Information Rights and Transparency Protocol

Version | Author | Next Review Date | Notes
V1 (February 2025) | Emma Kitcher, Data Protection Officer | February 2026 | New Draft
V1.1 (April 2025) | Emma Kitcher, Data Protection Officer | April 2026 | Added Section “Internal Communications”
V2 | Emma Kitcher, Data Protection Officer | October 2026 | Added reference to Data Use and Access Act 2025 and updated the Complaints section in response to Part 5 Section 103. Added “Broad Consent for Research”
V3 (March 2026) | Caroline Oliver | October 2026 | Policy also refers to Holiday Club

Contents

    INTRODUCTION
    QUICK REFERENCE POINTS
    KEY DEFINITIONS
    SCOPE
    KEY LEGISLATION / FRAMEWORK
    RIGHTS MANAGEMENT PROCESS
    RIGHT TO BE INFORMED / NO SURPRISES
    BROAD CONSENT FOR RESEARCH
    RIGHT TO RECTIFICATION
    RIGHT TO RESTRICTION
    RIGHT TO PORTABILITY
    RIGHT TO OBJECT
    AUTOMATED DECISION MAKING AND PROFILING
    COMPLAINTS
    INTERNAL COMMUNICATIONS
    APPLICATION AND AUDIT

INTRODUCTION

Data protection law provides data subjects (the individuals that information is about) with a wide array of rights that must be observed by organisations that process personal data. Additionally, the human rights of families, visitors and employees are underpinned by the notion of being informed, aware and involved in decisions that affect them.

QUICK REFERENCE POINTS

  • Families, customers, suppliers, visitors and employees have:
      • a right to be informed about how their personal data is used
      • a right to access a copy of the personal data you hold about them
      • a right to correct personal data when it is incorrect
      • a right to have personal data erased
      • a right to restrict you from accessing, sharing, transferring or altering their personal data
      • a right to have their personal data sent (ported) to their new provider
      • a right to object to you processing their personal data
      • a right to know the details of automated decision making and profiling
      • a right to autonomy and self determination
  • When managing Personal Confidential Information, there should be ‘no surprises’ about how it is used
  • These rights are not ‘absolute’ and there are times when they do not apply

KEY DEFINITIONS

Personal Confidential Information
This term is intended to cover information captured by the Data Protection Act 2018 / GDPR (identifiable information about the living), information covered by the Common Law Duty of Confidence / Tort of Misuse of Private Information and finally, information covered by Article 8 European Convention for Human Rights.
Privacy Information
Mandatory details provided in privacy notices to comply with transparency obligations under the right to be informed.

SCOPE

See Information Governance Policy for key roles.
All staff, whether management or administrative, who create, receive and use data have responsibilities to observe the information rights of data subjects. Employees have a contractual and legal obligation to read and comply with all company policies and to attend mandatory training to support the appropriate management of information.
The rights described in this protocol apply to customers, service users, visitors and employees.

KEY LEGISLATION / FRAMEWORK

  • UK GDPR / Data Protection Act 2018 (amended by the Data (Use and Access) Act 2025)
  • Human Rights Act 1998

RIGHTS MANAGEMENT PROCESS

Where a parent, employee, visitor or any other stakeholder makes a request under data protection law, staff should escalate to managers who will review in accordance with the policy and engage the support of the Data Protection Officer. A log will be kept by the Data Protection Officer (DPO) to ensure records of timely and lawful responses.
In the event of staff absence, the manager will ensure that requests are handed over so that the DPO can continue to manage the request in their absence.

RIGHT TO BE INFORMED / NO SURPRISES

  • Any activity that involves processing Personal Confidential Information should involve consideration of how individuals might be made aware and have an opportunity to object
  • The information to be supplied must be:
      • concise, transparent, intelligible and easily accessible;
      • written in clear and plain language; and
      • free of charge
  • These ‘Privacy Notices’ should be multi-layered (i.e. website, leaflets, videos etc) and their placement should consider the target audience including variance in levels of age and comprehension.
  • Identity and contact details of the controller (and where applicable, the controller’s representative) and the Data Protection Lead
  • Purpose of the processing and the lawful basis for the processing
  • The legitimate interests of the controller or third party, where applicable
  • Categories of personal data
  • Any recipient or categories of recipients of the personal data
  • Details of transfers to third country and safeguards
  • Retention period or criteria used to determine the retention period
  • The existence of each of the data subject’s rights
  • The right to withdraw consent at any time, where relevant
  • The right to lodge a complaint with a supervisory authority
  • The source the personal data originates from and whether it came from publicly accessible sources
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
  • The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
When considering activities that involve Personal Confidential Information, consider:
  • Is this something we already list in our privacy materials?
  • Is this something that the average individual would expect me to do?
  • Would a reasonable person be happy for you to proceed, without being ‘highly offended’?
If the answer to any of the above questions is ‘no’, refer the activity to your Data Protection Lead who can assist with raising awareness.
The concept of no surprises doesn’t mean that we ask for consent every time we undertake activity with Personal Confidential Information.
Example:
We are required to disclose information about a person who poses a threat to the public. We believe that making them aware of the disclosure could trigger the threat we are trying to manage. We do not tell the individual or obtain consent. However, we already note in our privacy materials that we will make these kinds of disclosures. The average, reasonable person expects these types of disclosures and would not be ‘highly offended’ at the concept of protecting the public. Therefore, there are “no surprises”.
  • Informing individuals about how their information is used supports their human rights.
  • We all have a right to feel a sense of control over our lives. Involving individuals through transparency and engagement supports this control and autonomy.

BROAD CONSENT FOR RESEARCH

  • In line with the Data (Use and Access) Act 2025, individuals may now provide valid “broad consent” for participation in areas of scientific research, including where the exact methodology or scope is not yet fully defined.
  • Additionally, if issuing individual privacy notices would involve disproportionate effort, Hopscotch Nurseries and Holiday Clubs may use alternative transparency methods, such as public notices or website publication, as long as data subjects’ rights are otherwise protected.

RIGHT TO RECTIFICATION

  • Individuals are entitled to have personal data rectified if it is inaccurate or incomplete
  • If the information has been disclosed to third parties, they must be informed of the rectification where possible.
  • For example, if we work in a Multi-Disciplinary Team, we can share that the data was found to be inaccurate and advise the other team members to ensure their own records are altered.
  • Individuals must also be informed about the third parties to whom the data has been disclosed where appropriate.
  • Requests must be responded to within one month. This can be extended by two months where the request for rectification is complex.
  • There may be occasions where there is a legal requirement to maintain the original data or where the accuracy of the data is contested – this should be raised with the Data Protection Lead to ensure appropriate management.
Example:
An employee claims that the minutes of a disciplinary meeting are incorrect and that they did not make the statements that are recorded about personal situations affecting their work. They insist that the record is amended. The parties present all attest to the accuracy of the record and so the individual is informed that the amendment will not be made since employment law requires them to maintain accurate notes of the formal disciplinary process. However, a note can be made on the record so that all recipients are aware that the employee contests the information in the minutes.
  • Where not taking action in response to a request for rectification, the individual must be provided with an explanation and the contact details of the Data Protection Officer, informing them of their right to complain to the Information Commissioner’s Office (ICO) and to a judicial remedy.
  • Where an individual contests the accuracy of the personal data, the processing should be restricted until the accuracy has been verified (see Right to Restriction).

RIGHT TO RESTRICTION 

  • Individuals have a right to request that their personal data is restricted.
  • When processing is restricted, you can still store the personal data, but cannot access, transmit or use it in any other way.
  • Just enough information may be retained about the individual to ensure that the restriction is respected in future.
  • Circumstances where the processing must be restricted are:
      • Where an individual contests the accuracy of the personal data, the processing should be restricted until the accuracy has been verified
      • Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and there is a need to consider whether your organisation’s legitimate grounds override those of the individual
      • When processing is unlawful and the individual opposes erasure and requests restriction instead
      • If the information is no longer needed but the individual requires the data to establish, exercise or defend a legal claim
  • If the personal data in question has been disclosed to third parties, they must be informed about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
  • When you decide to lift a restriction on processing, the individual must be informed.

RIGHT TO PORTABILITY 

  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  • The data must be provided in a structured, commonly used and machine-readable form.
  • Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
  • The information must be provided free of charge, without delay and within one month.
  • If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible.
  • However, it is not necessary for organisations to adopt or maintain processing systems that are technically compatible with other organisations just to satisfy this right.
  • Where the personal data concerns more than one individual, there must be consideration of whether providing the information would prejudice the rights of any other individual.
  • The right to data portability only applies:
      • to personal data an individual has provided to a controller;
      • where the processing is based on the individual’s consent or for the performance of a contract; and
      • when processing is carried out by automated means

RIGHT TO OBJECT 

Individuals have the right to object to:
  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics

Objections to processing personal data for the performance of a legal task or the organisation’s legitimate interests

  • Individuals must have an objection on “grounds relating to his or her particular situation”.
  • Processing of the personal data must be stopped unless:
      • compelling legitimate grounds can be demonstrated for the processing, which override the interests, rights and freedoms of the individual; or
      • the processing is for the establishment, exercise or defence of legal claims.
  • Individuals must be explicitly informed of their right to object “at the point of first communication” and in the privacy notice, and this information must be clear and separate from other information.

Objections to processing personal data for direct marketing purposes

  • Processing personal data for direct marketing purposes must be stopped as soon as an objection is received. There are no exemptions or grounds to refuse.
  • Objections to processing for direct marketing must be dealt with at any time and free of charge.
  • Individuals must be explicitly informed of their right to object “at the point of first communication” and in the privacy notice, and this information must be clear and separate from other information.

Objections to processing personal data for research purposes

  • Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.
  • If you are conducting research where the processing of personal data is necessary for the performance of a public interest task, you are not required to comply with an objection to the processing.
  • Where any of the above processing activities are carried out online, the individual must be offered a way to object online.

AUTOMATED DECISION MAKING AND PROFILING

  • The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
  • Individuals have the right not to be subject to a decision when:
      • it is based on automated processing; and
      • it produces a legal effect or a similarly significant effect on the individual.
  • Individuals must be able to:
      • obtain human intervention;
      • express their point of view; and
      • obtain an explanation of the decision and challenge it
  • The right does not apply if the decision:
      • is necessary for entering into or performance of a contract between Hopscotch and the individual;
      • is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or
      • is based on explicit consent (Article 9(2)).
  • Furthermore, the right does not apply when a decision does not have a legal or similarly significant effect on someone
  • The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular (where relevant to Hopscotch Nurseries) to analyse or predict their:
      • performance at work;
      • health
  • When processing personal data for profiling purposes, appropriate safeguards must be in place:
      • Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
      • Use appropriate mathematical or statistical procedures for the profiling.
      • Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors.
      • Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.
  • Automated decisions taken for the purposes listed above must not:
      • concern a child; or
      • be based on the processing of special categories of data
    unless:
      • you have the explicit consent of the individual; or
      • the processing is necessary for reasons of substantial public interest on the basis of UK law
  • This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard fundamental rights and the interests of the individual.
Example:
The organisation intends to use a new HR system that collates information about employees (unplanned leave, appraisal scores etc) and gives them a performance score. Employees that are not performing well are provided with additional training and support to improve performance and they will not be considered for promotion until their performance score improves.
Before engaging the software, the organisation should speak with their DPO who will ensure that the profiling is fair, lawful and accurate before it can go ahead.

COMPLAINTS

The organisation has a complaints procedure in place that mentions information rights, and the person or people managing complaints know when to trigger the involvement of the Data Protection Officer.
If staff receive any complaints related to data protection, they should be forwarded to the Data Protection Officer.
Handling Data Protection Complaints
In accordance with the Data (Use and Access) Act 2025, Hopscotch Nurseries is committed to ensuring that individuals are able to raise concerns about how their personal data is used, and to receiving a timely, fair, and transparent response.
Making a Complaint
Individuals can submit a data protection complaint if they believe we have:
  • Processed their personal data unlawfully or unfairly;
  • Failed to respect their rights under data protection legislation;
  • Breached the terms of this organisation’s published privacy notice.
We will ensure that individuals can lodge complaints through accessible means, notably the email or postal contact details for written complaints published as part of our privacy notice.
Acknowledgement and Timeliness
We will:
  • Acknowledge all data protection complaints within 30 calendar days of receipt;
  • Respond without undue delay, and aim to resolve matters promptly and transparently;
  • Keep the complainant informed if an extension is needed due to complexity or investigation.

INTERNAL COMMUNICATIONS

  • All written internal communications, including emails, instant messages (e.g. Microsoft Teams, and in some cases WhatsApp), and collaborative notes may be disclosable in the event of a Subject Access Request (SAR). This applies even where the content is informal or written in a private or personal tone.
  • The organisation recognises that not all communications form part of our corporate memory and need to be retained. Routine deletion of non-essential messages is both permissible and encouraged, provided this occurs in accordance with our retention schedule and not in response to a specific request for information.
  • Once a SAR has been received, it is a criminal offence under section 173 of the Data Protection Act 2018 to delete, conceal, or alter personal data with the intent of preventing disclosure. All relevant records, including those stored in email or chat platforms, must be preserved from that point forward.
  • Staff should avoid using communication channels to share views or commentary about colleagues, performance issues, or sensitive matters. Even private messages may be within scope of a SAR and could lead to reputational, legal, or interpersonal difficulties if disclosed.
  • The organisation reserves the right to audit compliance with retention and deletion practices. Where necessary, staff may be asked to review and reduce non-essential digital communications in accordance with data minimisation principles.

APPLICATION AND AUDIT

Compliance with this protocol will be audited and the results fed into the Plan, Do, Check, Act Cycle described in the Information Risk and Audit Protocol.
  • The organisation will list the information rights in our privacy policy
  • All staff should be able to recognise and refer information rights requests to the right person
  • All staff, visitors and service users should have access to the Data Protection Officer’s contact details to support with rights
  • New projects, suppliers or systems must be raised with the Data Protection Officer for review
  • The organisation will keep a log of all information rights requests to ensure that we are responding in a consistent and timely way
  • Staff must ensure that they have read and understood this protocol
  • This protocol will be reviewed annually or sooner in the event of significant learning or change
  • This protocol should be read in conjunction with the other protocols in the Data Protection and Security policy suite
  • Subject Access Requests are covered in the Disclosures and Access Protocol