Storal Nurseries is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you before, during and after your relationship with us, in accordance with the General Data Protection Regulation (GDPR). It applies to all parents, pupils and other interested parties.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
For further information on how Storal Learning Ltd and its subsidiaries handle data protection, please see the Data Protection Policy, available on our website or at nursery in the nursery’s policy folder.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Who processes your information?
Storal Nurseries is a private limited company registered in England and Wales with registered number 02434041 and is a wholly owned subsidiary of Storal Learning Ltd (Storal Learning) which is also a private limited company registered in England and Wales with registered number 10421490. Storal Learning’s registered office is at 111 Baker Street, London W1U 6RR.
Storal Nurseries and Storal Learning are joint data controllers of the personal information you provide to us. This means the nursery determines the purposes for which, and the manner in which, any personal data relating to pupils and their families is to be processed.
In some cases, your data will be outsourced to a third-party processor, such as eyMan, our nursery management software. Where the nursery outsources data to a third-party processor, the same data protection standards that Storal Learning upholds are imposed on the processor.
Why do we collect and use your information?
Storal Learning collects and uses personal data relating to staff, children and their families, and we may receive information regarding them from their previous setting or employer. We only use your personal information where the law allows us to.
We collect and use personal data in order to perform any contract we have entered into with you, to meet legal requirements and where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. These legitimate interests include us operating our business of providing nursery services and ensuring we meet the statutory requirements of the Early Years Foundation Stage.
We may also use your personal data on rare occasions where we need to protect your interests (or someone else’s interests) or where it is needed in the public interest.
The personal data of staff, children and their families (or nominated individuals authorised by parents to act in loco parentis) is collected and used for the following reasons:
- To safeguard children and staff
- To support children’s learning
- To monitor and report on children’s progress
- To provide appropriate pastoral care
- To assess the quality of our service
- To comply with the law regarding data sharing
- Images of staff, children and parents may be used to promote and market our school via our website and social media, provided we have received explicit consent
- To obtain funding from the Local Authority
- To monitor the continued professional development of our staff
- To manage payment of fees and other charges
What data is collected?
The categories of children, parent and staff information that the nursery collects, holds and shares include the following:
- Personal information – e.g. names, addresses, telephone numbers, email addresses, National Insurance number, Birth Certificate
- Characteristics – e.g. language, nationality, ethnicity, occupation.
- Attendance information
- Assessment information
- Relevant medical information – e.g. immunizations, medical conditions, accident forms
- Information relating to Special Education Needs
- Child Protection information – e.g. social worker details, child protection plan
- Behavioural information
- Financial details – e.g. bank account details, outstanding balances
- Photographs and images – e.g. CCTV footage on site, pictures within the nursery
- (For contractors/employees only)–Recruitment information including references, professional qualifications and DBS
Whilst the majority of the personal data you provide to the nursery is mandatory, some is provided on a voluntary basis.
If you fail to provide certain information when requested, we may not be able to provide services to you or we may be prevented from complying with our legal obligations. When collecting data, the nursery will inform you whether you are required to provide this data or if your consent is needed.
Where consent is required, the nursery will provide you with specific and explicit information with regards to the reasons the data is being collected and how the data will be used. You may withdraw your consent at any time by emailing the nursery.
How we use sensitive personal information
“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out legal obligations and in line with our data protection policy.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving consent, or where you have already made the information public.
In regards to children who attend nursery, we process relevant medical information and information relating to Special Education Needs.
In regards to contractors, we may process criminal data through a DBS check. This is not officially a special category of personal information, but will be treated as confidential and requiring higher levels of protection.
We have separate Data Protection Impact Assessments available for these special categories, which can be requested by emailing email@example.com.
How long is your data stored for?
Personal data relating to children, their families and staff are stored in accordance with the guidelines in the Record of Processing Activities. This is available on request to firstname.lastname@example.org. In accordance with GDPR, the company does not store personal data indefinitely; data is generally only stored for up to seven years after you leave the nursery or longer only where we are legally required to do so.
With whom will my information be shared?
The company may share information with:
- Children’s destination upon leaving the nursery
- The Local Authority
- The NHS / Emergency Services
- Appropriate external agencies like LADO / DOFA, the police or social services
- External software providers for invoicing, accounting and nursery management purposes
- External cloud storage providers
The company may also request to use personal information for promotional material, such as photographs or reviews on websites. This will only be done with additional consent from you. If you consent, this information could be publicly available.
Storal Learning will not share your personal information with any third parties without your consent, unless the law allows us to do so. The law permits us to share information with third parties where it is a legal requirement to do so, where it is necessary to administer any contract with you or where we have another legitimate interest in doing so.
Our third party service providers change from time to time and we can let you have details of parties who are processing your data at any given time upon request. All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Where we transfer your personal information outside the European Economic Area (EEA), we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information.
How does the organisation protect data?
The organisation takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. As far as possible, we reduce physical paperwork and keep scans on our secure cloud-based storage system. Passwords for specific services are only shared with appropriate employees via our online password vault box. Physical files are securely locked away in cabinets at the settings.
Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
What are your rights?
Everyone has the following rights in relation to the processing of their personal data. You have the right to:
- Be informed about how we use your personal data
- Request access to the personal data that we hold
- Request that your personal data is amended if it is inaccurate or incomplete
- Request that your personal data is erased where there is no compelling reason for its continued processing
- Request that the processing of your data is restricted
- Object to your personal data being processed
If the person whose personal data is being processed is under 18, their legal parent or guardian may exercise their rights on their behalf.
If you would like to exercise any of these rights, please speak to a member of the Storal Learning team. Wherever possible, speaking to a manager will help ensure your response is handled the quickest. If you are unsure who is best to speak to, you can always contact the Named Contact at email@example.com.
Some of our data is processed and stored in order to comply with our legal obligations. In this case, individuals do not have the right to request us to stop processing or erase it. If you are unsure whether your data meets this category, please speak to the Nursery Manager or the Data Protection Lead to confirm.
We do not envisage that any decisions will be taken about you using automated decision making, however we will notify you and advise you of your rights in writing if this position changes.
Where the processing of your data is based on your consent, you have the right to withdraw this consent at any time.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates.
If you have any questions about this privacy notice, please contact the Nursery Manager or Storal Learning’s Data Protection Lead at firstname.lastname@example.org.
If you have a concern about the way Storal Learning manages your data, you can raise a concern with the Information Commissioner’s Office (ICO). The ICO can be contacted on 0303 123 1113, Monday to Friday between 9am and 5pm.