Legacy Data Protection
We want to tell you what personal information we hold about parents and children and what will happen to it when we close in December 2020.
In our accounting system we hold the following information about customers:
Name, home address, phone number and email address of primary contact
Name and email address of secondary contact, where invoices etc are copied to a second person.
Itemised invoices which may include dates of sessions a named child attended.
Payment information, including dates and methods of payments (but without card numbers).
Once our final accounts are submitted, which will be by the end of 2020-2021 school year, this information will be archived and kept for 7 years as required by HMRC. We will then destroy the records. Until being destroyed, the archives will be stored on paper in the owners' home and on encrypted storage media.
We currently store and use the information that you provided on a registration form to ensure we can deliver our services and keep your child safe when they are with us. This information includes:
Names, addresses and contact information of child’s parents.
Child’s name, date of birth, doctor’s details, medical conditions and allergies.
Names, addresses and contact information of emergency contacts.
Your marketing and communications preferences.
We scan the originals and store digital copies securely on encrypted storage media. We currently keep the original copies on site for easy access when we are open. We normally destroy scanned and originals one year after a child leaves the school. When we close, we will shred and/or burn all originals. We will retain digital copies until the end of the 2020-2021 school year. They will then be destroyed.
We record information about bookings in spreadsheets on encrypted storage media. We record actual attendance on paper registers which we scan at the end of each school year to encrypted storage media before shredding and/or burning the originals. The information includes:
Names of children attending each session.
Time and signature (or more recently just name name) of person dropping off or picking up.
Names of adults (staff and visitors) at each session.
Time of arrival and departure of adults and their signatures.
Notes of any incidents occurring during the session.
OFSTED and safeguarding authorities can legitimately request information about a child’s attendance until the child reaches the age of 21 (25 in some circumstances). We will scan registers for this year at the end of this term and shred and/or burn the originals. We will store scanned registers and booking spreadsheets on encrypted media for 17 years after our closure, when the youngest person who has attended this school year will be 21.
We record accidents and injuries on paper forms. We scan these to encrypted storage media at the end of each school year and shred and/or burn the originals. This information includes:
Date, time and location of accident or injury
Description of accident or injury
Description of action taken
name and signature of attending adult
acknowledgement by parent that they have been informed.
There is a limitation of 3 years for making personal claims for accident or injury. However for children this period begins once a child turns 18 and so becomes an adult. Our insurers expect us to retain this information until a child turns 21. For simplicity we intend to keep all accident records on encrypted media for 17 years after our closure, when the youngest person who has attended this school year will be 21.
If we have any safeguarding concerns about a child we record them individually for that child on on paper forms.
Unless we have made a referral to safeguarding authorities about a concern, we are required to retain the records for one year after the child stops using our service. If we have made a referral to safeguarding authorities about a concern, we are required to retain the records only until their investigation is complete. There are no such investigations in progress.
At the end of this term we will scan any current paper forms to encrypted media and shred and/or burn the original forms. We will store the digitised copies until the end of December 2021 before destroying them.
We use the Mailchimp service for marketing and communications purposes. Mailchimp gives you full control over the information we hold about you (which is generally just your name, newsletter interests and email address). Links you can use to change your preferences are included in every Mailchimp email sent. If you unsubscribe from Mailchimp we will no longer have access to that information.
We do not expect to use Mail chimp after we close in December. We will delete all subscribers from our Mailchimp account by the end of the 2020-2021 school year.
We never have shared, and never will share, your personal information with other companies for the purposes of marketing without your express permission.
Our website and social media accounts will remain live until the end of the 2020-2021 school year. All posts and media related to our current operations will then be removed.
Photos and Videos
We have taken photos and videos of children at Karibuni for the purposes of showing the nature and quality of the service we provide to both patents and OFSTED and for marketing purposes within the terms of our agreements with parents. Unpublished photos and videos are stored on encypted media or secure cloud accounts. All such photos and videos will be destroyed by the end of the 2020-2021 school year.
Other Personal Information
We believe above statement covers all personal information we hold about parents and children who use our services.
We have been registered with the Information Commissioners Office since we started operating in 2016 and have collected, handled, stored and disposed of personal information; according to initially their guidelines and subsequently GDPR regulations. Our registered Data Protection Officer is Paul.
Even after we close you have certain rights related to personal information we hold about you and your child. These include rights to:
Find out what information we hold about you.
Correct any incorrect information we hold about you.
Request that we stop processing / using information about you.
Request that we delete information we hold about you.
After we close, and for as long as we retain information about you, you can exercise these rights by stating your request in an email sent to email@example.com. Note however, we will not agree to delete any data we are retaining for legal or regulatory purposes unless it can be shown that we are retaining it unnecessarily.