GDPR Policy


Policy on Data Protection and the General Data Privacy Regulation 2018


The General Data Privacy Regulation (known as GDPR) comes into force in May 2018. This regulation provides a more comprehensive structure for requirements relating to an organisation’s receiving, handling, using and disposing of data, as well as the rights of individuals to their data. This policy sets out how Adventure Hyndburn implements these requirements. It applies to service users, volunteers and employees.

Requirement of staff

It is a requirement of all staff that they follow and meet the legal expectations of the regulation. Failure to do so could result in disciplinary action.

  1. Management responsibility. Supervision and oversight of the data protection policy and procedures will be the responsibility of the Personnel and Administrative Manager. Should this person not be available for consultation, short term or longer term, it will be the responsibility of the Operations Manager, directly or through delegation, to ensure that oversight and supervision are maintained.
  2. Staff training. Data protection is included as a section in the Employee Handbook, which all staff are required to read as part of their induction; staff sign to confirm that they have completed this task. The data protection section of the Handbook has been modified and refers to this policy. Data protection will form a component of the 7-minute briefs that update staff on a variety of topics. Staff who undertake a management role will have a specific session outlining their particular responsibility.
  3. Registration with ICO. Adventure Hyndburn is registered with the Information Commissioner’s Office as an organisation that processes personal data.
  4. Privacy notices. The organisation has modified the website and Facebook page to ensure that they outline our obligations relating to data and our compliance with the GDPR. We have inserted a section in relevant forms that outlines our commitment to GDPR and the rights of individuals. We have also produced a notice to be displayed in the reception areas of buildings and a leaflet / agreement that will be available to users, as well as given to parents whose children attend the nursery.
  5. Responding to requests – Adventure Hyndburn will respond to requests from people to access their information within one month of the request or sooner if possible. The process will involve:
  • Verification of the identity of the person applying
  • No charge will be made except in cases that are particularly complex or are repeat requests
  • Adventure Hyndburn will ensure that it does not disclose information that is the responsibility of third parties, but signpost users to the third party to request that they disclose that information. An example of this is letters from health professionals.
  • In rare instances where it is reasonable to judge that disclosure could result in harm to any individuals, information may be withheld, with the permission of the manager of the organisation.
  • Where we refuse to disclose or partially refuse to disclose, without undue delay and at the latest within one month, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.
  6. Correction of information. Information that an individual can clearly demonstrate is inaccurate will be immediately corrected or at most within one month. If the information has been disclosed to third parties, those third parties will be informed and the individual will be informed of the action taken in relation to third parties.
  7. Deletion of Information. Individuals will have the right to request that information is deleted from Adventure Hyndburn systems so long as the removal does not compromise the organisation’s legal responsibilities and legal processes such as Care Proceedings. In the event of the organisation refusing to delete, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.

Timescales for deletion / disposal of information

Information regarding children and families

  • The organisation will follow the same principles as schools and colleges in that information relating to their overall attendance, i.e. the Roll, will be maintained indefinitely
  • Personal records relating to the daily activities etc. will be deleted 6 years after they have left the provision
  • Exceptions to this would be information that related to possible legal requirements, such as any allegations of mistreatment or significant harm, significant accidents and consent forms, which will be kept until children reach the age of 21. Records relating to child protection matters will be kept until the child reaches the age of 25.

Information relating to staff and volunteers

All personal information would be disposed of after 6 years except the following which will be retained:

  • Outline of their period of employment / involvement and role as well as information that indicated levels of attendance
  • The outcome of their DBS checks
  • Their disciplinary record if that record related to any concerns that were communicated to the Disclosure and Barring Service
  • Any significant recorded allegation made by or involving the individual


Accident / Medical Records as specified by the Control of Substances Hazardous to Health will be kept for 40 years. Any accident / medical records relating to a significant injury that is reportable under RIDDOR (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations) will be kept for 3 years.

Meeting Minutes / Financial Information

Financial information and minutes of formal organisational meetings will be kept for 6 years.

  8. Appropriate collection. We are committed to ensuring that the data that we collect is the minimum that we need for our purposes. We will therefore audit our systems to ensure the data we collect is:

(a) the minimum data for legitimate business need and

(b) kept up-to-date.

  9. Appropriate disposal. Adventure Hyndburn will follow the guidelines that apply to retaining information, whether the information is financial, personal or professional. Our policy in relation to the disposal of information is to ensure that it is shredded either by members of staff or by contractors.
  10. Security – Paper Systems. Written information that contains personal details will be retained within locked drawers, cupboards and filing cabinets. Access to offices where information is stored is restricted to members of staff. Only members of staff who require access to data are able to access the filing systems within. Information that is stored longer term is also stored within a secure Cardex System.
  11. Security – Electronic Systems. Adventure Hyndburn operates several systems, each with built-in security. The iConnect system that contains information about Nursery Families is accessible only to members of staff. Families can access the information about their child, but not other children. Members of staff only have access to the information relating to the children they work with. All members of staff require a dedicated username and password to access any of the systems. Access to information will be on a “need to know” basis and is restricted to the manager responsible and worker/s directly working with a family. The general office system has sections such as Management Information where access is restricted to a small number of staff. The organisation uses an IT support company that has oversight of the system and ensures that all firewalls are effective and that data is protected with up-to-date software.
  12. Outsourcing. Any organisation which processes or manages data for Adventure Hyndburn is required to confirm their compliance with the General Data Privacy Regulations. In addition, permission will be sought before any such data is shared.

Review Date May 2021