Privacy Policy

At S4A, we respect the privacy of children attending our setting and the privacy of their parents/carers, as well as the privacy of our staff. Our aim is to ensure that all those using and working at S4A, can do so with confidence that their personal data is being kept secure. 

At S4A we handle personal data relating to a living individual who can be identified from that information, ie Name and DOB. We also hold Sensitive Personal Data which is any data that can be used in a discriminatory way, ie: religion, ethnicity, medical conditions, behavioural needs, (anything that can be viewed as information that can be used to bully). At S4A, data is held in electronic format.

Data Protection Law:

The Data Protection Act 1998 and Data Protection Act 2018 and GDPR compliancy describes how organisations such as S4A must collect, handle and store personal information. This Policy is to comply with both the Law and Good Practice of S4A and respect individual rights and will include: Staff, Individual Children and Families of S4A. 

These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. 

The Data Protection Act is underpinned by eight important principles. These say that personal data must: 

1. Be processed fairly and lawfully 
2. Be obtained only for specific, lawful purposes 
3. Be adequate, relevant and not excessive 
4. Be accurate and kept up to date 
5. Not be held for any longer than necessary 
6. Processed in accordance with the rights of data subjects 
7. Be protected in appropriate ways 
8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection 

This Policy applies to information held at/by S4A at their offices in Maids Moreton House, Maids Moreton and online at individual settings in schools.

This Policy supports and protects S4A from data security risks, including: 

• Breaches of Confidentiality: For instance, information being given out inappropriately. 
• Failing to offer choice: For instance, all individuals should be free to choose how Fusion uses data relating to them 
• Reputational Damage: For instance, S4A could suffer if hackers successfully gained access to sensitive data 
• Breach of Security: For instance, allowing access to data by someone unauthorised 

Responsibilities: S4A recognise that there may be issues that arise which are sensitive and should not be discussed in an open forum. Management, Staff and volunteers are expected to maintain confidentiality about all issues relating to individuals, families, children and staff contracted by S4A. 

Data Protection forms part of staff’s induction. There will be times when staff will discuss particular issues within a staff meeting or other meetings, but these are not to be discussed outside the meeting/setting. The Management will also discuss matters relating to staff and these discussions will also be kept to the confines of the meeting/setting. 

S4A recognises that personal information is given to us for specific reasons only and we take our duty of care regarding confidentiality very seriously. All records are kept confidential and secure on and off site. Everyone who works for S4A has a responsibility for ensuring data is collected, stored and handled appropriately. Each staff member that handles personal data must ensure that is handled and processed in line with this Policy, Data Protection Principles and Data Protection Registration Requirements. Data will only be shared with third parties for the safety and well-being of the children in our care. We will only share information about a child/ren with outside agencies on a need-to know basis and with consent from parents, except in cases relating to safeguarding children, criminal activity, or if required by legally authorised bodies (eg Police, HMRC, etc). If we decide to share information without parental consent, it will be accurate and up to date information and we will record this, clearly stating our reasons. Our primary commitment is to the safety and well-being of the children in our care. 

Confidentiality: At S4A we respect confidentiality in the following ways: 

• We will only ever share information with a parent/carer about their own child. 
• Information given by parents/carers to S4A about their child will not be passed on to third parties without permission unless there is a safeguarding issue (as covered in our Safeguarding Policy). 
• Concerns or evidence relating to a child’s safety, will be kept in a confidential file and will not be shared within S4A, except with the DSL and the relevant staff/volunteers 
• Staff/volunteers only discuss individual children for purposes of planning and group management. 
• Staff/ volunteers are made aware of the importance of confidentiality during their induction process. 
• Issues relating to the employment of staff, whether paid or voluntary, will remain confidential to those making personnel decisions. 
• All personal data is stored securely in a lockable and fireproof cupboard, on a password protected computer / passcode-locked phone. 
• Students or DofE students who are on work placements and volunteers are informed of our Data Protection policy and are required to adhere to it 

Right to Erasure: We will only delete photos/digital images and videos from our website, promotional material and Facebook page if it is reasonable to do so and is not going to involve disproportionate effort. We refuse to destroy any data that we must hold for statutory reasons, such as Health and Safety and Safeguarding data and there might be times when we refuse to comply with a request for erasure for certain reasons. Data that S4A collects is to protect the interests of parents/carers/children/staff and we ensure we are not using data in ways that are deemed as intrusive or which could cause harm unless we have very good reason. 

Subject Access Request: Parent’s/carers/children/staff have a right to request and see all of their data that S4A holds about them. We will provide the requested information in easy formats such as PDF/XLS/CSV or as soon as practicable or within 30 days (whichever is the sooner) If our data is found to be incorrect or out of date, we will update it promptly.

Parents/carers can ask us to delete data, but this may mean that we can no longer provide care to the child, as we have a legal obligation to keep certain data. In addition, even after a child has left our care, we have to keep some data for specific periods, so won’t be able to delete all data immediately. Similarly, Staff/ volunteers can ask us to delete their data, but this may mean that we can no longer employ them, as we have a legal obligation to keep certain data. In addition, even after a staff member has left our employment, we have to keep some data for specific periods, so won’t be able to delete all data immediately. . If any individual about whom we hold data has a complaint about how we have kept their information secure, or how we have responded to a subject access request, they may complain to the Information Commissioner’s Office (ICO). 

Data Storage and destruction: S4A’s data is stored on site securely in a locked fireproof cabinet; staff personnel records are also stored in this way and/or on S4A’s Secure Electronic Database. This electronic data is protected from unauthorised access, accidental deletion, and malicious hacking attempts. All servers and computers used by S4A are protected by a firewall and security/ encryption software. 

Once a child/parent/carer/staff/volunteer/visitor has left S4A, their data will be held for 2 months after the current academic year has ended and a further 2 years thereafter. After which, all data will be destroyed unless the data is regarding Health & Safety and Safeguarding purposes. When S4A retains data that is relating to Health & Safety /Safeguarding, it will not be shared unless required by Law. Any electronic data will be deleted after the referred to time period and removed from the recycle bin which will also be emptied at this time. Paper data will be shredded using a crosscut shredder within the referred to time period. Any personal and payroll data forms part of HMRC requirements and will be kept for legal reasons.