top of page

Data Protection and Retention Policy


At Tots and Time Out and Bright Beginnings we recognise that we hold sensitive information about children and their families and the staff we employ which is why we are committed to maintaining the confidentiality and security of your personal information. We are registered under the General Data Protection Regulations to hold personal data. A copy of our certificate can be found in our reception areas.

Legal requirements

  • We follow the legal requirements as set out in the Statutory Framework for the Early Years Foundation Stage (EYFS) 2017 and accompanying regulations about the information we must hold about registered children, their families and the staff working within the nursery

  • We follow the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679 (GDPR), Data Protection Act 2018 and the Freedom of Information Act 2000 with regards to the storage of data and access to it

The information that we require and hold for each child, their family and our employees can be found in our Privacy Notice. This also explains how we use and share any information provided.

We hold and use your child’s information to support their teaching and learning, to monitor and report on their progress throughout their time with us, to provide appropriate pastoral care and to comply with the law regarding data sharing. If a child has previously been registered at another setting, we will gain consent from you to contact the setting to gain as much information about the child’s level of development to ensure that we are equipped with the information to best meet their needs. 


We place a high priority on securing your information by following the procedures below;

  • We have technical, physical and administrative safeguards to protect these records against loss, unauthorised access and improper disclosure. We store store paper information in secure locked cabinets and our computer us fully protected. This relates to information we hold about children, their families and our employees.

  • We ensure that staff, students and volunteers are provided with information regarding confidentiality and data protection upon induction and that they fully understand that it would be a breach of their employment to discuss or share any information regarding a child or their family outside of the workplace or with anyone other than relevant professionals who ned to know the information. We have a confidentiality policy in place to reflect this.

  • We ensure that parents have access to the information we hold about their child only unless relevant professionals such as the police or local authority children’s social care team decide that it is not in the child’s best interests to do so.

  • We will always request parental consent to share information unless it is not in the child’s best interests to do so.

  • We have an online and device safety policy that all employees and parent must adhere to.

  • We ensure that any issues concerning our employment of staff is kept confidential to the people directly involved in making personnel decisions.

  • Safeguarding and child protection files of evidence are kept in secure, confidential files and shared with as few people as possible and only ever on a ‘need to know’ basis. If a child is considered ‘at risk’, our safeguarding/child protection policy will override confidentiality. 

  • We ensure that our terms and conditions, privacy and consent notices are easily accessible and made available upon request in accurate and easy to understand language.

  • Individual staff may request to see their own personal file at any time.

  • We will only share or use the information we hold as stated in our privacy notice.

Retention of information

We are required by law to keep information for certain lengths of time. Below is a brief overview of the information we keep and how long for. 

Children’s records - A reasonable period of time after children have left the provision. We will follow the Local Authority procedure here and this states they should be kept for 2 years. 

Records relating to individual children e.g. care plans, speech and language referral forms – We will pass these on to the child’s next school or setting following our Local Authority’s protocols for transition and sharing of sensitive records. 

Accidents and pre-existing injuries - If relevant to child protection we will keep these until the child reaches 25 years old.

Safeguarding Records and Cause for Concern forms – We will keep until the child has reached 25 years old. 

Records of any reportable death, injury, disease or dangerous occurrence (for children) - As these incidents could result in potential negligence claims, or evolve into a more serious health condition, we keep records until the child  reaches the age of 21 years and 3 months.

Records of any reportable death, injury, disease or dangerous occurrence (for staff) – 3 years

Type of accidents include fractures, broken limbs, serious head injuries or where the child is hospitalised. 

Observation, planning and assessment records of children -  We keep our planning filed since the last inspection date so there is a paperwork trail if the inspector needs to see it. Individual learning journeys on Tapestry are deleted within 30 days of the child leaving the setting.

Information and assessments about individual children is either given to parents when the child leaves or to the next setting/school that the child moves to (with parents’ permission).

Personnel files and training records (including disciplinary records and working time records) – 7 years 

Visitors/signing in book – Up to 24 years as part of the child protection trail.


Data breach 

In the unlikely event of a data breach – information lost, stolen or missing, we will record and report to the Information Commissioner’s Office (ICO) within 72 hours. 


This policy was adopted on

Signed on behalf of the nursery

Date for review

June 2020


bottom of page