Skip to content
Wise Owls Childcare logo
Parent Portal Book a club Book a tour

DATA PROTECTION, PRIVACY AND COOKIES POLICY

 

Purpose 

This policy aims to ensure the safety, confidentiality, and professionalism of Wise Owls Childcare staff, children and families when using social media, mobile devices, iPads, and our digital systems. 

DP leads 

Wise Owls Childcare is not legally required to appoint a Data Protection Officer. Responsibility for data protection compliance sits with the Operations Director and the Head of Sales, Marketing and Communications who can be contacted by email to info@wiseowlschildcare.co.uk  

Data Protection 

GDPR covers personal data relating to individuals. As a childcare provider, Wise Owls Childcare is committed to protecting the rights and freedoms of individuals with respect to processing the personal data of children, parents, visitors and staff. 

In compliance with UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018, this document sets out Wise Owls Childcare’s Confidentiality (Privacy) and Dat Protection commitments and includes information on our data sharing, data security and data breach protocol. 

Since 2009 we have been registered as a Data Controller with the Information Commissioner’s Office (ICO number Z1961923) and have a Digital Device Usage Policy which all employees must follow to ensure cyber security at all times.  

Privacy 

Wise Owls Childcare treats all personal information and records for staff, children and parents confidentially.  These records are only made accessible to those who have a legal right or a professional need to see them.  

All records kept about staff, children and their families are considered confidential, to avoid exploitation.  This includes (but is not limited to):  

  • Addresses, email addresses, telephone numbers  
  • Registers and attendance data  
  • Medication and health forms  
  • Accident and incident reports  
  • Safeguarding records  
  • Digital records stored on approved systems  

A copy of children’s personal and contact details are available in our secure online systems and are only accessible by staff with authorisation. These records include:  

  • Parent/carer contact details  
  • Emergency contacts  
  • Medical and dietary needs  
  • Special Educational Needs 
  • GP information  
  • Home address  

Parents register and update their child’s details via the organisation’s secure online system. 

 

Sharing Information 

We only share information about our children, staff and parents with those organisations with which we have a legal requirement to share data or other organisations, which allow us to run our business in a safe, efficient and suitable manner. 

Information is only shared by Wise Owls Childcare with external organisations where it is necessary in the care and safety of a child or employee, for example but not limited to OFSTED, Local Authority (funding), Caterer (dietary requirements). 

For our day nurseries, some basic details are shared with other parents when communicating via the Famly Newsfeed. The parent’s or child’s surname will not be shared via the newsfeed on Famly. 

We will not normally share personal data with anyone else, but may do so where: 

  • There is an issue with a child or parent/ carer that puts the safety of our staff at risk. 
  • We need to liaise with other agencies – we will seek consent as necessary before doing this. 
  • Our suppliers or contractors need data to enable us to provide services to us – for example, IT companies. When doing this, we will only appoint suppliers or contractors which can provide sufficient guarantees that they comply with data protection law. 

We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for: 

  • The prevention or detection of crime and/or fraud. 
  • The apprehension or prosecution of offenders. 
  • The assessment or collection of tax owed to HMRC. 
  • In connection with legal proceedings. 
  • Where the disclosure is required to satisfy our safeguarding obligations. 

We may also share booking information with legal parent/guardians once proof of legal parental responsibility has been established. 

 

Secure Data Storage and Access  

  • Any personal details of employees, children and their families are stored securely in our online systems, and any printed documentation is stored in secure, locked cabinets within the office and retained as per our Data Retention Policy. 
  • Only authorised staff have password protected access to personal data in our digital systems. 
  • Ony staff with approved DBS have access to personal data. 
  • Staff contact details may need to be shared internally for work‑related purposes only, and only where a clear business need it identified. 

 

Use of Images, Videos and Social Media   

When using photos or videos for advertising, marketing, or social media, only children and staff with explicit, documented parental permission will be included, and no child’s name or staff member’s name will be shared. 

 We follow our cyber security policy and recommendations; with multi factor authentication in place and passwords adhering to cyber security best practice.  

 

Confidential Conversations  

Each setting provides a private space, typically a separate room, for parents, carers, and staff to hold confidential discussions. 

 

Confidential Waste 

We destroy confidential waste through an accredited shredding service.   

 

Digital Safety and Cyber Security  

Wise Owls Childcare follows robust cyber‑security processes as outlined in the Digital Device and Usage Policy to ensure:  

  • Safe digital storage of all records  
  • Strict rules about password length plus the use of Multi-Factor Authentication where possible across the company 
  • Controlled access to sensitive data 
  • Where some of our digital service providers may store or process data outside the UK, we ensure appropriate safeguards are in place in line with UK GDPR. 

To ensure full transparency and compliance with the UK GDPR and the ICO’s latest guidance, our Data Retention Policy outlines the lawful basis under which Wise Owls Childcare processes different categories of personal data.   

 

GDPR is designed to protect personal data 

GDPR is designed to protect individual rights in the following way: 

The right to be informed 

Wise Owls Childcare is registered with Ofsted and the Local Authority and consequently, is required to collect and manage certain data to ensure the safety and wellbeing of children and employees. 

For parents claiming the free nursery entitlement we are requested to provide this data to the Local Authority; this information is sent to the Local Authority via a secure electronic file transfer system. 

Upon registration, we are required to witness a copy of the child’s photo identification such as a passport if available. This information is recorded as ‘seen’ and any physical copipes are not kept as a record. 

We are required to collect certain details of visitors to our nursery. We need to know visitor’s names, car registration and company name. This is in respect of our Health and Safety and Safeguarding Policies. 

As an employer we are required to hold data on our employees; names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, photographic ID such as passport and driver’s license, bank details. 

Information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to our provider for the processing of DBS checks. 

 

The right of access – Subject Access Request 

At any point an individual can make a request relating to their data and this will need to be requested in writing via email to info@wiseowlschildcare.co.uk. 

Before responding to a request for data, the organisation must take reasonable steps to verify identity. 

 

Acceptable verification: 

  • Photo ID (passport, driving licence) 
  • Proof of address (utility bill, bank statement) 
  • For parents/guardians requesting data about a child: proof of parental responsibility is required 

If identity cannot be verified, the one‑month deadline does not begin until verification is complete. 

SARs must be completed within one month of receiving the request. Wise Owls Childcare may extend the deadline by up to two additional months if the request is complex or numerous, but the individual must be informed within the first month and told why.  

Staff must not delete, alter or conceal data after a SAR is received. 

We may refuse a request, if we have a lawful obligation to retain data i.e. from Ofsted in relation to the EYFS, but we will inform the individual of the reasons for the rejection. Some information must not or may not be disclosed. This includes: 

  • Personal data about another identifiable person (unless consent is given or it is reasonable to disclose) 
  • Information that would harm the safeguarding of a child or vulnerable person 
  • Legally privileged information 
  • Management information that may prejudice negotiations 
  • Data relating to criminal investigations (in specific circumstances) 

The individual will have the right to complain to the ICO if they are not happy with the decision. 

 

The Right of Amendment, Erasure or Deletion 

Parents can view their data and their child’s data in our secure digital systems. Parents can amend theirs and their child’s personal data.  

You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, Wise Owls Childcare has a legal duty to keep certain staff, child and parent data in accordance with our Data Retention Policy. This data is archived securely and shredded after the legal retention period. Data must also be retained during continued use of our services, therefore rights apply subject to legal obligations and safeguarding duties 

 

The Right to Restrict Processing 

Parents, visitors and staff can object to Wise Owls Childcare processing their data. This means that records can be stored but must not be used in any way. If the restriction does not enable us to perform our childcare service, we will consult with the parent/carer to find an acceptable solution. If none can be found then the childcare service may need to be discontinued. 

 

The Right to Object 

Parents, visitors and staff can object to their data being used for certain activities like marketing or research. Email info@wiseowlschildcare.co.uk to opt out of marketing emails. 

 

The Right to Data Portability 

Wise Owls Childcare requires data to be transferred from one IT system to another, such as from Wise Owls Childcare to the Local Authority and to our digital systems. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR. 

 

The Right Not to be Subject to Profiling or Automated Decisions 

Automated decisions and profiling are used in marketing based organisations. Wise Owls Childcare does not use or share personal data for such purposes. 

 

Data Collection 

For the majority of data we collect, the lawful basis for doing so falls under the category of ‘legal obligation’ as we have a legal requirement to obtain this data as part of the Statutory Framework for the Early Years Foundation Stage. 

Some data we collect, for example, photographs, requires parents to give consent for us to do so. Where this is the case, parents will be required to provide consent to ‘opt in’ and are made aware that they have the right to withdraw their consent at any time. 

We may also be required to collect data as part of a parent’s contract with the setting or local authority, for example, for us to claim government funding. 

The information that our digital registration forms request during the registration process is necessary for us to comply with legislation and to promote a secure environment for the children and employees in our care. Our databases obtain and store personal data and we use personal data to enable us to care for children and employees safely. We use the data to communicate with Parents and Carers. We use data to advertise and market our business to registered clients. 

CCTV cameras may be used at our settings where appropriate for safety, safeguarding and security purposes. Where CCTV is in operation, it will be clearly signposted. Please refer to our CCTV Policy for full details of how CCTV footage is captured, used, stored, retained and accessed. 

We make sure that this data is kept secure when we receive it. Data is stored on our secure database and any data that is sent to our settings in hard copy is stored within a locked box in a locked cupboard in a locked setting. This data needs to be on site to enable staff to care for the children and contact parents if needed. 

Data Security 

We keep data about all individuals secure and aim to protect data against unauthorised change, damage, loss or theft. All data collected is only accessed by authorised individuals. All paper forms are kept locked away and all computers and tablets are password protected. 

Access to all Wise Owls Childcare computers and other software accounts including email is password protected. Multi Factor Authentication is in place for laptops and tablets where possible. 

When a member of staff leaves the company, MFA and passwords are changed. 

Data Retention 

Data retention periods as outlined in our Data Retention Policy follow legal recommendations for childcare and safeguarding records, consistent with best practice guidance.   

A comprehensive list of data retained by Wise Owls Childcare can be found in our Data Retention Policy.  

Cookies 

Cookies are small text files that are placed on a user’s device when they visit a website. Cookies help websites function effectively, improve user experience, and provide information about how the site is used. 

Wise Owls Childcare uses cookies on its website for the following purposes: 

Strictly Necessary Cookies
These cookies are essential for the website to function correctly and cannot be switched off. They are usually set in response to actions made by users, such as setting privacy preferences or submitting forms. 

Analytics and Performance Cookies
With your consent, we use analytics tools such as Google Analytics to understand how visitors use our website. These cookies collect information such as pages visited, time spent on the site, and device information. This information may include pseudonymised personal data such as IP addresses or device identifiers and is used solely to help us improve our website and services. 

Marketing and Communication Cookies
Where used, marketing platforms such as Mailchimp may place cookies or similar technologies to help us understand engagement with emailed communications. These cookies are only used where you have provided consent. 

ThirdParty Cookies
Our website may include links to thirdparty platforms such as social media sites. We do not control the cookies placed by these third parties, and users are encouraged to review the privacy and cookie notices of those providers directly. 

Consent and Cookie Control
When you first visit our website, you are asked to set your cookie preferences via our cookie consent banner. Analytics and marketing cookies are only placed where you have actively opted in. You can change or withdraw your cookie preferences at any time by adjusting your browser settings or revisiting the cookie preferences tool on our website. 

International Data Transfers
Some thirdparty cookie providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place in line with UK GDPR, such as adequacy regulations or approved contractual protections. 

Staff Access, training and accountability 

All employees and contractors are screened prior to employment. All references are checked. Enhanced DBS checks are performed on all staff/contractors who have access to personal data and the digital database management system. 

At Wise Owls Childcare, all staff play a vital role in maintaining high standards of data protection, and we ensure this through robust, ongoing training and clear accountability. Every employee read this policy, the Digital Device Usage Policy and our Safeguarding Policy during induction and all staff must complete refresher training annually to keep their knowledge up to date with current legislation and best practice. Staff are required to follow all internal data protection procedures, including secure handling of digital devices, password protection, confidentiality expectations, and safe storage of personal information. Access to systems is granted on a role‑specific, need‑to‑know basis, and staff must immediately report any potential data breaches or concerns to management.  

Failure to follow these procedures, or any instance of negligent handling of personal data, may result in disciplinary action in line with our HR policies. This ensures that all employees understand both their responsibilities and the importance of safeguarding the personal data entrusted to us. 

 

Photographs / Videos 

As part of our nursery activities and as part of a child’s learning profile, we will take photographs and record images of individuals and / or children and staff. We will obtain written consent from parents and carers for photographs and videos to be taken of their child for communication, marketing and promotional materials. We will clearly explain how the photograph and/or video will be used to the parent and carer. We will obtain consent from employees for photos and videos. Authorised uses may include: 

  • Within the setting on notice boards, pegs, newsletters etc. 
  • On our nursery website or social media pages. 
  • Outside the setting by external agencies, such as digital and print media. 

Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph or video and not distribute it further. When using photographs and videos in this way we will not accompany them with any other personal information about the child, to ensure they cannot be identified. 

Data breach 

Should there be a breach in data security, the breach must be reported immediately in line with Wise Owls Data Breach Process will be followed.  

Last reviewed June 2026