Information Governance

Title
Title
Title
Title
Version
Author
Next Review Date
Notes
V1 (February 2025)
Emma Kitcher, Data Protection Officer
February 2026
New Draft
V2 (October 2025)
Emma Kitcher, Data Protection Officer
October 2026
Inserted the section “Use of AI and Data Driven Technologies” and added reference to the Data Use and Access Act 2025
V3 (March 2026)
Caroline Oliver
October 2026
Included Holiday Club with the policy

Contents

    Introduction
    Quick Reference Points
    Key Definitions
    Scope
    Key Legislation / Framework
    Accountable Parties
    Transparency
    Privacy and Information Rights
    Information Security
    Information Quality & Records Management
    Use of AI and Data-Driven Technologies
    Application and Audit

INTRODUCTION

Information Governance (IG) is a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an organisational level. Information Governance supports our immediate and future regulatory, legal, risk, environmental and operational requirements. Information is a vital asset, both in terms of the organisational development and the efficient management of services and resources. It plays a key part in governance, service planning and performance management.
It is therefore of critical importance to ensure that information is appropriately managed, and that policies, procedures and management accountability and structures provide a robust governance framework for information management.
Hopscotch Nurseries and Holiday Clubs recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. We fully support the principles of corporate governance and recognise the power of public accountability. Equally, we place importance on the confidentiality of and the security of information about families, the public and staff as well as commercially sensitive information. Hopscotch Nurseries and Holiday Clubs also recognises the need to share information with authorities, partners and other third parties in a controlled manner, consistent with the established lawful basis. This overarching Information Governance Policy and the associated protocols sets out our approach with respect to the governance of;
  • Data Protection and Privacy
  • Information and Cyber Security
  • Data Quality and Records Management

QUICK REFERENCE POINTS

  • Information Governance (IG) is our organisational approach to managing information Information is very important to us.
  • This doesn’t just mean family / service user data, but also information about how we run the business.
  • We have to strike a good balance between being open and transparent – because this is part of delivering a public service
  • But also maintaining confidentiality so that we are trusted by those who use our services or who work with us
  • The policy and the protocols beneath it help staff with Data Protection and Privacy, Information and Cyber Security, Data Quality and Records Management
  • There are key roles that support this work – the members of the IGSG, and the Data Protection Officer

KEY DEFINITIONS

Personal Confidential Information: This term is intended to cover information captured by the Data Protection Act 2018 / GDPR (identifiable information about the living), information covered by the Common Law Duty of Confidence / Tort of Misuse of Private Information and finally, information covered by Article 8 European Convention for Human Rights.

SCOPE

This policy applies to all staff whether temporary or permanent. This overarching Information Governance Policy and the associated protocols sets out our approach with respect to the governance of;
  • Data Protection and Privacy
  • Information and Cyber Security
  • Data Quality and Records Management

KEY LEGISLATION / FRAMEWORK

This policy serves to support staff to navigate and comply with the complex framework within which Information Governance operates. This framework includes but is not limited to;
  • Data Protection Act 2018 / UK GDPR (amended by Data Use and Access Act 2025)
  • Human Rights Act 1998
  • Common Law Duty of Confidence
  • Computer Misuse Act 1990

ACCOUNTABLE PARTIES

The Board / Senior Leadership
The Board / Senior leadership have overall responsibility for Information Governance at Hopscotch Nurseries. As the senior accountable officers, they are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to provide the necessary assurance to internal and external stakeholders. They have particular responsibility for ensuring that Hopscotch Nurseries and Holiday Clubs meets its corporate legal responsibilities, and for the adoption of internal and external governance requirements.
Data Protection Officer
The DPO Will;
  • Inform and advise the organisation and its employees about their obligations to comply with the data protection legislation.
  • Monitor compliance with the data protection legislation, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • Be the first point of contact for supervisory authorities and for individuals whose data is processed (families, staff etc).

All Staff

All staff, whether leadership or administrative, who create, receive and use data have information governance responsibilities. Employees have a contractual and legal obligation to read and comply with all company policies and to attend mandatory training to support the appropriate management of information.

TRANSPARENCY

The organisation will;
  • Endeavour to make non confidential information about its operations and services available to the public, in line with our overall commitment to transparency.
  • Adopt and maintain clear procedures and arrangements for liaison with the press and broadcasting media.
  • Adopt and maintain an Information Rights and Access Protocol to provide guidance for handling queries from data subjects and the public.

PRIVACY AND INFORMATION RIGHTS

Hopscotch Nurseries and Holiday Clubs are committed to the privacy of its candidates, staff and the public.
Hopscotch Nurseries and Holiday Clubs will;
  • undertake or commission annual assessments and audits of its compliance with privacy and data protection legislation
  • adopt and maintain protocol for completion of Data Protection Impact Assessments.
  • adopt and maintain protocols to ensure compliance with the Data Protection Act, General Data Protection Regulations, Human Rights Act and the Common Law Duty of Confidentiality.
  • establish and maintain protocols for the controlled and appropriate sharing of personal information with other agencies
  • ensure that contractual or best practice documents are in place for routine sharing of information between sharing partners.

INFORMATION SECURITY

Hopscotch Nurseries and Holiday Clubs will;
  • adopt and maintain protocols for the effective and secure management of its information assets and resources.
  • scrutinise new systems or services with regards to protecting its information assets and network.
  • promote effective information and cyber security practice to its staff through policies, procedures and training.
  • establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of information and cyber security.

INFORMATION QUALITY AND RECORDS MANAGEMENT

Hopscotch Nurseries and Holiday Clubs will;
  • Establish and maintain protocols and procedures for information quality assurance and the effective management of records.
  • Periodically audit / review information quality and records management arrangements.
  • Ensure that managers take ownership of, and seek to improve, the quality of information within their services.
  • Aim to ensure information quality at the point of collection.
  • Set data standards through clear and consistent definition of data items, in accordance with national standards.

USE OF AI AND DATA-DRIVEN TECHNOLOGIES

  • Hopscotch Nurseries and Holiday Clubs recognise the increasing use of artificial intelligence (AI) and other data-driven technologies within childcare settings. Where such tools are deployed, whether for administrative efficiencies or childcare support, the organisation will ensure that their use is lawful, transparent, and subject to robust governance.
  • All AI systems or automated decision-making tools will be assessed through appropriate Data Protection Impact Assessments (DPIAs) and subjected to clinical safety, equality, and ethical reviews where applicable. Individuals will be informed where automated tools are used in ways that significantly affect them, and safeguards will be in place to ensure accuracy, fairness, and accountability. The organisation will also maintain oversight of data minimisation, training data quality, and potential risks to privacy or bias.

APPLICATION AND AUDIT

Compliance with this protocol will be audited and the results fed into the Plan, Do, Check, Act Cycle described in the Information Risk and Audit Protocol. 
  • Compliance with this protocol will be audited and the results fed into the Plan, Do, Check, Act Cycle described in the Information Risk and Audit Protocol. 
  • Staff must ensure that they have read and understood this protocol 
  • This protocol will be reviewed annually or sooner in the event of significant learning or change
  • This protocol should be read in conjunction with the protocols in the Data Protection and Security policy suite