This policy is relevant to all employees, volunteers, students on placement or work experience and members of the Cylch Meithrin committee. Breaching this policy could lead to disciplinary procedures and serious incidents could lead to dismissal in line with the Cylch Meithrin’s disciplinary procedure.

Everyone has rights regarding how their personal information in treated. The Cylch Meithrin recognises the need to treat this information in an appropriate and lawful manner.
The aim of the Cylch Meithrin is to ensure that all information regarding employees, volunteers, students on work experience and members of the Cylch Meithrin committee, parents/carers/guardians and children is kept securely and confidentially as required by the General Data Protection Regulation (GDPR). The Cylch Meithrin is the data controller for any personal data processed.

No information will be shared or revealed to persons/agencies who are not authorised to receive the information.

The Rights of the Child
This policy aims to ensure that the Cylch Meithrin respects children’s rights as stated in the United Nations Convention on The Rights of the Child, specifically:
Article 3: All organisations concerned with children should work towards what is best for each child.
Article 14: Children have the right to think and believe what they want and to practice their religion, as long as they are not stopping other people from enjoying their rights.
Article 16: Children have a right to privacy. The law should protect them from attacks against their way of life, their good name, their families and their homes.

General Data Protection Regulation (GDPR) (2018).
The purpose of the Act is not to prevent the collection and processing of personal data[1], but to ensure that it is done fairly and without effecting the rights of the individual. In order for personal data to be lawfully processed, certain conditions must be met.

The Cylch Meithrin is committed to ensuring that personal data will be kept, processed and transferred according to the General Data Protection Regulation (2018) by ensuring that personal data and special categories of personal data[2] are:

  • is processed in a fair, transparent and lawful manner.
  • is collected for specific, clear and valid purposes.
  • is correct, and where necessary, up-to-date.
  • is only kept in a recognisable format only for the necessary period of time.
  • is processed only for specific purposes and in an appropriate way.
  • is sufficient, is relevant, is necessary and not excessive to the purpose.
  • is processed in line with the rights of the individual.
  • is kept securely.
  • is transferred only to others who have sufficient security processes.

Rights regarding Data which is held on an Individual
Any information which relates to a ‘living, identifiable individual’ is considered to be personal data. It refers to an identifiable person who can be directly or indirectly identified. Statistics do not count as personal data.
An individual has the right to access the information which is kept about them from time to time and within reason. Applications should be made in writing to the Cylch Meithrin, who will respond to the application. The Cylch Meithrin will follow the Information Commissioner’s Office’s guidelines when dealing with any applications of this nature, further information can be found on the form ‘GDPRMM3: Subject Access Request Process’[3]

The Cylch Meithrin will record of any such requests, and keep them on an appropriate form[4].

The Cylch Meithrin will inform individuals of their rights when the Cylch collects personal data. Everyone has the right to:

  • to be informed (of their rights and of the fact that their data is being processed).
  • to access the personal data that you collect. (Subject Access Request).
  • to verify the personal data that you hold about them.
  • to delete the personal data that you hold about them.
  • to restrict the processing of the personal data that you hol about them.
  • to the portability of data (e.g. moving data from one organisation to another).
  • to object to your request to collect or process their personal data.
  • in relation to using the personal data for automated decision making and profiling.

Code of Practice
The Cylch Meithrin expects all employees, volunteers, work experience students, and members of the Cylch Meithrin committee to be aware of, to understand, and to follow this policy.

The Cylch Meithrin is committed to:

  • taking every step that is reasonably practicable to ensure the security of any personal data which is collected and/or kept by the Cylch Meithrin.
    ensuring that the this policy is presented to new staff members as part of their induction programme.
    clearly stating who (e.g. staff / volunteers / managers / committee member) is permitted to access specific documents and files (e.g. in an official meeting such as a committee or management meeting) where minutes are kept and the decision recorded).
  • ensuring that only individuals who are permitted to access the data, and require access to the data are able to access the data.
  • securing any documents and forms which state any personal information about a member of staff, work experience student, volunteer, committee member/management team, parents/carers/guardians or child e.g. personnel file, child’s personal information, employee records, health details.
  • ensuring that a password is needed to gain access to digital equipment where sensitive information is stored.
  • not leaving personal data in a public place.
  • asking for appropriate permission from parents in situations where external bodies wish to gain access to part of a child’s data (e.g. Estyn want to see a progress record / Mudiad Meithrin want to see a progress record as part of the quality accreditation scheme).
  • sharing information with parents/carers/ guardians regarding their child in a private area / room.
  • follow the E-Safety Policy guidelines with regards to storing any digital information securely.

The Setting’s Duty as a Holder of Personal Information
Personal information about staff, work experience students, volunteers, committee/management team members, parents/carers/guardians or children should not be shared with anyone inside or outside of the Cylch Meithrin, if there is no obvious need for the setting to do this to fulfil its role.
The Cylch Meithrin will:

  • share a privacy notice with individuals, which explains which data is collected by the organisation, where the data comes from, the purpose and legal reason for collecting the data, the rights of the individual (including the right to rescind consent and to make a complaint), the possible receivers of the data, and any consequences of failing to provide the data.
  • appoint a person within the organisation to be responsible for Data Security, and minute this decision.
  • conduct an audit of the data which is collected and processed by the Cylch. The audit will note what data is collected, why it is collected, how it is collected, where it is kept and for how long[5].
  • make sure that any data that is not required is safely disposed of.
  • protect any personal data that is kept.
  • comply with any requests for personal data from individuals, keeping a record of these requests on an appropriate form.

Sharing Information and Requests for Information
Only the Registered Person / Leader or his/her deputy has the right to share confidential information with other agencies (e.g. CIW, Estyn, Social Services, Mudiad Meithrin).
There must be lawful grounds for any requests to process personal data. There are 6 possible legal grounds:
1. consent / permission of the ‘data subject’ to do so.
2. Agreement – in relation to contracts/orders/service delivery.
3. For the benefit of the Public (e.g. CCTV cameras in public spaces).
4. In the intrinsic interest of the ‘data subject’ / individual.
5. It is our legal interest to collect (legal benefits).
6. A legal duty to collect.

Where appropriate, information may be collected from and shared, following the receipt of a valid application, with the following organisations or individuals:
The Cylch Meithrin will follow the Information Commissioner’s Office guidelines about sharing information when dealing with applications of this nature, and ensure that any requests for personal data from individuals, keeping a record of these requests on an appropriate form[6].

  • the individual themselves or a parent/carer/guardian on behalf of a child.
  • employers: former employers, current employers and prospective employers.
  • Inland Revenue
  • Home Office
  • Department for Work and Pensions
  • Police
  • Social Services
  • CIW
  • The cylch/nursery’s Registered Person / Management Committee Chairperson / Manager.
  • Local Education Authority
  • Estyn
  • Mudiad Meithrin
  • Welsh Government.

Refer to the Child Protection Policy for process to follow if a serious incident arises and the child's record file needs to be locked down (in co-operation with the Police/Social Services).

When information needs to be shared with Mudiad Meithrin, the Cylch Meithrin will:
* follow the Information Commissioner’s Office guidelines on sharing information when sharing quantitative data (e.g. education progression data).
* follow the Cylch Meithrin Privacy Statement.

Storage of information
The Cylch Meithrin will:

  • follow the this Policy’s guidelines regarding keeping information securely.
  • follow the E-Safety Policy guidelines to ensure that digital information is kept securely.
  • ensure that all confidential forms and are locked away in a secure place.
  • ensure that the information is not transferred from one place to another or left in a public place.
  • clearly state who (e.g. staff/ volunteers/ managers/committee members) has access to specific files and documents (e.g. in a formal committee such as a committee meeting or management meeting) which is recorded with the decision noted.
  • adhere to the guidelines laid out in this Policy regarding sharing information with other agencies.
  • ensure that only authorised staff who have the right to access the data, and who require access to the data, are able to access the data.

Information Retention Period
The Cylch Meithrin will follow statutory rules regarding the period of time to keep specific types of information. See details in Appendix 1 of this document.
The Cylch Meithrin will ensure that it keeps personal data in a recognisable format for no longer than is necessary.

Disposal of Information
The Cylch Meithrin will use appropriate secure measures to ensure disposal of any confidential and personal information.
The Cylch Meithrin will:

  • destroy paper records by using a shredder.
  • destroy floppy discs, Memory sticks and CD-Roms by hand when they aren o longer needed (e.g. by cutting them into small pieces with scissors).
  • ensure digital files are deleted from the back-up drive as well as deleting them from the system itself.
  • ensure personal information is destroyed and / or deleted when it is no longer needed.

E-Safety and Social Networks
The Cylch Meithrin will follow the E-Safety Policy regarding ensuring data is stored securely in line with the guidelines issued by the Information Commissioner’s Office[7].
The Cylch Meithrin will follow the E-Safety Policy guidelines to ensure that there is no breach of confidentiality and to ensure digital data protection at all times.
The Cylch Meithrin will clearly state who is responsible for updating the details which are shared on any social network pages that are part of the setting’s work, following the E-Safety Policy guidelines on the use of Social Networks.

The Cylch Meithrin expects all employees, volunteers, students on placement or work experience and members of the cylch committee to follow the E-Safety Policy when using social networks in their personal lives.

Data Breach
A Data Breach is a Security breach which leads to one of five possible outcomes:

  • loss of personal data,
  • damage to or destruction of personal data,
  • altering / changing data without authorisation,
  • disclosing personal data without authorisation,
  • unauthorised access to / of personal data.

Relevant data breaches must be reported to the ICO within 72 hours of becoming aware of the breach, and inform individuals if there is a high risk of adverse affects. More Information, and a form to record and inform about data breaches can be found on the form ‘GDPRMM2’[8].

Breach of Confidentiality
The Cylch Meithrin will consider any case of breaching confidentially as a severe mater and will investigate the matter fully by referring to the Staffing Policy.
Breaching this policy can lead to a disciplinary and serious incidents can lead to dismissal in line with the Cylch Meithrin’s disciplinary procedure.

Associated Policies
Child Protection Policy
E-Safety Policy
Staffing Policy

Contacts and Useful Information
The following publications and websites provide additional useful information:
Information Commissioner’s Office: ‘Guide to the General Data Protection Regulation (GDPR)’
Information Commissioner’s Office: ‘Special category data’
Information Commissioner’s Office:’Right of access’
Information Commissioner’s Office: ‘Register (notify) under the Data Protection Act’
Information Commissioner’s Office: ‘Guide to Data Protection’
Information Commissioner’s Office: ‘Data Sharing’
Information Commissioner’s Office: ‘Security’
Information Commissioner’s Office: ‘Personal Data Breaches’
Information Commissioner’s Office: ‘Data protection self assessment toolkit’

Full Confidentiality and Data Protection Policy and Appendix can be viewed here