top of page

PRIVACY NOTICE AND DATA PROTECTION

 

Introduction

 

Whytebeams Nursery is registered with the UK Information Commissioners Office (ICO) reference number Z7870795. Whytebeams Nursery is the Data Controller for the purposes of the Data Protection Act. Personal data is protected in accordance with data protection laws and used in line with your expectations. This privacy notice explains what personal data we collect, why we collect it, how we use it, the control you have over your personal data and the procedures we have in place to protect it. When we refer to “we”, “us” or “our”, we mean Whytebeams.

 

Why we collect personal data and the legal basis for handling your data

 

The lawful basis on which we use this information: as reflected in Article 6 of the General Data Protection Regulation May 2018 which states ‘Processing shall be lawful only if and to the extent that processing is necessary for compliance with a legal obligation to which the controller is subject.’

 

  1. Pupil data is collected, stored and may be shared on a statutory basis as required by our local authority under the Education Act 1996. This is a ‘Legal Obligation’

  2. Pupil data collected on a voluntary basis and the legal basis for this is ‘consent.’

  3. For children with a specific medical condition we collect, keep and share data on the legal basis that it is part of our ‘contract.’

  4. We use parents’ email addresses to send invoices and important communications to them by email. The legal basis for this is that it is part of our ‘contract.’

 

We use personal data about you and your child in order to provide childcare and early education services and to fulfil the contractual arrangement you have entered into. This includes using your data in the following ways:

 

  1. to meet your child’s needs and support their wellbeing and development

  2. to effectively manage any special education, health or medical needs of children in our care.

  3. to carry out regular assessment of your child’s progress and to identify any areas of concern

  4. to monitor and report on children’s progress

  5. to contact you or another named person in the case of an emergency

  6. to process your claim for free childcare and early education, if applicable

  7. to send you information, emails, invoices and updates and respond to any questions you ask

  8. To ensure parent access to Tapestry

  9. To comply with our safeguarding duties.

  10. To assess the quality of our services and to enable us to raise standards.

  11. To comply with the law regarding data sharing.

  12. To meet statutory requirements to collect and provide information that the local authority require.

  13. To meet legal obligations under the EYFS Early Years Statutory Framework 2017 and Education Act 1996.

 

What information we collect

 

We do not share information about our children or families with anyone without consent unless the law or our policies allow us to do so. Whilst the majority of information you provide to us is mandatory and part of our contract with you, some of it is voluntary.  In order to comply with GDPR please note, information in italics can be given voluntarily and may be withdrawn or amended by emailing info@whytebeams.co.uk 

 

The categories of information that we process:

 

FILES - For each child we collect and store a file containing hardcopies of the following:

 

  • Personal information - collected via our enrolment form and completed by parents, such as: child’s name, date of birth, address, parent’s names and contact details, who has parental/legal responsibility, details of further family members such as siblings and ages, who lives at home, family circumstances and history, birth details, dietary and health requirements, medical and allergy,  information, diagnosed special needs, health care plans, immunisations, previous childhood diseases and illnesses, doctor’s name, address and contact details, name and telephone numbers of friends or relatives who may be contacted in an emergency and of other persons authorised to collect the child and collection password set by parents, other settings attended.

  • Characteristics - such as ethnicity, language, nationality, general information about the child – first language and other languages spoken at home.

  • Other agency information - if the child has been referred to any professional service or is under the care of other professionals (e.g. SALT, OT, Paediatrics).

  • Permissions – detailing what we have your permission for with regard to wipes, suncream, medication, creams, plasters, accompanying your child in an emergency, photos, videos, keeping EYFS records.

  • EYFSP - Early Years Foundation Stage Profile, including long observations, assessments, progress and development notes, 2-year progress check if applicable, Transfer Sheet.

  • Development reports – a report of a child’s age stage and development.

  • Attendance information - such as sessions attended, number of absences and reasons for absence.

  • Other information - such as the child’s start date, sessions and date they are expected to start school. Comments from parents/carers/professionals such as parental meetings, parent’s comments and keyworker notes.

  • SEN – notes are kept if children have special educational needs, and a SEND file may be created.

  • NHS letters - in relation to a child’s specific medical need or condition.

  • Family photos – if provided by parents.

 

This list is not exhaustive, but all information requested is required to best support the child.

 

 

 

 

 

Whytebeams children’s records will be:

 

  1. Collected, processed and stored in line with the data protection act 1998 and GDPR 2018.

  2. A positive record of the child’s achievements via the learning journey.

  3. An honest and accurate reflection of progress, development and challenges.

  4. An accurate record of relevant and required information in the child’s file.

  5. Confidential between the staff and the parents/carers and ultimately the next setting (except in safeguarding circumstances and during Ofsted inspections.)

  6. Handed to Ofsted as part of an inspection or investigation; they may also be handed to local authority staff conducting a S11 audit as long as authorisation is seen.

  7. Available to all those authorised to see them and make entries in them, this being the setting manager, deputy or designated safeguarding lead or deputy, the child’s key person and other key persons at the setting. Children’s personal files are not handed over to anyone else to look at.

  8. Available to the child’s parents/carer upon request.

  1. Kept safely in a locked cupboard or filing cabinet.

  2. Updated regularly with notes made the same day or as soon as reasonably possible.

  3. Forwarded to the child’s next setting.

For further details see our policies on Observation & Assessment, Tapestry and Privacy Notice.

 

Other information we collect:

 

  1. Incident, accident, notification of injury forms and behaviour logs

  2. Records of medication parents have given us consent to give to children whilst in our care

  3. Safeguarding and General Welfare logs and concerns and notes, if the family/child has an allocated social worker, if the child has a child protection plan or court order in place

  4. Attendance information such as sessions attended, number of absences and the reasons

  5. Complaints

Funding Forms, EYPP and DAF

 

The information on funding forms is collected for and shared with our Local Authority, Croydon Council, for the purpose of providing government funding and ascertaining eligibility. We collect the following information from parents via the ‘Croydon Free Entitlement Parental/Carer Agreement.’

 

  • Child’s name, date of birth, parents’ names, family address, number of funded weeks claimed per term, parents’ signatures.

  • For families receiving benefits: parents’ names, child’s date of birth, National Insurance numbers and or National Asylum Support Service Number (NASS). This may enable us to claim additional funding called EYPP (Early Years Pupil Premium.)

  • For children aged 3-4 in receipt of child Disability Living Allowance and claiming funding, the child’s DLA reference is requested so we may claim Disability Access Fund (DAF).

 

 

To claim funding, we collect and share the following personal data with our local authority at Croydon Council via their secure online portal.

 

  1. Child’s full name, date of birth, address, ethnicity, first language and gender.

 

Croydon Council are the data controller for all early years funding information. Croydon Council shares some of the information we provide with the Department for Education (DfE). Croydon Council’s Privacy Policy can be viewed at https://www.croydon.gov.uk/democracy/data-protection-freedom-information.

To find out more about the data collection by the DfE go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.

 

Who we share your data with

 

  1. Ofsted, during an inspection or when there has been a complaint about the childcare and early education service

  2. the local authority, if you claim up to 30 hours free childcare

  3. the governments eligibility checker as above, if applicable

  4. our insurance underwriter, where applicable

  5. ‘Tapestry’ to create your child’s learning journal

 

We will also share your data:

 

  1. if we are legally required to do so, for example, by a law enforcement agency, court

  2. to enforce or apply the terms and conditions of your contract with us

  3. to protect and care for your child and other children; for example, by sharing information with social services, the police and medical services such as the NHS.

  4. if it is necessary to protect our rights, property or safety or to protect the rights, property or safety of others.

  5. with the school or setting that your child will be attending, when they transfer, if applicable

  6. if we transfer the management of the setting out or take over any other organisation or part of it, in which case we may disclose your personal data to the prospective seller or buyer so that they may continue using it in the same way.

 

We will never share your data with any organisation to use for their own purposes.

 

Tapestry Records and Data

 

We use a secure software package called Tapestry which is an online learning journal of children’s progress. We send parents a link inviting them to join Tapestry and view and accept their terms and conditions. This enables parents to see their child’s learning journey and add their own notes, comments, and All About Me section. Staff input and upload observations, notes, photos and videos via Tapestry. Observations are then categorised under the EYFS framework and published or uploaded. Staff use this

 

 

data and their own knowledge to create development reports via Tapestry which enables staff to monitor children’s progress.

To see full details of Tapestry’s security and privacy use the following links: https://tapestry.info/privacy-policy.html

https://www.tapestry.info/security.html?_gl=1*m6gsam*_ga*Mzc3MTcxMDEwLjE2ODQyMzE3MDI.*_ga_YTD0612SQZ*MTY4NjA0NzI3MS4zLjAuMTY4NjA0NzI3MS4wLjAuMA..

 

What personal information we enter onto Tapestry:

 

  1. Child’s name, date of birth, parents’ names and email addresses, for the purpose of creating and sharing their child’s learning journal with them.

When children leave Whytebeams, our admin team download children’s learning journal as a PDF to their Tapestry account and inform parents it is ready. Parents can then view it or download. Once this has been done and after the child leaves, we make the account inactive unless parents have another child with us.  If the child moves to a setting which uses Tapestry the file may be transferred.

 

How do we protect your data?

 

We take the security of your personal data seriously. We have internal policies and strict controls in place to try to ensure that your data is not lost, accidentally destroyed, misused, or disclosed and to prevent unauthorised access. Where we engage third parties to process personal data on our behalf, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

 

Where do we store your data?

 

Data is held securely. We are a ‘pack away’ setting and rent our premises from St Antony’s Church. They are responsible for the overall security of the building. We have our own storage cupboards and lockable areas within the premises. We keep paper records in a locked filing cabinet and lockable cupboards. Laptops and iPads are password and pin protected and laptops have antivirus software. Confidential documents and data are kept in a locked filing cabinet within a locked room. Only the manager and deputy and owner have access to this.

 

Any data you provide to us electronically is stored on secure computers or servers located within the UK or European Economic Area. We may also store paper records in locked filing cabinets. Any third-party data processors will also store your data on secure servers which may be situated inside or outside the European Economic Area. They may also store data in paper files.

 

How long do we retain your data?

 

We retain your data in line with our retention policy and a summary is below:

 

  1. You and your child’s data, including registers are retained 3 years after your child no longer uses the setting, or until our next Ofsted inspection after your child leaves our setting.

 

  1. Medication records, accident and incident records are kept for longer according to legal requirements.

  2. Learning journeys are maintained by Tapestry after your child leaves and the account becomes inactive in line with their own policy and are available at your request.

  3. In some cases (child protection or other support service referrals), we may need to keep your data longer, only if it is necessary in order to comply with legal requirements. We will only keep your data for as long as is necessary to fulfil the purposes it was collected for and in line with data protection laws.

 

Data is destroyed securely once these periods have passed.

 

Staff, Volunteer, Work placement and Adults Working Alongside Children

 

Staff Records and data

 

As part of our obligations including safer recruitment, EYFS requirements, Safeguarding, GDPR and Continued Professional Development, staff records will be created and updated regularly. They are collated and kept in accordance with our Retention Policy and GDPR Checklist. Staff are provided with our GDPR checklist outlining what data we keep, why and how long for and what the lawful basis is. Staff will sign a statement acknowledging that we shared this information with them and are aware they can review this by arrangement. It is stored securely – please see ‘How we store your data.’

 

Staff information we collect and process

 

Name, address, date of birth, telephone number, next of kin in case of emergency, allergies/medical information, permissions and agreements, application form or CV, DBS certificate or number, references, annual statements of suitability and disclosure of any convictions, contact details and confidentiality agreements,  NI number and tax code, salary details, copies of examination and qualification certificates, training records, supervision records, agreements and annual appraisals, staff accident record, disciplinary and grievance records, and comments relevant to the staff member’s time with us such as an agreed time of or compassionate leave. Anything else relevant to their employment.

 

Individual staff records are marked confidential and stored in a locked filing cabinet, in a locked cupboard. Management and owners are the only keyholders.  

 

Volunteers, Work Experience and Work Placement Persons

 

Those volunteering, on work experience or working regularly alongside children complete a contact, confidentiality and agreement form which is kept securely in a locked filing cabinet whilst they are on placement or working with us.  It is destroyed when they leave or stop working with us. Their emergency contact details will be placed in our register in case of emergency for the term/s they are with us.

As the data will be collected via a form to be completed by the person requesting a placement, they will be aware of the data we are keeping and will be made aware of the lawful basis for this.

 

The personal data we collect and process for those volunteering or on work experience includes:

 

Name, address, date of birth, telephone number, next of kin in case of emergency, allergies/medical information, permissions and agreements, DBS certificate or number, if applicable, details of school, college or employer, course name, statements of suitability and disclosure of any convictions, confidentiality agreements, copies of examination and qualification certificates where applicable.

 

Requesting access to your personal data

 

Under data protection legislation, parents and pupils have the right to make a request access to information about them that we hold. This can be done by contacting Kate Searle, Nursery Administrator

at info@whytebeams.co.uk 

 

You also have the right to:

 

  1. request access to information about you that we hold including child records

  2. have your personal data rectified if it is inaccurate or incomplete

  3. request the deletion or removal of personal data where there is no evidence for its continued processing.

  4. to restrict our processing of your personal data e.g. Permitting storage, but no further processing.

  5. object to decisions being taken by automated means

 

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

 

Contact

If you would like to discuss anything in this privacy notice, please contact:

Kate Searle at : info@whytebeams.co.uk 

 

Last updated 1st December 2025

©2026 Whytebeams Nursery

Proudly created with Wix.com

bottom of page