequency with which it is updated. The member of staff will then be informed whether or not the request is granted. In the event of a disagreement the matter will be taken up under the formal grievance procedure. 
    4. If a request for additional access is granted, the information will be provided within 30 days of the date of the request. A fee will not be charged to gain access to the data. However, we can charge a “reasonable fee” if a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.
    5. Data regarding staff Payroll is kept for 3 years after an employee leaves the company. Employee records (personal records, performance appraisals, employment contracts, etc.) are kept for 6 years after the employee leaves the company. All data of ex-employees are securely stored and locked away.


    The following procedures apply to any third parties that we are contracted with.

    We have contracts with the following organisations: 

    • TaylorCocks (Payroll company)
    • We have documents from each contractor confirming their compliance with GDPRE.
    • We have agreed safe sharing of information.
    • Confidentiality agreements are in place.