privacy policy — Raised In

At Raised In we take your confidentiality and privacy rights very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

Our Privacy Policy explains the reasons we collect personal data and what we do with it. This privacy notice applies to all the different groups of people we process personal information about. We want you to be confident that we are treating your personal data responsibly, and that we are doing everything we can to make sure that the only people who can access that data have a genuine need to do so.

1. Data Control and Key Contact Information

Raised in Bristol is the ‘controller’ of personal data for the purposes of the Data Protection Act 2018 and the General Data Protection Regulation. Raised in Bristol may also act as a processor of personal data on behalf of partner organisations.

If you feel that we are mishandling your personal data in some way, you have the right to complain.

Queries and complaints can be sent to our Data Protection Officer (DPO): Thea Welsford, thea@raisedin.org.uk

Raised in Bristol can also be contacted at:

Third Floor,
16 Orchard Street,
Bristol,
BS1 5DX

If you are not satisfied with our response you can raise the matter with the Information Commissioner’s Office www.ico.org.uk

Raised in Bristol’s ICO registration number is: A8278994

2. What Kind of Data We Collect and Why

Raised in Bristol processes personal information about:

Children - Parents and carers
Extended family/emergency contacts
Employees and job applicants
Suppliers Raised in Bristol
Professional associates, advisers and consultants

We may process the following types of personal data:

Identity data may include first name, maiden name, last name, username, marital status, title, date of birth, bank details, child registers, photos, videos
Contact data may include postal address, email address and telephone numbers
Education data – learning journeys, supervision notes
Health and care data - notes and reports about the physical, emotional or mental health of children in our care and any treatment, care or support needed from us, child protection files, accident and incident records
Profile data may include feedback and survey responses
Marketing and communications data may include your preferences in receiving marketing communications from us
Financial data may include your bank account and payment card details
Technical data may include your login data, internet protocol addresses, browser details, browser plug-in details, time zone setting and location, operating system and platform and other technology on the devices you use to access our website
Usage data may include information about how you use our website

We use your data for the primary goal of delivering our nursery services. Like many organisations, processing data is critical for the day-to-day operations of our business.

We may also process sensitive personal data, for example, health records or criminal records of staff for safeguarding reasons.

We require your explicit consent for processing sensitive data, so when you submit your details, we will ask for your explicit agreement in providing this information to us.

3. How We Store and Protect Your Data

Raised in Bristol will never share your data with anyone who does not need access without your written consent.

Storing Data

Your data may be stored as follows:

All: on paper, in locked filing cabinets (our offices are always locked out of working hours)
Children: important medical information may be stored on a nursery noticeboard
Children, parents / carers: electronically using a specialist online early years management service (eyMan) and financial management system (Xero)
Employees, associates and contractors: electronically on our cloud-based administrative and financial management systems (Dropbox, Google Drive, Xero and BrightPay)

Accessing Data

Only the following people/agencies will have routine access to data:
Our nursery staff team in order to fully understand the needs of children in their care and to be able to meet our safeguarding and child protection requirements
Our finance and administration team in order to manage nursery occupancy as well as invoices and payments
Our HR team to manage employment records

From time to time, we may have to employ temporary staff or consultants to perform tasks which might give them access to personal data. We will ensure that they are fully aware that they must treat that information as confidential, and we will ensure that they sign a non-disclosure agreement.

Access to online data is password protected, and the passwords are changed regularly on our office computers, which are also password protected.

We educate all staff on data protection at induction, and in staff meetings and workshops. We also have online training modules which all staff with access to data are required to undertake.

4. Legal Grounds for Using Your Data

Under data protection law, there are six ‘lawful’ bases on which we can use or store your data:

BasisNotes
ContractRequests for registration and enrolment in our nursery constitutes a ‘contract’. We need to collect personal information about children and their parents / carers to provide the best possible nursery service. Parents / carers can refuse to provide the information, but we can’t provide a service without it.
Legitimate InterestWe have a ‘legitimate ‘interest’ in collecting personal information so we can do our job effectively and safely. We also need to contact parents and carers to confirm visits and registration / enrolment with us or to update them on matters related to the care of their child.
ConsentAs long as we have your consent, we may occasionally send out organisation updates, general information in the form of articles, advice or newsletters. Individuals may withdraw this consent at any time, usually by ‘unsubscribing’ from our emails.
Legal ObligationWe collect personal data about employees, contractors, associates and suppliers to formally engage their professional services. If you enter into a financial agreement with us certain personal information will need to be kept.
Vital InterestWhere data needs to be processed to ensure the vital interests of the individual e.g. to protect someone’s life.
Public InterestWhere the data needs to be processed so that the nursery, as a public authority, can perform a task in the public interest, and carry out its official functions.

Basis	Notes
Contract	Requests for registration and enrolment in our nursery constitutes a ‘contract’. We need to collect personal information about children and their parents / carers to provide the best possible nursery service. Parents / carers can refuse to provide the information, but we can’t provide a service without it.
Legitimate Interest	We have a ‘legitimate ‘interest’ in collecting personal information so we can do our job effectively and safely. We also need to contact parents and carers to confirm visits and registration / enrolment with us or to update them on matters related to the care of their child.
Consent	As long as we have your consent, we may occasionally send out organisation updates, general information in the form of articles, advice or newsletters. Individuals may withdraw this consent at any time, usually by ‘unsubscribing’ from our emails.
Legal Obligation	We collect personal data about employees, contractors, associates and suppliers to formally engage their professional services. If you enter into a financial agreement with us certain personal information will need to be kept.
Vital Interest	Where data needs to be processed to ensure the vital interests of the individual e.g. to protect someone’s life.
Public Interest	Where the data needs to be processed so that the nursery, as a public authority, can perform a task in the public interest, and carry out its official functions.

5. How Long We Hold onto Data

We have varied retention periods for each type of data we process but will always try to limit the length of time we hold your data. Raised in Bristol will not keep personal data for longer than needed.

Here are some examples of data retention requirements:

Parent / Carer information

Email enquiries about registration requirements - no longer than necessary for the purposes we obtained it for
General records – 3 years or until the child is 25

Children in our care

General records – 3 years is deemed a ‘reasonable amount of time’, according to EYFS & Childcare Act 2006
Accident reports – until the child is 21
Safeguarding records – until the child is 25
RIDDOR reports – three years after incident (NB if they are relating to child protection they will be kept for 24 years)

Staff Records

Personal data, performance appraisals, employment contracts, payroll – 6 years after an employee leaves
Name and employment dates - 50 years (in the event of future abuse claims)
Working time records - 2 years from the date the records refer to
Maternity, Paternity or Shared Parental Pay records: 3 years after the end of the tax year that the payment stopped
First Aid, Fire Warden, Health and Safety training – 6 years after an employee leaves

NB: Under GDPR any member of staff can request ‘the right to be forgotten’ but Raised in Bristol has an obligation to keep this data, and will not erase it until the 6 year retention period has expired.

Job Applicants

6 months even if the applicant was unsuccessful

Subject Access Request

1 year following completion of the request

6. Sharing your data

Raised in Bristol may disclose information about children, parents / carers to statutory and regulatory bodies for safeguarding, care and funding purposes. We may also disclose information about individuals to our employees, suppliers or subcontractors insofar as reasonably necessary for the purposes as set out in this privacy policy.

We do not share any other information about you without your consent, unless required to do so by law. We will not without your express consent provide your personal information to any third parties for the purpose of direct marketing.

7. Marketing and Website 'Cookies'

We want to promote our services, resources and news with you. We do this in the following ways:

Emailing website visitors who consent to our email marketing
Promoting our services to our 'followers' across social media platforms

You can unsubscribe from our updates at any time or choose what information you want to receive.

We use cookies to track the use of our website. We do this in order to monitor and improve the user experience through Google Analytics.

A cookie consists of information sent by a web server to a web browser and stored by the browser. In most browsers, you can block all cookies (go to internet options/privacy). Blocking all cookies will, however, have a negative impact upon the usability of many websites.

8. Your Rights as a Data Subject

If we hold your personal data you have rights outlined by General Data Protection Regulation and the Data Protection Act 1998/2018:

You have the right to be informed about the collection and use of your personal data when it is obtained
You have the right to be forgotten i.e. for us to no longer store your information. However, there are instances such as statutory/contractual agreements which mean we may have to keep hold of some details
You have the right to ask for a subject access request. This means you can ask us for all the information we hold on you and we are obliged to provide this to you in a portable format by one month (30 days). Please note that requests deemed as ‘excessive’ can be denied or charged for. To make a subject access request please contact our DPO Thea Welsford, thea@raisedin.org.uk
You have the right to complain to Raised in Bristol and/or the ICO if you believe your personal data is compromised in any way www.ico.org.uk/make-a-complaint

Signed: Thea Welsford
Last review: 4 March 2024
Next Review: March 2025

Link to The Data Protection Act 2018 page on GOV.UK website.