Data Protection Policy

1. Introduction

Happy Hearts Learning Centre is committed to protecting the personal data of children, parents, guardians and staff in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Ofsted Registration Number: 2860344

This policy outlines how we collect, use, store, and protect personal data in compliance with data protection legislation.

2. Data Controller

Happy Hearts Learning Centre is the data controller responsible for personal data processed in connection with our childcare services.

3. Data Protection Principles

We process personal data in accordance with the following principles:

• Lawfulness, fairness and transparency: We process data lawfully, fairly and in a transparent manner
• Purpose limitation: We collect data for specified, explicit, and legitimate purposes only
• Data minimization: We collect only the data necessary for our purposes
• Accuracy: We keep personal data accurate and up to date
• Storage limitation: We retain data only as long as necessary
• Integrity and confidentiality: We process data securely and protect against unauthorised access
• Accountability: We demonstrate compliance with data protection principles

4. Types of Personal Data We Process

4.1 Children's Data

• Name, date of birth, and address
• Medical information, allergies and dietary requirements
• Special educational needs or disabilities (SEND)
• Attendance and booking records
• Photographs and videos for learning and development
• Behaviour and incident records
• Learning and development observations

4.2 Parent/Guardian Data

• Name, address, phone number and email
• Emergency contact details
• Payment and billing information
• Communication records
• Consent forms and permissions

4.3 Staff Data

• Name, address, and contact details
• Employment records and contracts
• DBS check information
• Qualifications and training records
• Payroll and tax information
• Performance and disciplinary records

5. Legal Basis for Processing

We process personal data under the following legal bases:

• Contract: To fulfil our childcare service agreement
• Legal Obligation: To comply with Ofsted regulations, safeguarding duties and employment law
• Vital Interests: To protect the health and safety of children
• Legitimate Interests: To operate our childcare business effectively and ensure child welfare
• Consent: For photographs, videos and marketing communications (where applicable)

6. How We Collect Personal Data

We collect personal data through:

• Registration and enrolment forms
• Direct communication with parents and guardians
• Observations and assessments of children
• CCTV footage (for security purposes)
• Website contact forms and email
• Third parties (e.g., schools, healthcare professionals) with consent

7. How We Use Personal Data

We use personal data for the following purposes:

• Providing childcare and after-school club services
• Ensuring the health, safety, and wellbeing of children
• Supporting children's learning and development
• Communicating with parents and guardians
• Processing payments and maintaining financial records
• Complying with legal and regulatory requirements (Ofsted, safeguarding)
• Managing staff employment and training
• Improving our services

8. Sharing Personal Data

We may share personal data with:

• Ofsted: For regulatory inspections and compliance
• Local Authority: For safeguarding, child protection, and funding purposes
• Healthcare Professionals: In medical emergencies or with parental consent
• Schools: To support transition and continuity of care (with consent)
• Payment Processors: To process fees and payments securely
• Insurance Providers: For claims and risk management
• Legal Advisors: For legal advice and compliance
• Police/Social Services: Where required by law or safeguarding concerns

We will never sell or share personal data for marketing purposes without explicit consent.

9. Data Security

We implement appropriate technical and organisational measures to protect personal data:

9.1 Physical Security

• Secure storage of paper records in locked cabinets
• Restricted access to areas where personal data is stored
• CCTV monitoring of premises

9.2 Digital Security

• Password-protected computers and systems
• Encrypted data storage and transmission
• Regular software updates and security patches
• Secure backup systems
• Firewall and antivirus protection

9.3 Staff Training

• All staff receive data protection training
• Confidentiality agreements are in place
• Clear policies on data handling and security

10. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy and to comply with legal requirements:

Data Type	Retention Period
Child records	3 years after leaving or until age 21 (whichever is longer)
Safeguarding records	In accordance with local safeguarding procedures
Accident/incident records	3 years after the incident or until age 21 (whichever is longer)
Financial records	6 years for tax and accounting purposes
CCTV footage	30 days (unless required for investigation)
Staff records	6 years after employment ends

11. Individual Rights

Under UK GDPR, individuals have the following rights:

11.1 Right to Access

You can request a copy of the personal data we hold about you or your child (Subject Access Request).

11.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

11.3 Right to Erasure

You can request deletion of personal data (subject to legal obligations and legitimate interests).

11.4 Right to Restrict Processing

You can request limitation on how we use your personal data.

11.5 Right to Object

You can object to processing based on legitimate interests.

11.6 Right to Data Portability

You can request your data in a structured, machine-readable format.

11.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

11.8 How to Exercise Your Rights

To exercise any of these rights, please contact us using the details at the end of this policy. We will respond within one month.

12. Data Breaches

In the event of a data breach that poses a risk to individuals' rights and freedoms, we will:

• Report the breach to the Information Commissioner's Office (ICO) within 72 hours
• Notify affected individuals without undue delay
• Take steps to mitigate the breach and prevent future occurrences
• Document the breach and our response

13. CCTV and Surveillance

We use CCTV for security purposes. CCTV signage is displayed, and footage is:

• Stored securely and accessed only by authorised personnel
• Retained for 30 days unless required for an investigation
• Used only for security, safeguarding, and incident investigation
• Subject to access requests under data protection law

14. Children's Rights

We recognize that children have rights regarding their personal data. For children under 13, parental consent is required for data processing. We ensure that:

• Information is provided in an age-appropriate manner
• Children's best interests are considered in all data processing decisions
• Special category data (e.g., health, SEND) is handled with extra care

15. Changes to This Policy

We may update this Data Protection Policy from time to time. Changes will be posted on our website and, where appropriate, notified to parents and staff.

16. Contact and Complaints

If you have any questions about this policy or how we handle personal data, please contact us:

Complaints to the ICO

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

17. Related Policies

This policy should be read in conjunction with our:

• Privacy Policy
• Terms & Conditions
• Cookie Policy
• Safeguarding Policy (available on request)
• Information Security Policy (available on request)