Data protection, confidentiality and GDPR


At Being Free Being Me  we hold confidential information about families, children and members of staff. 


We follow the legal requirements set out in the EYFS Statutory Framework regarding data protection and confidentiality. We also follow the requirements of the GDPR and the Freedom of Information Act 2000 with regard to the storage of data and access to it. Our limited company  is registered with the Information Commissioner’s Office as an organisation that processes personal data. 


To ensure that all information about children, families and staff remain confidential,  we do the following:


  • We store all personal details in files in a lockable cabinet in our office. 

  • When details are stored online (Google docs or similar) we use passwords. 

  • Information shared with staff is done on a ‘need to know basis’ and treated with confidentiality. We understand the need to ensure all our staff is aware of current issues regarding  data protection and GDPR at induction stage and throughout. 

  • Staff is made aware that parents can request to see any information regarding their children but not others. 

  • Staff must not discuss personal information given by parents with other members of staff unless is necessary for planning, supporting or safeguarding learner. 

  • In our code of conduct for staff there are specific guidelines regarding social networking in relation to confidentiality. 

  • Information regarding employees should only be accessed by the management of those individuals with personnel responsibilities. 

  • Any sensitive information related to concerns about a child is kept confidential and only shared on a ‘need to know’ basis. 

  • When  collecting any data from families we explain to parents why we are collecting certain personal  information and how we are going to use it such as consent forms of photo evidence for learning journeys. We have opt in boxes in our forms when there is a choice for parents to be informed or included of certain activities. We are aware of the need of seeking parents consent to share children’s details with other organisations or agencies including safeguarding whenever possible.We also know that we do not need consent from parents if we believe that children are suffering or are at risk of suffering significant harm. 

  • Everyone at Being Free Being Me  understands that people have the right to access their records or have their records amended or deleted (subject to other laws and regulations).


We understand we  are obligated to notify the Information Commissioner’s Office (ICO) of a data breach within 72 hours of becoming aware of the breach.

Register of Systems

  1. Facebook Being Free Being Me: group and page and messenger

  2. Email and google drive: 


  4. Croydon Local Authority

  5. Tapestry online journal to assess, observe and track children’s progress 

  6. Natwest Bank Account

  7. Paper records. 


Privacy Principles


  1. We  have a lawful reason for collecting personal data and we do it in a fair and transparent way.

  2. We only use the data for the reason it is initially obtained which is to offer childcare for your child.  (Register of systems review annually) 

  3. We do not  collect any more data than is necessary.

  4. We are committed to keeping personal  data up to date and review any inaccuracies.  

  5. We  understand we cannot keep data any longer than needed.

  6. We  protect the personal data by storing personal documents safely and with restricted access. 


These privacy principles are supported by accountability.