top of page


Whytebeams Nursery is registered with the UK Information Commissioners Office (ICO)
reference number Z7870795. Whytebeams Nursery is the Data Controller for the purposes of
the Data Protection Act. Personal data is protected in accordance with data protection laws and
used in line with your expectations. This privacy notice explains what personal data we collect,
why we collect it, how we use it, the control you have over your personal data and the
procedures we have in place to protect it. When we refer to “we”, “us” or “our”, we mean
Why we collect personal data and the legal basis for handling your data
The lawful basis on which we use this information : as reflected in Article 6 of the General Data
Protection Regulation May 2018 which states ‘Processing shall be lawful only if and to the extent
that processing is necessary for compliance with a legal obligation to which the controller is
 Pupil data is collected, stored and may be shared on a statutory basis as required by our
local authority under the Education Act 1996. The legal basis is ‘Legal Obligation’
 Other pupil data and information is collected on a voluntary basis and the legal basis for
this is ‘consent.’
 For children with medical conditions or allergies we collect, keep and share data and the
legal basis that it is part of our ‘contract.’
 We collect and use parent’s contact details and legal basis for this is that it is part of
our ‘contract.’
We use personal data about you and your child in order to provide childcare and early education
services and to fulfil the contractual arrangement you have entered into. This includes using
your data in the following ways:
• to meet your child’s needs and support their wellbeing and development
• to effectively manage any special education, health or medical needs of your child whilst at
the setting.
• to carry out regular assessment of your child’s progress and to identify any areas of concern
• to monitor and report on children’s progress.
• to contact you or another named person in the case of an emergency.
• to process your claim for free childcare and early education, if applicable.
• to send you information, emails, invoices and updates and respond to any questions you ask.
• To ensure parent access to Tapestry.
• To comply with our safeguarding duties.
• To assess the quality of our services and to enable us to raise standards.
• To comply with the law regarding data sharing.
• To meet statutory requirements to collect and provide information that the local authority
• To meet legal obligations under the EYFS Early Years Statutory Framework 2017 and
Education Act 1996.

What information we collect
Initially we may collect information via our contact form on our website or by email. Our primary
method of collecting data is via our enrolment form and upon a child’s start via Tapestry. We do
not share information about our children or families with anyone without consent unless the law
or our policies allow us to do so. Whilst the majority of information you provide to us is
mandatory and part of our contract with you, some of it is voluntary. In order to comply with
GDPR please note, information in italics can be given voluntarily and may be withdrawn or
amended by emailing
The categories of information
Child Records - For each child we collect and store a file containing hardcopies of the following
 Personal information - collected via our enrolment form and completed by parents, such
as: child’s name, date of birth, address, parent’s names and contact details, who has
parental/legal responsibility, details of further family members such as siblings and
ages, who lives at home, family circumstances and history, birth details, dietary and
health requirements, medical and allergy, information, diagnosed special needs, health
care plans, immunisations, previous childhood diseases and illnesses, doctor’s name,
address and contact details, name and telephone numbers of friends or relatives who
may be contacted in an emergency and of other persons authorised to collect the child
and collection password set by parents, other settings attended or childminders or
 Characteristics - such as ethnicity, language, nationality, general information about the
child – first language and other languages spoken at home.
 Other agency information - if the child has been referred to any professional service
or is under the care of other professionals (eg. SALT, OT, Paediatrics).
 Permissions – detailing what we have your permission for with regard to wipes, suncream,
medication, creams, plasters, accompanying your child in an emergency, photos, videos,
keeping EYFS records.
 EYFSP - Early Years Foundation Stage Profile, including long observations, assessments,
progress and development notes, 2 year progress check if applicable, Transfer Sheet.
 Development Tree – a visual depiction of a child’s age stage and development.
 Attendance information - such as sessions attended, number of absences and reasons
for absence.
 Other information - such as the child’s start date, sessions and date they are expected
to start school. Comments from parents/carers/professionals such as parental meetings,
parent’s comments and keyworker notes.
 SEN – notes are kept if children have special educational needs and a SEND file may be
 NHS letters - in relation to a child’s specific medical need or condition.
 Family photos – if provided by parents.
This list is not exhaustive but all information requested is required to best support the child.

Whytebeams children’s records will be:
 Collected, processed and stored in line with the data protection act 1998 and GDPR
 A positive record of the child’s achievements via the learning journey.
 An honest and accurate reflection of progress, development and challenges.
 An accurate record of relevant and required information in the child’s file.
 Confidential between the staff and the parents/carers and ultimately the next setting
(except in safeguarding circumstances and during Ofsted inspections.)
 Handed to Ofsted as part of an inspection or investigation; they may also be handed to
local authority staff conducting an audit as long as authorisation is seen.
 Available to all those authorised to see them and make entries in them, this being the
setting manager, deputy or designated safeguarding lead or deputy, the child’s key
person and other key persons at the setting. Children’s personal files are not handed
over to anyone else to look at.
 Available to the child’s parents/carer upon request.
 Kept safely in a locked cupboard or filing cabinet.
 Updated regularly with notes made the same day or as soon as reasonably possible
 Forwarded to the child’s next setting.
For further details see our policies on Observation & Assessment, Tapestry and Privacy Notice.
Other information we collect :
 Incident, accident, notification of injury forms and behaviour logs
 Records of medication parents have given us consent to give to children whilst in our
 Safeguarding and General Welfare logs, concerns and notes, if the family/child has an
allocated social worker, if the child has a child protection plan or court order in place.
 Attendance information such as sessions attended, number of absences and the reasons
 Complaints
Funding Forms, EYPP and DAF
The information on funding forms is collected for and shared with our Local Authority, Croydon
Council, for the purpose of providing government funding and ascertaining eligibility. We collect
the following information from parents via the ‘Croydon Free Entitlement Parental/Carer
 Child’s name, date of birth, parents’ names, family address, number of funded weeks
claimed per term, parents’ signatures.
 For families receiving benefits: parents’ names, child’s date of birth, National Insurance
numbers and or National Asylum Support Service Number (NASS).This may enable us to
claim additional funding called EYPP (Early Years Pupil Premium.)
 For children aged 3-4 in receipt of child Disability Living Allowance and claiming funding,
the child’s DLA reference is requested so we may claim Disability Access Fund (DAF).

To claim funding, we collect and share the following personal data with our local authority at
Croydon Council via their secure online portal.
 Child’s full name, date of birth, address, ethnicity, first language and gender.
Croydon Council are the data controller for all early years funding information. Croydon Council
shares some of the information we provide with the Department for Education (DfE). Croydon
Council’s Privacy Policy can be viewed at
To find out more about the data collection by the DfE go to
Who we share your data with
• the local authority, if you claim up to 30 hours free child care or during an audit.
• the governments eligibility checker as above, if applicable
• our insurance underwriter, where applicable
• Ofsted, during an inspection or when there has been a complaint about the childcare and
early education service.
• ‘Tapestry’ to create your child’s learning journal

We will also share your data:
• if we are legally required to do so, for example, by a law enforcement agency, court
• to enforce or apply the terms and conditions of your contract with us.
• to protect and care for your child and other children; for example, by sharing
information with social services, the police and medical services such as the NHS.
• if it is necessary to protect our rights, property or safety or to protect the rights,
property or safety of others.
• with the school or setting that your child will be attending, when they transfer, if
• if we transfer the management of the setting out or take over any other organisation or
part of it, in which case we may disclose your personal data to the prospective seller or
buyer so that they may continue using it in the same way.
We will never share your data with any organisation to use for their own purposes.
Tapestry Records and Data
We use a secure software package called Tapestry which is an online learning journal of
children’s progress. We send parents a link inviting them to join Tapestry and view and accept
their terms and conditions. This enables parents to see their child’s learning journey and add
their own notes, comments, and complete the ‘All About Me’ section. Staff input and upload
observations, notes, photos and videos via Tapestry. Observations are then categorised under
the EYFS framework and published or uploaded. Staff use this data and their own knowledge to

create a visual Development Tree which will is uploaded to Tapestry with the original kept in the
child’s paper file. This enables staff to monitor children’s progress.
To see full details of Tapestry’s security and privacy use the following links:*m6gsam*_ga*Mzc3MTcxMDEwLjE2ODQyMzE3
What personal information we enter onto Tapestry:
 Child’s name, date of birth, parents’ names and email addresses, for the purpose of
creating and sharing their child’s learning journal with them.
When children leave Whytebeams, our admin team download children’s learning journal as a PDF
to their Tapestry account and inform parents it is ready. Parents will receive a notification that
it is ready and can then view it or download it by a certain date. Once this has been done, the
child will be made ‘inactive’ and we make the parent account inactive unless parents have another
child with us. If parents do not download the file within the time set by Tapestry, they will be
issued a notification that the link has expired. We can request a reactivation but failure by
parents to download their child’s PDF will result in the account being made inactive for reasons
of data protection. If the child moves to a setting which uses Tapestry the file may be
How do we protect your data?
We take the security of your personal data seriously. We have procedures and safeguards in
place to help protect your personal information from being lost, accidentally destroyed, misused,
or disclosed and to prevent unauthorised access. Where we engage third parties to process
personal data on our behalf, they are under a duty of confidentiality and are obliged to
implement appropriate technical and organisational measures to ensure the security of data.
Where do we store your data?
We are a ‘pack away’ setting and rent our promises from St John the Baptist Church. They are
responsible for the overall security of the building. However, we have own own procedures and
security in place and regularly monitor security and report any concerns. We have our own
storage cupboards and lockable areas within the Church Hall. The church do not have keys or
access to these areas. We keep paper records in our own locked cupboards and filing cabinets.
Laptops and ipads are password and pin protected and laptops have antivirus software.
Confidential documents and data are kept in a locked filing cabinet within a locked cupboard.
Only the manager and deputy and owner have access to this.
Any data you provide to us electronically is stored on secure computers or servers located
within the UK or European Economic Area. We may also store paper records in locked filing
cabinets. Any third party data processors will also store your data on secure servers which may
be situated inside or outside the European Economic Area. They may also store data in paper
How long do we retain your data?

We retain the data we collect for different periods of time in line with our retention policy and
a summary is below:
• You and your child’s data, including registers are retained 3 years after your child no
longer uses the setting, or until our next Ofsted inspection after your child leaves our
• Medication records, accident and incident records are kept for longer according to legal
• Learning journeys are maintained by Tapestry after your child leaves and the account
becomes inactive in line with their own policy and are available at your request.
• In some cases (child protection or other support service referrals), we may need to keep
your data longer, only if it is necessary in order to comply with legal requirements. We
will only keep your data for as long as is necessary to fulfil the purposes it was collected
for and in line with data protection laws.
Data is destroyed securely once these periods have passed.
Requesting access to your personal data
Under data protection legislation, parents and pupils have the right to make a request access to
information about them that we hold. This can be done by contacting Kate Searle, Nursery
You also have the right to:
 request access to information about you that we hold including child records
 have your personal data rectified if it is inaccurate or incomplete
 request the deletion or removal of personal data where there is no evidence for its
continued processing.
 to restrict our processing of your personal data eg. Permitting storage, but no further
 object to decisions being taken by automated means
If you have a concern about the way we are collecting or using your personal data, we request
that you raise your concern with us in the first instance. Alternatively, you can contact the
Information Commissioner’s Office at
If you would like to discuss anything in this privacy notice, please contact:
Whytebeams Nursery, St John The Baptist Church Centre, 48 Dale Road, Purley, Surrey, CR8
Email :
Last updated June 2023

bottom of page