Privacy Policy for Littlelifesteps.


I take your privacy seriously and, in accordance with the General Data Protection Regulation, I will commit to the following:


 I may be asking you for personal data about you and your child/ren to deliver a childcare service to you. I must have a legal basis for collecting this data, and there are six lawful bases:

(a) Consent: The individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: The processing is necessary to protect someone’s life.

(e) Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

 I will be processing your data under the following bases: a and b above

Where I require consent, I will provide a way for you to positively decide about the information that you make available and how this is shared.    

This information will be collected by Sue Welby.

I will be asking for this data verbally at our initial meeting and recording it on paper forms & digitally. The information that I may require will be:

  • Child’s name

  • Child’s date of birth

  • Parents’ names, addresses, contact numbers

  • Medical history

  • Email addresses

The following are classed as “special category data” and I must therefore ensure that I meet one or more of the conditions of Article 9 of GDPR as well as the legal bases above:

  • Any allergies/medical history/ requirement

  • Information about immunisations

  • Whether the child has any special educational needs or disabilities

  • Ethnic group

  • Religion   

My condition for processing special category data is:

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes,

 This data will be used to:

  • To provide an adequate service to my clients.

  • share information about Littlelifesteps promotional offers and services.

 I will not share this data with any other outside companies.

You can contact me at any time to request an opt out of any future emails or correspondence from me.

 Please see my data protection policy for further information on data sharing, safe storage and your rights to access your data.




Data Protection Policy for Littlelifesteps.



To provide a quality early years and childcare service to families and comply with legislation, I will need to request information from parents about their child and family. Some of this will be personal data and some may be classed as special category data.  

I take families’ privacy seriously, and in accordance with the General Data Protection Regulation (GDPR), I will process any personal data according to the seven principles below:

1. I must have a lawful reason for collecting personal data and must do it in a fair and transparent way. I will be clear about what data I am collecting, and why.

2. I must only use the data for the reason it is initially obtained. This means that I may not use a person’s data inappropriately or to market a product or service to them that is unconnected to the reasons for which they shared the data with me in the first place, unless required to do so by law.

3. I must not collect any more data than is necessary. I will only collect the data I need to provide appropriate childcare services and abide by relevant laws.

4. I will ensure that the data is accurate and ask parents to check annually and confirm that the data held is still accurate.

5. I will not keep data any longer than needed. I must only keep the data for as long as is needed to complete the tasks it was collected for and in compliance with relevant laws.

6. I must protect the personal data. I am responsible for ensuring that I, and anyone else charged with using the data, processes and stores it securely.

7. I will be accountable for the data. This means that I will be able to show how I (and anyone working with me) am complying with the law.

I will be asking parents for personal data about themselves and their child/ren to deliver a childcare service (see privacy policy).

Subject access

Parents/carers and those with parental responsibility have the right to inspect records about their child at any time. This will be provided without delay and no later than one month after the request. Requests can be made verbally, and I will ensure I have received the correct information. I may need to check the identity of the person making the request if, for example, the request was made via an unknown email address. I will ask parents to regularly check that the data is correct and update it where necessary.  

Individual Rights

The GDPR provides the following rights for individuals:

1. The right to be informed

2. The right of access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision making and profiling


I will keep all paper-based records about children and their families securely locked away.

I will make sure keys are also securely stored.

If I keep records relating to individual children, families including in a digital format, such as on my computer or smartphone, externally or in cloud storage such as iCloud, Google Drive or Dropbox, including digital photos or videos, I will obtain parents’ permission. I will ensure any external or cloud-based services have adequate security around the data. I will store the information securely, for example, in password-protected files, to prevent viewing of the information by others with access to the computer or device.

Backup files will be stored on a password protected removable hard disc drive. Firewall and virus protection software are in place.

I am insured with Close-A-Plan Insurance. I will notify them of any incidents which may result in an insurance claim.

Safe disposal of data

I am required by law to keep some data for some time. I will ensure that any data is disposed of appropriately and securely. Safe disposal of paper would be with the use of a cross cut shredder. Any IT hardware is securely disposed of.

Suspected breach

I will investigate any suspected breaches and take prompt action to correct any areas of concern. If I suspect that data has been accessed unlawfully, I will inform the relevant parties immediately and will keep a record of any data breach.

Date Policy written - 27/05/18