Principle and statement of intent
The GDPR (General Data Protection Regulation) came into effect on 25 May 2018 and replaced the Data Protection Act 1998. Bumbles Day Care is fully committed to complying with the new regulations, and we have undertaken a review and assessment of our processes and procedures to ensure we are fully accountable.
In order to comply with HSST minimum standards, Bumbles Day Care needs to gather and process relevant information (data) about staff, parents, children, professionals and others (data subjects) involved in the day-to-day running of the group. This will be done in accordance with the principles specified in the procedures in this policy. A designated person (data controller) will decide what information is required and how it is obtained. This information will be handled by a person or persons (data processors) acting on the instructions of the data controller and in accordance with the procedures and principles of GDPR. Our Management Team monitors compliance with the GDPR and other data protection laws via our data protection policies, awareness-raising, training and audits within Bumbles Day Care. As a small organisation we have not appointed a specific Data Protection Officer.
By adhering to this policy, Bumbles Day Care will ensure that personal data is processed fairly and lawfully and collected for specified, explicit and legitimate purposes. This applies to data held on paper and by electronic means. Bumbles Day Care recognises its responsibility to ensure that all persons acting on behalf of the group are made aware of this policy and receive necessary training.
Data collection and processing
To comply with the law Bumbles Day Care collects and stores information relating to individuals and in doing this we comply with GDPR principles. Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is not compatible with these purposes; further processing for archiving purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability – How we comply with General Data Protection legislation
Only relevant personal data will be collected. The person(s) from whom it will be collected will be informed of its uses and of any possible disclosures that may be made. Our registration forms have been reviewed and include our Privacy Statement.
Any updates or amendments to the information we hold for individuals must be notified to us by email to – email@example.com.
Every member of staff is a data processor and is therefore accountable. They must be aware of and follow GDPR rules.
Manual data will be stored in a secure place only accessible to those with a legitimate reason to view or use that data.
Electronic data will be protected by password. For computers connected to the internet, a firewall system is used and the monitors are positioned to ensure that information is not visible to a casual observer.
Sensitive personal data, e.g. medical records/child protection records/interview material will be stored using a coding system and access will be strictly limited (on a need to know basis) and recorded.
When a Processor is used to handle data on behalf of Bumbles Day Care, we will have a written contract that sets out both parties' responsibilities and liabilities, requires the processor to take appropriate measures to ensure the security of processing, and obliges it to assist the controller in allowing individuals to exercise their rights under the GDPR.
Data Security Breach
We have procedures in place to manage any data security breach and/or personal data breach.
The Management Team will be notified and will follow GDPR guidelines on assessing, managing and reporting to the ICO/DPC (Information Commissioner's Office/Data Protection Commissioner).
Bumbles Day Care is committed to creating and improving our security features on an ongoing basis.
The consent of the data subject will be obtained before Bumbles Day Care discloses personal information to any organisation or individual.
All requests for disclosure will be in writing and telephone enquiries advised accordingly.
In cases of child protection, the law requires the disclosure of information without consent to relevant Social Services personnel and P.S.N.I. officers.
If a request for information relating to child protection is received by telephone, steps should be taken to ensure that such information is disclosed only to identifiable personnel (i.e. seek verification of identity) and only if the individual is entitled to receive that information (authorisation).
It is advisable to disclose such information only to those known to be involved in child protection. If doubt exists, ask the enquirer to route the enquiry through a known channel. Always call an enquirer back, and be very alert if the number given is a mobile telephone number.
Requests from parents for a printed list of children’s names and addresses will be politely refused.
Personal data (including images) will not be used in newsletters, websites or other media without the consent of the data subject.
A record will be kept of any data disclosed so that the recipient can be informed should data be updated or amended at a later date.
The Data Controller(s) will review personal data regularly and delete information which is no longer required.
The Data Controller(s) will keep a deletion file and record the type of deletion and the date on which it occurred.
The Data Controller(s) will seek advice from the Labour Relations Agency before deleting information regarding the recruitment and selection of employees.
The Data Controller(s) will not delete information relating to accidents on the premises or child protection issues until the required statutory period has expired.
GDPR Individual Rights
- The right to be informed.
- The right of access.*
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The right not to be subject to automated decision-making including profiling.
Bumbles Day Care will request an email sent to firstname.lastname@example.org for any information requests or changes in respect of any of these individual rights. On receipt of an email we will respond without undue delay and at the latest within one month of receipt.
If a request is excessive or complex and we need more time to respond we will notify the individual within one month and explain the reason for delay.
If we are unable to comply with a request (for legal reasons), we will notify the individual without undue delay and at the latest within one month of receipt, giving our reasons.
We reserve the right to charge an administration fee for any requests that are excessive or complex. We will advise the fee and our reasons for charging without undue delay and at the latest within one month of receipt.
* In the event of a request for access, where there is a child protection issue, Social Services/Gateway must be made aware that the parent/carer has requested this information.
GLOSSARY OF TERMS USED IN GENERAL DATA PROTECTION REGULATION
- Data: Any information relating to a data subject: e.g. child, parent/carer, staff, management.
- Data Subject: The person to whom the information relates: e.g. child, parent/carer, staff, management.
- Data Controller: Bumbles as a separate entity is the Data Controller. However, responsibility for data protection matters is delegated to an individual, e.g. the Manager. The Data Controller, acting in accordance with GDPR principles, decides how the required information will be obtained, processed, stored, updated, disclosed and disposed of.
- Data Processor: Processes data on the instructions of the Data Controller.
- Data Protection Officer: In the case of Bumbles Day Care, members of the Management Team assume the role of the Data Protection Officer – responsible for understanding the GDPR rules and ensuring that our setting is compliant.
- ICO: Information Commissioner's Office – the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Data Security Breach
Article 5 of the GDPR concerns the ‘integrity and confidentiality’ of personal data. One of the principles states that personal data shall be:
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”
Following GDPR guidelines, at Bumbles Day Care we have procedures and systems in place to ensure that how we manage and store data is compliant with GDPR principles. This policy details the procedures we will follow in the event that we experience a data security breach.
A data security breach is considered to be any loss of, or unauthorised access to, Bumbles data, normally involving personal or confidential information held on behalf of our parents, staff and/or volunteers. A data security breach is considered gross misconduct if a member of staff is found to be responsible, and would be handled with appropriate disciplinary action following investigation.
Data security breaches include:
- The loss or theft of data, or of equipment on which data is stored by Bumbles Day Care, e.g. tablet, folder, laptop, phone.
- Inappropriate access controls allowing unauthorised use – we have a clear desk policy, and any cabinets holding personal data must be kept locked.
- Human error, e.g. information sent to the incorrect recipient (check email addresses).
- Hacking attacks – anti-virus software is in place and kept current.
- Information obtained by deception (know who you are talking to).
Data security breaches will vary in impact and risk depending on the content and quantity of data involved, the circumstances of the loss and the speed of response to the incident. If the data security breach is considered substantial, then the appropriate authorities will be contacted.
Managing a Data Security Breach
The following procedure outlines the main steps in managing a breach and will help ensure that all breaches are dealt with effectively and efficiently. This procedure outlines the stages which should be completed following the initial containment of the breach. The individual stages may run concurrently.
Security Breach Procedure
Containment and recovery: as soon as a data security breach has been detected or is suspected, the following steps should be taken:
- Identify who should lead on investigating and managing the breach.
- Establish who should be aware of the breach.
- Identify and implement any steps required to contain the breach.
- Identify and implement any steps required to recover any losses and limit the damage of the breach.
- If appropriate, inform the authorities.
Throughout the breach, the data controller and management team will record information as follows:
- Records will be kept of what action has been taken and by whom. Appendix D provides an activity log template to record this information.
- Copies of any correspondence relating to the breach should be retained.
- Personal and confidential information have the same definition as in Bumbles' Confidentiality Policy. Personal information is defined as any information relating to an individual who can be identified either from the data, or from that information used in conjunction with other information that may be available. Confidential information is privileged or proprietary information that could cause harm (including reputational damage) to Bumbles or individuals if compromised through alteration, corruption, loss, misuse or unauthorised disclosure.
Assessment of Risk
All data security breaches must be managed according to their risk.
Following the immediate containment of the breach, risks associated with it should be assessed in order to identify an appropriate response. The checklist in Appendix A should be used to help identify the exact nature of the breach and potential severity. This information can then be used to establish the action required.
Notification of Breach
Consideration is required as to whether any individuals, third parties or other stakeholders should be notified of the breach. This will depend on the nature of the breach, and any notification must be carefully managed.
Management will not disclose information before the full extent of the breach is understood.
When disclosure is required, we must ensure that it is clear, complete and serves a purpose.
The breach notification checklist in Appendix B should be used to identify potential stakeholders who should be notified and to establish what information should be disclosed.
The manager must be involved in the notification process and no message should be sent without approval.
Evaluation and Response
It is important to investigate the causes of the breach and evaluate Bumbles' response to it.
A brief report on the breach, how it was dealt with, and recommendations on how to prevent the breach reoccurring and similar risks should be written; see Appendix C.
All significant breaches must be reported to the proprietor. Depending on the nature of the breach, the following may also need to be notified:
- Police – in the case of criminal activity.
- Individuals whose data has been compromised.
- Information Commissioner's Office (ICO) – all serious breaches should be reported within 72 hours.
- Social Services / Gateway team – in terms of child protection.
- Others – e.g. banks, where steps may be required to protect accounts.
WHAT TO SAY:
The Manager / Proprietor will advise on the content of any message sent. No notification message should be sent without careful consideration: it is important that we understand the extent of the breach and are able to provide useful information, while at the same time, if there are important steps that individuals need to take, these should be communicated promptly. Notifications will be sent in writing, never over the phone, so that we have a written reference for our incident timeline at Bumbles.
You should consider including the following:
- Details of what happened and when the breach occurred.
- What data was involved.
- What steps have been taken to contain the breach and prevent reoccurrence.
- Advice on what steps they should take, e.g. contact banks.
- How you will help and keep them informed (if necessary).
- Multiple ways to contact you.
Appendix D activity log template (example entry):

| Activity, Decision, Instruction or Briefing (A, D, I or B) | Action taken | Completed by who |
| --- | --- | --- |
| B – received notification of personal data available on website | Informed Website Administrator and requested immediate page take down | K Burke / |