Data Protection Policy including:
1) Data Protection
2) Record Keeping
1) Data Protection
Play Together Creche will conform to the provisions of the Data Protection Act 1998 and the Data Protection (Amendment) Act 2003.
Under the provisions of the Act’s Play Together Creche has appointed The manager Malgorzata Banka-Bielecka “Data Controllers” to manage the storage of personal information about staff, children and families in its computerised and manual records. In sessional Play Together 82 Monalee Manor , the owner Iwona Sawicka is responsible for Data Protection.
Policy and Procedure
Play Together Creche will follow the following principles in relation to keeping data on:
• Obtain and process information fairly.
• Ensure that the data subjects know what information is being held about them and for what purpose.
• Keep information for lawful purposes.
• Process information in ways compatible with the purpose for which it was given originally.
• Ensure that the information is adequate, relevant and not excessive.
• Retain the information no longer than is necessary.
• Give a copy of personal information to the individual concerned on request.
• Amend information held on employees if the employee indicates that the information is incorrect.
• Adhere to the ‘need to know principle’ - only personal data necessary for the purpose should be collected and staff should only be able to access the personal data that they need to carry out their functions.
• Have adequate access Controls, firewalls and virus protection and do not forget manual files.
• Have retention policies for the various categories of data.
• Ensure that data maintained is securely and confidentially stored.
Informing Staff on Data Protection Acts
Play Together Creche’s management will ensure that:
• The basic principles of data protection are explained to staff and parents. This will be done during staff induction, staff meetings and through our parent handbook.
• There are regular updates to data protection awareness, so that data protection is a “living” process aligned to the way the Play Together Creche conducts its business.
• The Data Controller will periodically check data held with regard to accuracy and have complete regular security reviews.
• Non compliance of the data protection and other policies Play Together Creche may invoke the disciplinary procedure.
• Confidential and personal information about our children/parents will only be shared by the data Controllers and Designated Liaison Person in relation to child safety, in line with this our Child Protection Policy. Any breach of confidentiality by any member of staff will lead to disciplinary action.
Play Together Creche will provide for:
• Periodic checks and reviews.
• A procedure for complaints handling. See our complaints policy and procedure.
• Plans for remedial steps if things go wrong.
Employee Responsibilities
As an employee you are responsible for:
• Checking that any information that you provide in connection with your employment is accurate and up to date
• Notifying Play Together Creche of any changes to information you have provided, for example changes of address
• Ensuring that you are familiar with and follow the data protection policy.
Any breach of the data protection policy, either deliberate or through negligence, may lead to disciplinary action being taken and could in some cases result in a criminal prosecution.
Employees are responsible for ensuring that:
• Any personal data that you hold, whether in electronic or paper format, is kept securely.
• Personal information relating to children or their families is not disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party
The security of personal information relating to children and families is a very important consideration under the Data Protection Acts. Appropriate security measures will be taken by Play Together Creche against unauthorised access to this data and to the data it is collecting and storing on behalf of the DCYA.
A minimum standard of security will include the following measures:
• Access to the information should be restricted to authorised staff on a “need-to- know” basis.
• Manual files will be stored on the high shelves located away from public areas.
• Computerised data will be held under password protected files with a limited number of users.
• Any information which needs to be disposed of, will be done so carefully and thoroughly.
• Premises will be secured when unoccupied.
Data collected on behalf of DCYA for ECCE
The personal information which parents will be required to provide on application forms for the above scheme including their Personal Public Service Number (PPSN) are protected by the Data Protection legislation.
The following principles should be observed to ensure that the information supplied by parents meets the required levels of data protection.
Obtain and process information fairly
To fairly obtain the data, the data subject must, at the time the personal data is being collected, be made aware of the identity of the data controller/the purpose in collecting the data, and the persons or categories of persons to whom the data may be disclosed. To fairly process the data it must have been fairly obtained and in this case, the data subject must have consented to the processing.
Parents who return completed forms to a service provider for the purpose of the ECCE scheme should be aware of and consent to the transmission of the information to the DCYA.
PPSN information may be transmitted electronically through the PIP online system operated by Pobal. The system can electronically check and validate the PPSN number against the name, DOB and PPSN details
Where a parent’s declaration is not verified by the DCYA’s checks, a letter will be issued to inform them that the subvention (ECCE funding) applied for does not apply. We will correct our register of the subventions due to parents, and supply the parent with the letter, stating that as a result we will not receive grant aid to reduce the fee charged. We will not retain this letter, or a copy of it, for more than 1 month.
If in the verification of information a parent disputes the outcome, they should contact the DCYA directly.
Under data protection legislation, Play Together Creche will only keep data for specific, lawful and clearly stated purposes and the data will only be processed in a manner compatible with the purpose(s).
In this case, only information required on the ECCE official form is to be requested from parents for the purposes of the scheme.
The information on PIP Parental Declaration Forms completed by parents is input onto the PIP system and then the form is destroyed confidentially. A form is then generated on the PIP system with a unique reference number and a copy will be given to the parent and copy kept on site for the purposes of compliance visits to show that the child has been registered in accordance with the parent’s childcare requirements.
Information is held confidentially and securely.
The information contained in these forms should not be used for further purposes or disclosed to third parties, other than the DCYA/Pobal, by Play Together Creche Requests for information from third parties should be referred to the DCYA for reply. The PPSN in particular is also protected under Social Welfare legislation.
Retain the information for no longer than is necessary for the purpose
In order to comply with this requirement, Play Together Creche will comply with the retention period set out for these schemes by the DCYA/Pobal.
Data collected through Garda Vetting
Play Together Creche process their Garda Vetting requests Early Childhood Ireland for employees. Play Together Creche understands that sensitive information may be identified through Garda Vetting. In the event that an employee’s Garda vetting raises concerns the information will be dealt with on a confidential basis. All information pertaining to such a situation must be stored in the same way as other data.
Play Together Creche will not pass on a copy of an employee’s Garda Vetting Form to any other party. We will hold original Garda Vetting forms and will not accept copies from any other agency.
Dealing with Access Requests
Play Together Creche will ensure that that they follow the guidelines set down by the Data Protection Office. Every individual about whom a data controller keeps personal information has a right to request a copy of the data which is kept about them. The service provider should only hold limited personal information on an individual. A copy of this information should be included along with other personal information held about the individual making the access request.
On making an access request any individual about whom you keep personal data is entitled to:
• A copy of the data you are keeping about him or her.
• Know the categories of their data and your purpose/s for processing it.
• Know the identity of those to whom you disclose the data.
• Know the source of the data, unless it is contrary to public interest.
• Know the logic involved in automated decisions.
• Data held in the form of opinions, except where such opinions were given in confidence and even in such cases where the person’s fundamental rights suggest that they should access the data in question it should be given.
To make an access request the data subject must:
• Apply to in writing (which can include email);
• Give any details which might be needed to help you identify him/her and locate all the information you may keep about him/her e.g. previous addresses, date of birth, etc.
• Pay an access fee
Every individual about whom a data controller keeps personal information has a number of other rights under the Act, in addition to the Right of Access. These include the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and the right to complain to the
Data Protection Commissioner.
In response to an access request the data controller must:
• Supply the information to the individual promptly and within 40 days of receiving the request;
• Provide the information in a form which will be clear to the ordinary person.
Please note that information may need to be disclosed to authorised third parties. Play Together Creche will always ensure the validity of information requests. This list is an example but not exhaustive
• Gardai
• Early Years Inspection Team
• Pobal Compliance Officers
• Insurance Company
• Health and Safety Authority
• National Employment Rights Authority
• Revenue Commissioners
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Acts1998-2003.
|
Iwona Sawicka |
|
|
Name of Person(s) with access to children’s files |
Play Together Staff
|
|
Name of person with access to employee/student files |
Iwona Sawicka |
|
Location of employee files |
Locable cabinet in the office 82 Monalee Manor, only the file with Staff qualification for TUSLA inspection is available in Rosan Glas on the high sheleve in the office corner
|
|
Location of children’s files |
High shelves in the office corner/office |
|
Name of person(s) with access to PIP files |
Iwona Sawicka |
Data Protection Roles and Responsibilities
Play Together Creche Responsibilities
To ensure the implementation of this policy Play Together Creche has designated Iwona Sawicka as the data controller. All enquiries relating to the holding of personal data should be referred to the data Controllers in the first instance
Employees are entitled to know:
• What personal information Play Together Creche holds about an employee and the purpose for which it is used?
• How to gain access to it?
• How it is kept up to date?
• What Play Together is doing to comply with its obligations under the 1998-2003 Acts?
As an employee you are responsible for:
• Checking that any information that you provide in connection with your employment is accurate and up to date
• Notifying Play Together Creche of any changes to information you have provided, for example changes of address
• Ensuring that you are familiar with and follow the data protection policy.
Any breach of the data protection policy, either deliberate or through negligence, may lead to disciplinary action being taken and could in some cases result in a criminal prosecution.
Employees are responsible for ensuring that:
• Any personal data that you hold, whether in electronic or paper format, is kept securely.
• Personal information relating to children or their families is not disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party
Updates and Information on Data Protection
Play Together Creche will provide regular updates on Data Protection requirements for staff:
• At staff meetings.
• Circulated information
• On the staff notice board
Parents will be provided with data protection information:
• Upon enrollment
• Through our Parent Handbook
• On the parents notice board
The Data Controllers should be informed immediately if any data has been incorrectly disclosed.The Data Controllers will:
• Inform the person or persons involved a breach of confidentiality has occurred and their personal data may have been compromised. A record of this will be kept on the employee’s file or child’s file as relevant.
• Investigate where the breach of security has occurred and invoke the disciplinary policy if necessary.
• Check that additional measures are in place to ensure confidentiality.
• Review and update the Data Protection Policy if required.
• Check that any information kept is necessary for Play Together Creche purpose.
• Check to see if clerical and computer procedures are adequate to ensure accuracy.
• Reassure parents that the Data Protection policy has been reviewed and additional measures to ensure security.
Advise and inform employees of the need to ensure confidentiality through additional staff training and re implementation of the Data Protection Policy. Employees will be required to sign off to confirm they have read and understand the Data Protection Policy and Procedures.
2) Record Keeping
RECORD KEEPING
At Play Together Creche it is our aim to maintain all records according to the Child Care Regulations 2016 to ensure the health and safety of staff and children, and to promote the development of all children attending the service
• We aim to ensure that all records are factual and written impartially.
• Under the Freedom of Information Act 1997, parents will have access to all records pertaining to their child only.
• Staff members will only have access to records of children in their care and will be used to inform staff on how best to meet the needs of each child and plan for further learning.
• Play Together Creche will only share information with other professionals or agencies, with consent from parents or without their consent in terms of legal responsibility in relation to a Child Protection issues.
• Staff use the guided approach of Aistear: The National Quality Frameworks for Early Childhood Education in relation to various aspects of record keeping within the service.
Register of Pre-School Children
• A register is kept of every child attending the service.
• The information on the register will be up dated on an ongoing basis.
• Records will be kept in relation to medical administration and accident report forms which will be co signed by parents / guardians and staff.
• Written parental consent is kept to allow the service to seek medical assistance for a child in case of an emergency.
• Information on children’s allergies will be displayed in the kitchen so that all staff are aware of allergies.
• The daily arrival and departure time of each child and staff is recorded.
Observation, Assessment and Programme Planning
• Staff use regular observation and assessment as a means of planning for children’s learning. Observations and assessments are recorded in the form of written observations and discussion, photos and use of children’s work. These will in turn be shared regularly with staff and parents to ensure a cohesive approach to ensuring the needs of each child are met.
• A record of the planned programme / activities is clearly documented through short, medium and long term plans. Observations and assessment records are used to inform the plans and ensure that activities are suitable for the age, stage and interests of children in the service.
• An Individual Educational Plan (IEP) may be used to support the individual needs of children with additional needs. These will be regularly shared with parents and relevant professionals working with a child.
• Daily information will be recorded and shared with parents / guardians outlining settling in periods, 1:1 experiences with key worker, activities carried out, food and drink, nappy changes, sleep etc.
Records of each child are available on the premises for inspection by
(a) A child’s parent or guardian but only in respect of information concerning their
child.
(b) Staff members with whom the information is relevant
(c) An authorised person
• A recruitment policy and procedure is in place and written evidence will be kept in relation to recruitment procedures for all staff positions.
• Records outlining the name, position, qualification and experience of each staff member, volunteer and student are maintained.
• Records are kept in relation to all documents and records relating to Garda vetting and references from previous employers for all staff members.
• Staff monitoring notes are kept relating to staff appraisals and supervision.
• The daily arrival, departure and meal break times of each staff member is recorded.
• All staff records are strictly confidential (see confidentiality policy).
Programme of Care for Babies / Toddlers
• Staff will record, sleep times, eating patterns and nappy changing.
• Parents and the primary caregiver establish and record a personal care plan that is continually updated to ensure that care routines are personalised "prime times" that fit the child and family.
Records Related to the Running of the Service Include:
• Details of the maximum number of children catered for at any one time.
• Details of the type of service and age range of children using the service.
• Staff/Child ratio’s within the service.
• An outline of the type of programme under which the service operates.
• Opening hours and fees.
• Policies and procedures currently in place.
• Daily attendance of all children present in the facility.
• Staff roster.
• Details of any accident, injury or incident involving any of the children attending the service.
A written record will be kept of:
(a) All fire drills which take place on the premises
(b) The number, type and maintenance record of fire fighting equipment and smoke alarms in the premises.
Hygiene:
• A cleaning programme and schedule for furniture, work and play equipment is in place.
• Food hygiene practices are guided and recorded under the principles of Hazard Analysis Critical Control Point (HACCP) and the Food Hygiene Regulations 1950 - 89 and the European Communities (Hygiene of Foodstuffs) Regulations 2000.
• Record of pest control measures.
• A record of portable electrical equipment
• A record of equipment checks Outings
• A record of risk assessments carried out.
• Outing Authorisation.