Confidentiality and Data Protection Policy

Confidentiality and Data Protection – Policy and Agreed Practice

It is our intention to respect the privacy of children and their parents and carers, while ensuring that they access high quality early years care and education in our setting. We aim to ensure that all parents and carers can share their information in the confidence that it will only be used to enhance the welfare of their children. We have record keeping systems in place that meet legal requirements, and the way we store and share that information falls within the framework of the General Data Protection Regulations (2018) and the Human Rights Act (1998).

To ensure that those using and working in the playgroup can do so with confidence, we will respect confidentiality in the following ways:

Confidentiality and Data Handling agreed practice:

The need for confidentiality and data protection will form part of staff induction and the ongoing staff supervision process. The agreed practice will be reviewed annually by all the staff and they will each have a copy of the agreed practice for their records.

The Playgroup Manager will oversee data protection matters.

Confidentiality –

Staff will not discuss individual children, other than for the purposes of curriculum planning/group management or, with parents’ permission, for obtaining advice from outside agencies (e.g. representatives of Surrey Supporting Children Team), with people other than the parents/carers of that child unless the parent/carer has given written permission for us to do so.

Staff may use the front room to talk to parents and/or carers confidentially. Staff will be sensitive to the feelings of parents and will not raise concerns when other parents/carers/children are within earshot.

Staff will not mention or discuss people (including the children and their families) or matters relating to playgroup on social networking sites such as Facebook and Twitter.

Any anxieties/evidence relating to a child's personal safety will be kept in a confidential file, separate from other records, and will not be shared within the group except with the Designated Safeguarding Leads and the playgroup manager (if different).

Volunteers and students on recognised courses working/observing in the group will be advised of our agreed confidentiality practice and required to abide by it.

Parents will have ready access to the “Learning Journey” documents of their own children but will not have access to information about any other child.

Parents are permitted to photograph their child taking part in playgroup activities to which parents are invited (e.g. concerts, fundraising events, Easter Egg Hunt) on the explicit understanding that the images must not be shared on social media sites. A declaration to this effect is part of the registration form which all parents sign. Parents will be reminded of this commitment by the manager prior to such events.

Information given by parents/carers to the playgroup leader or a member of staff in confidence will not be passed on to other adults without permission.

Issues to do with the employment of staff, whether paid or unpaid, will remain confidential to the people directly involved with making personnel decisions.

Data Protection/Handling-

A copy of “Privacy Notices” will be given to each family as part of their “New Parents Information Pack” prior to their child starting at playgroup. This lists the type of information that we may hold about a child and their parent(s), our legal basis for handling the data, how we will use this data, who it might be shared with, how long we will retain it and how we will keep it secure. The Privacy Notice will also inform parents of their rights under General Data Protection Regulations 2018.

The playgroup’s Data Audit (of categories of data held on children, parents, staff (including volunteers) and other adults) and Privacy Notice will be reviewed at least annually.

All staff will be provided with lockable document cases, which must be used to transport and store files (e.g. Learning Journeys, SEND records) whilst they are being updated at home.

Personal/confidential records are stored in locked cupboards on the playgroup premises which are only accessible to the playgroup staff who need access to them. Any records kept on the playgroup, playgroup manager’s, SENCO’s and treasurer’s computers will be password protected.

Information will be shared with other agencies following Surrey’s Multi-Agency Information Sharing Protocol (MAISP).

Personal/confidential information shared by email will be sent using an encrypted service, e.g. Egress.

Only children’s first names (and surname initial if necessary) will be displayed in the setting e.g. on coat pegs, birthday board, art work.

Parents may request access to any confidential records held on their child and family following our “Parent Access to Records” procedure.

Staff will be provided with a letter listing the data we hold on them, why we hold it, who we may share it with and how long we will keep it before it will be destroyed.

Data will only be used for the purposes for which it was collected and when it is no longer required it will be destroyed/deleted. Please see our Retention Periods for Records document for details.

The undertakings above are subject to the overriding commitment of the playgroup, which is to the safety and wellbeing of the child. Please see our policy on Safeguarding Children (child protection). We undertake to follow the guidance in HM Government document “Information Sharing: Advice for practitioners providing safeguarding services to children, young people, parents and carers” July 2018, a summary of which is attached to this policy.


This policy and practice was agreed by Laleham Church Playgroup at a meeting on 12th October 2018

Signed on behalf of Laleham Church Playgroup...........................................

Related policies and documents-

- Privacy Notice 

- Parent Access to Records procedure

- Retention Periods for Records

- Staff Code of Conduct

- Staffing Policy

- Data Audits

- Surrey’s Multi-Agency Information Sharing Protocol (MAISP)

HM Government: Information Sharing: Guidance for practitioners providing safeguarding services to children, young people, parents and carers. July 2018

Seven golden rules for information sharing

1. Remember that the General Data Protection Regulation (GDPR), Data Protection Act 2018 and human rights law are not barriers to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately.

2. Be open and honest with the person (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.

3. Seek advice from other practitioners, or your information governance lead, if you are in any doubt, without disclosing the identity of the person where possible.

4. Where possible, share information with consent, and where possible, respect the wishes of those who do not consent to having their information shared. Under the GDPR and Data Protection Act 2018 you may share information without consent if, in your judgement, there is a lawful basis to do so, such as where safety may be at risk. You will need to base your judgement on the facts of the case. When you are sharing or requesting personal information from someone, be clear of the basis upon which you are doing so. Where you do not have consent, be mindful that an individual might not expect information to be shared.

5. Consider safety and well-being: Base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions.

6. Necessary, proportionate, relevant, adequate, accurate, timely and secure: Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely.

7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.


From General Data Protection Regulations (GDPR) 2018

Personal data - The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

Sensitive personal data - The GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include race, ethnicity, religion, politics, health information, sexual orientation, genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.  

This is a complex area and you should seek advice if you are unsure.