Activeplay Nursery & Preschool is a data controller for the purposes of the Data Protection Act and holds a significant amount of personally identifiable information that needs to be managed under the GDPR guidelines. Examples of this information are names, dates of birth, addresses, medical information, etc. All data processing we carry out must be appropriate.

We are only permitted to record and process the data we need to manage and maintain the nursery. We hold this personal data to:

  • Support your child’s learning;
  • Monitor and report to you on their progress;
  • Provide appropriate care;
  • Keep you informed;
  • Administer your free entitlement to Early Years Funding;
  • Record and manage the fees you pay to us;
  • Always be able to contact parents quickly when necessary;
  • Assess how well we are doing as a nursery.

Information and awareness

All staff have been made aware of the changes in law to the GDPR.

We keep a record of what personal data we are storing, where we are storing it, and who has access to it.

We have introduced new security measures to limit the number of staff who have access to this data and to avoid any potential breaches by unauthorised persons.

We have updated internal forms to only display the necessary information for the tasks they are used for; for example a staff member must always be able to access your telephone number to contact you in an emergency, but they do not need to be able to see other information on your registration form in order to do this.

Lawful Processing

GDPR means that personal data should be processed fairly and lawfully, and collected for specific, explicit and legitimate purposes.

We have lawful obligations that require us to collect, process and store personal data in relation, for example, to attendance and observations on your child/learning and development. We are obliged to record your fee payments, and keep records about accidents and incidents, and to keep this information for a certain period of time. This may include after your child has left the nursery. For example, we need to keep financial records for 7 years. Nurseries are obliged to keep accident and medicine forms for 25 years, in case in future a child or their parents were to make a claim against the setting. If these are legal requirements, we do not have any choice about keeping such records.

Individual Rights

GDPR increases your rights. These include the right to be informed, to have access to information held on you, to rectification of any errors, to erasure of information, and to restrict the processing of your information. You have the right not to be subject to automated decision making, and profiling using your information.

You can make a request relating to your data, and we must respond to you within one month. If you require a copy of the information we hold on you, or you have any queries, please contact the nursery manager or owner. We can refuse a request to destroy records if we have a lawful obligation to retain data, but we must inform you clearly why we are rejecting your request. An example might be if you asked us to remove data relating to an accident your child had at nursery. We have a legal obligation to keep this information and so we would be unable to delete it even if requested.

Parents (and staff) can object to the processing of their data. In this instance your data cannot be used in communications or reports, but it can still be retained in storage – indeed, it must be, as we cannot take responsibility for a child in our nursery without holding contact, medical, etc information.

Storage and destruction of information

We have increased security of information kept on the premises. These measures include:

  • Lockable cupboards and filing cabinets
  • Restriction of staff having access to the office
  • Increased security of access to the office
  • Tablets used to create children’s online learning journals are passworded. They are locked away when not in use.
  • Contact information for parents to which quick access would be needed in the event of an emergency is stored in a locked wall safe within the nursery.
  • Laptops used in the office are passworded and encrypted. Anti virus and anti hacking programmes are installed. Backups take place to a secure server which is not located on the premises but provided through a specialist computer partner, J and J Systems
  • Our internet connection has been upgraded to provide additional security features
  • Emails containing sensitive information are sent securely and with separate passwords
  • Your child’s Tapestry online journal is stored securely in accordance with the separate information sheet you have been given on this. The journal is protected by a password which is set by you.
  • We carry out secure ‘cross cut’ shredding of unnecessary or out of date personal information, unused photographs, etc
  • Passwords and entry codes are changed periodically and whenever a member of staff leaves our employment


If there is a security breach regarding data, we are obliged to report this both to the person or persons affected, and to the ICO (Information Commissioner’s Office).


Parents are advised that our absolute commitment to the protection of children from abuse of any kind takes precedence in law over our data protection obligations.

Sharing information

We will not give information about you to anyone without your consent unless the law and our policies allow us, or legally oblige us to. Clearly, we are not a company that advertises products or services and so your information will not be used in any marketing connection, nor would we ever share it with a third party for marketing purposes. An example of how some information may be legitimately shared might be if your child attends two settings and you give permission for us to share information on progress with the other setting, or when your child is preparing to move to school and you give us permission to forward their learning journal.

We are required by law to pass some information to our Local Authority and the Department of Education, for example numbers of children at the nursery and attendance patterns. If you are claiming your free entitlement of 15 or 30 hours from the local authority, we are obliged to request your NI Number and date of birth and this forms part of the validation of your claim. If you need more information about how the

LA may store and use your information, then please go to the following website:​ and search under ‘access to information’ or ‘data protection’.

If you are unable to access these websites you can contact:

Information Resilience and Transparency Team Kent County Council, Sessions House County Road Maidstone ME14 1XQ Tel: 0370 000 2288

Under the recent GDPR legislation, we ask you below to confirm your willingness for us to hold and process this information about you. We ask you to sign the attached form to confirm that you give us your permission. If two parents have completed the registration form, we need both of you to sign this consent, please. If you have any questions, concerns or wish to make a request regarding the information that we hold on you, please contact me, or the nursery manager.

Revised May 2022
By: Michelle Sharp
Adopted as the policy of the nursery
By: Jacquelin Curtis Director,
Activeplay Nurseries Ltd