To download our Data Privacy Notice for parents/carers, please click here

At Acorn Early Years Foundation, we take privacy very seriously and we have updated our policies and procedures to ensure they fully meet the requirements set out in the General Data Protection Regulation (GDPR) and Data Protection Act (DPA, 2018)

Acorn is registered with the Information Commissioner’s Office (ICO).

The Data We Hold

 The categories of children’s information that we collect, hold and share include:

  • Personal information (such as name, address, date of birth)
  • Characteristics (such as ethnicity, language, nationality, country of birth, early years pupil premium eligibility)
  • Attendance information (such as sessions attended, number of absences and absence reasons)
  • Observations and assessment information and tracking of progress
  • Medical information
  • Information on special educational needs and disabilities (including if accessing Disability Living Allowance and entitled the Disability Access Fund)
  • Pictures and videos (if consent has been obtained)
  • Referrals to other relevant services
  • Safeguarding information.

We also collect, hold and share some information on the children’s parents/guardians:

  • Personal information (names, DoBs, place of work, address, contact details, etc.)
  • Bank details
  • National Insurance numbers


Why We Collect and Use this Information

We use the children’s and parent’s data to:

  • Support their learning and development, to enable staff to plan suitable activities to extend their knowledge and skills
  • Ensure that all children are safe within our childcare provision
  • Monitor and report on their progress
  • Provide appropriate behavioural and emotional support as required
  • Assess the quality of our services as a childcare provider
  • Comply with the law and statutory guidance regarding safeguarding and information/data sharing
  • Meet the requirements of the early years foundation stage (EYFS)
  • Make claims for funding


The Lawful Basis on which we use this Information

We collect and use the personal information outlined above under the following lawful bases:

  • Contract – the processing is necessary for a contract we have with you, the parent/carer of the child, to provide childcare and the contract that we have with the local authority to provide funded childcare to eligible families
  • Legal obligations – the processing is necessary for us to comply with the law
  • Consent – We have obtained consent from you, the parent/carer of the child, to process the data (this mainly relates to multi-media)
  • Vital interests of the child – Processing the information is essential to meet the vital interests of the child

Collecting Children’s Information

While most personal information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the GDPR, we will inform you whether you are required to provide certain children’s information to us or if you have a choice in this.

Storing Children’s Data

We are required to hold children’s data for a reasonable period of time, but not for longer than is necessary. Some personal information we only keep while the child is registered at Acorn, other personal information we are required to keep until the child reaches the age of 25 (as recommended under the Limitation Act 1980).

Why we Share Children’s Information

We do not share information about our children with anyone without your consent unless the law and our policies allow us to do so.

We share children’s data with the Department for Education on a statutory basis. We are required to submit data to our local authority for them to submit as part of the annual early years census in January and to access childcare funding. We will also share information with external agencies if it is in the vital interests of the child to do so.

During the COVID-19 pandemic, we may need to share relevant information (including name, date of birth, symptoms, and test date) with Public Health England (PHE) as part of their track and trace programme. For the PHE privacy information, please click here.

Data Collection Requirements

To be granted access to children’s information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.


Requesting Access to your Personal Data

Under data protection legislation, parents and children have the right to request access to information about them that we hold. Our parents are able to access most of the personal information we hold on them and their child through our Famly App. Other information is held securely in the setting in the child’s file; for more information please speak to the child’s key person or setting manager.

To make a form Subject Access Request for your personal information, please contact our Data Protection Officer on [email protected]. All information will be collated and provided to you within one calendar month.

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
  • claim compensation for damages caused by a breach of the Data Protection Regulations.

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance, usually through our Data Protection Officer. Alternatively, you can contact the ICO.