Data Protection

Looking after your data

1.     Introduction

Blooming Wild is required to collect and process data for a number of purposes concerning its staff, contractors, parents, children and any other individual who comes into contact with the company. In gathering and using this data, Blooming Wild is committed to protecting the rights of freedom and privacy of all individuals.


Blooming Wild is fully committed to full compliance with the requirements of the General Data Protection Regulation (GDPR). In line with this, this policy describes how personal data must be collected, handled, managed and stored in order to comply with the company’s data protection standards and the law.


Why This Policy Exists

This data protection policy sets out the rules to ensure that all personal data collected, processed, stored, shared and disposed of on behalf of Blooming Wild is compliant with the obligations of the General Data Protection Regulation (GDPR).

This policy has been put in place to ensure Blooming Wild:

  • Complies with the requirements set out by GDPR
  • Protects the rights and privacy of any individual the company holds data on, including but not limited to staff, contractors, parents and children
  • Reduces the risk of a data breach
  • Has a clear and consistent approach to the collection, storage and management of data


Relevant Legislation

The General Data Protection Regulation (GDPR) has been in force since 25th May 2018. It applies to all organisations who offer services to monitor or process the personal data of subjects residing in the EU. Failure to comply with the GDPR can result in fines up to 4% of annual global turnover or €20 million.


Policy Scope

This policy applies to UK operations:

  • Blooming Wild National Support Centre
  • All settings operated by Blooming Wild
  • Offices and other sites operated by Blooming Wild
  • All staff and volunteers employed by Blooming Wild
  • All contractors, suppliers and other people working on behalf of Blooming Wild

This policy applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998.


This can include (but is not limited to):

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Photographs
  • Wage and salary information
  • Bank account details
  • Medical records
  • Dates of birth
  • Copies of identification
  • Curriculum Vitaes (CVs)
  • Staff performance records
  • Disciplinary records
  • Accident and incident records

Plus any other information relating to individuals


2.     Data Protection Policy Statement


Blooming Wild is fully committed to ensuring full compliance with the requirements of the General Data Protection Regulation (GDPR).



The Blooming Wild Group of Companies will:


  • Protect the fundamental rights and freedoms of natural persons in relation to their personal data
  • Be lawful, fair and transparent in relation to how personal data is collected, stored and processed
  • Collect data for relevant specified, explicit and legitimate purposes
  • Keep accurate, up to date and detailed registers of personal data held
  • Keep data for no longer than is required for the purposes it was collected
  • Process data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • Keep data secure with appropriate technical and organisational measures taken to protect the information
  • Process data in line with the rights of the individual


3.     Roles and Responsibilities

All members of staff who work for Blooming Wild have a responsibility to ensure that data is collected, stored, processed and disposed of appropriately.


The following people have key responsibilities:


Board of Directors

The Board of Directors has overall responsibility for the implementation of the Data Protection Policy throughout the business.

The Board of Directors will:

  • Ensure that the requirements of GDPR are understood and effectively managed
  • Ensure that appropriate resources are provided to effectively implement the Data Protection Policy
  • Ensure that a competent Head of Compliance is appointed to manage data protection


Data Protection Officer – Head of Compliance

The Data Protection Officer (DPO) oversees and has managerial responsibility for data protection in the business.

The DPO will ensure:

  • There are adequate resources available for the business to be legally compliant with GDPR and the policies, procedures and management systems in place are robust and effective
  • The business and its legal entities are registered with the Information Commissioner’s Office (ICO) and we co-operate with any of their requests or investigations
  • A data protection policy is in place and reviewed on a regular basis
  • Employees are aware of their obligations to comply with the GDPR and other data protection laws
  • Monitoring of compliance with the GDPR and reviews of the policies, procedures and systems are undertaken to ensure they are effective
  • Training, advice and information is provided to employees and business contacts when necessary in relation to data protection
  • Data breaches are notified to the Information Commissioner within 72 hours of being made aware and an investigation is undertaken in response to the data breach
  • An effective system is in place for compiling information requested as part of a Subject Access Request in line with the timescales detailed in GDPR
  • Contracts with third parties are checked to ensure they are consistent with this Policy


Data Protection Assistant/ Compliance Administration Assistant

The Data Protection Assistant/ Compliance Administration Assistant assists the Data Protection Officer with their duties (as detailed above) as well as:

  • Maintaining the registers that hold personal data or software information
  • Undertaking investigations into data breaches
  • Co-ordinating and managing Subject Access Requests
  • Monitoring and actioning correspondence relating to data protection
  • Devising and delivering data protection training
  • Monitoring the Blooming Wild website, Wikibee and shared folders to ensure they are accurate and include up to date information on Data Protection and Privacy


Head of IT

The Head of IT co-ordinates software systems and information technology in the business. The Head of IT will:

  • Ensure all systems, services and equipment used for storing personal data meet acceptable security standards
  • Perform regular checks and scans to ensure security hardware and software is functioning properly
  • Investigate and address any suspect anti-virus or spam
  • Evaluate any third-party services the company is considering using to store or process data
  • Give advice and feedback to the DPO on any concerns regarding IT or security systems that may affect Blooming Wild’s ability to meet the requirements of this Policy and the GDPR


Head of Marketing

The Head of Marketing co-ordinates the collection and use of data for marketing purposes. The Head of Marketing is responsible for:

  • Liaising with the DPO to ensure all marketing materials abide by data protection principles
  • Ensuring that consent is collected for the distribution of all direct marketing material
  • Ensuring any changes in the way we use data for marketing purposes are communicated to parents and the DPO


Heads of Departments

The Head of Department is responsible for ensuring that data collected, handled and processed within their department is done so in line with the GDPR and this policy.

The Head of Department will ensure:

  • Personal data handled in the department is recorded on the Information Asset Register
  • Software used to store personal data is recorded on the Software Register
  • All third parties, contractors or suppliers that have access to Blooming Wild personal data are recorded on the Third-Party Register
  • All staff are trained and familiar with their duties under the Data Protection Policy
  • Any collection, processing, management and disposal of personal data is done so in line with the Data Protection Policy
  • Information is provided (when requested) to enable a Subject Access Request to be completed within the timescales required
  • A Data Protection Impact Assessment is completed when deemed necessary, for instance when acquiring a new software system



Managers are responsible for ensuring that data collected, handled and processed within their area of control is done so in line with the GDPR and this policy.

Managers will ensure:

  • They inform their line manager or the Head of Department of any personal data that is collected in the course of their work to ensure this is recorded on the Information Asset Register
  • Before any new software system is used, this is discussed with the Data Protection Officer and Head of IT to ensure a Data Protection Impact Assessment is completed and it is recorded on the Software Register
  • All third parties, contractors or suppliers that have access to Blooming Wild personal data are recorded on the Third-Party Register
  • All staff are trained and familiar with their duties under the Data Protection Policy
  • Any collection, processing, management and disposal of personal data is done so in line with the Data Protection Policy
  • Information is provided (when requested) to enable a Subject Access Request to be completed within the timescales required
  • Data protection breaches are reported to the Data Protection Officer as soon as possible


Regional Directors / Compliance Advisors

Regional Directors and Compliance Advisors are responsible for giving support to nursery staff and monitoring compliance with the Data Protection Policy.

Regional Directors and Compliance Advisors will ensure:

  • They provide information, advice and support to the Nursery Senior Management team on the requirements of the Data Protection Policy
  • That confidential waste is stored in an appropriate manner and is not accessible to unauthorised persons
  • Documents containing personal data are stored in a secure location that can be locked when required
  • Data breaches are reported to the Data Protection Officer as soon as possible
  • Assist nurseries in collating data for Subject Access Requests


General Staff Guidelines

All Blooming Wild employees are required to comply with the following guidelines to ensure all personal data held by the company is used, stored and managed in the most appropriate way possible:

  • Data should only be collected on approved Blooming Wild documentation; approval from the DPO must be sought where additional personal data is collected
  • Data should only be used for its original purpose and only by those who need it for their work
  • Data concerning individuals must not be communicated to other persons or organisations unless required to do so by law or under an approved contract
  • When sharing data, take care to check the identity of the individual and the organisation they are representing, and be confident they have a legitimate need for the information
  • Take sensible precautions to ensure all personal data is kept secure. This should include locking computers when leaving a desk and making sure no personal data is left out in view of other people.
  • Use strong and secure passwords when storing digital data; usernames and passwords should never be shared
  • Data should be regularly reviewed and updated, and if found to be out of date or no longer required for its original purpose, it should be updated or deleted and disposed of in the manner detailed in the Retention and Disposal Guidance
  • Employees should request help from the DPO if they are unsure of any aspect regarding data protection
  • Documents containing personal data should be disposed of in line with the Retention and Disposal Guidance, with confidential waste bins being used before collection with our approved waste contractor. Documents that contain personal data should not be placed in general waste bins.
  • Blooming Wild will provide training to all employees to help them understand their responsibilities when handling data
  • Employees should ensure that the data held on HR software is reviewed at least annually and updated


Staff that work from home or undertake work in locations other than those under the management of Blooming Wild should also comply with the following guidelines:

  • Where possible use a Blooming Wild laptop or tablet that has been installed with approved firewall and security software
  • Blooming Wild documents should be worked on in the online portal or within Sharepoint and should not be downloaded and saved to personal computers or hardware
  • Data should not be transferred onto a personal USB stick
  • Employees should avoid leaving sensitive information out on display or in vehicles
  • Computers should be password protected and locked when left unattended
  • Documents containing personal data should be taken to a nursery or office to be placed in a confidential waste bin, burned or shredded. They should not be placed in a general waste bin.



4.     Personally Identifiable Data

Blooming Wild only collect, process and store personal data where we have a valid lawful basis to require it. We do the following to be transparent:

  • Provide information to data subjects in our Privacy Policy on where data is held, the lawful basis and how long we store it. This is available on our website: Privacy Policy
  • Only use data for its original purpose; where we wish to use it for a different purpose, we will notify you of this and request your consent
  • Keep data in as few places as necessary
  • Update our data regularly using annual declaration requests
  • Provide you with any information we hold on you when we receive a Subject Data Request
  • Where an individual contests the accuracy of personal data, Blooming Wild will restrict processing until the personal data has been confirmed and updated


Children’s Data

As a childcare company Blooming Wild collects, holds and processes a lot of children’s data. There is an increased need to protect children’s personal data because they are classed as vulnerable individuals. Where a child is under the age of 16, consent for the processing of the child’s data is required from the child’s parent or guardian.


Additional care should be taken when handling or sharing children’s data to ensure that it is shared with only those that need to know the information. Some data, such as medical data, will need to be shared with staff to ensure that any emergency medical care can be given when needed; however, this should not be shared with people outside the organisation unless there is a legal requirement to do this.


Staff Data

We collect, hold and process data on employees as part of our legal responsibilities and in order that we can support and manage them in their work. Much personal data on employees is held on our HR software, and employees should regularly check that the information held is accurate and amend it where necessary.


Sensitive Personal Data

Blooming Wild has recognised that special categories of personal data need to be processed as part of our business activities and this data needs additional protection to manage the risk. The special category data we collect is listed below:


| Special Data | Lawful Process (Article 6) | Condition (Article 9) | |
| --- | --- | --- | --- |
| Childs Health Information | Vital Interest (d) | Vital Interest (c) | Information given as part of parent contract and consent agreed |
| Employee Health | Legal Obligation (c) under HSAWA 1974 | Legal Claims (f) | T&C on contract |
| Employee Race | Consent (a) | Explicit Consent (a) | Information given and consent agreed, T&Cs on |
| Employee Ethnic Origin | Consent (a) | Explicit Consent (a) | Information given and consent agreed, T&Cs on |
| Employee Religion | Consent (a) | Explicit Consent (a) | Information given and consent agreed, T&Cs on |
| Sexual Orientation | Consent (a) | Explicit Consent (a) | Information given and consent agreed, T&Cs on |


All sensitive personal data is only processed when explicit consent is given or when the processing is necessary for substantial public interest reasons which must include measures to protect the interests of the data subject. We do not process any other data considered ‘special’ under the GDPR than those detailed above.


Criminal Convictions and Offences

Blooming Wild, as a childcare provider, is required by law to review the history of employees in relation to historic criminal convictions and offences. As required by the GDPR we have provided information on this data below:



| | Lawful Process (Article 6) | Authority (Article 10) | |
| --- | --- | --- | --- |
| Employee DBS check | Legal obligation (c) – Safeguarding requirement | Atlantic Data carry out the DBS check – no criminal conviction history is stored by Blooming Wild only the DBS number | Information given and consent agreed - DBS check date recorded |


5.     Collecting and Processing Personal Data

Lawful Processing (Article 6)

Blooming Wild will only collect and process personal data when at least one of the following lawful processes applies:

  • Consent: A data subject has given consent to the processing of his/ her personal data
  • Contract: Processing is necessary for the performance of a contract
  • Legal obligation: Processing is necessary for compliance with a legal requirement
  • Vital interests: Processing is necessary to protect the vital interests of the data subject
  • Legitimate interests: Processing is necessary for the legitimate interests pursued by the data controller or third party, unless there is a good reason to protect the individual’s data which overrides those legitimate interests


Blooming Wild makes automatic decisions on the processing and use of data where it is:

  • Necessary for the entry into or performance of a contract
  • Required to comply with the law
  • Based on the individual’s explicit consent


Processing Parent and Child Data

All personal data regarding a parent, guardian, carer and child processed by Blooming Wild is mandatory in order to fulfil the requirements of the contract. Failure to provide this information will result in the child being declined a place at the nursery.


Processing Employee Data

All personal data regarding an employee processed by Blooming Wild is mandatory in order to fulfil the requirements of the contract. Failure to provide this information will result in the individual being unable to join Blooming Wild as an employee.


Consent Management

Where processing is based on consent, Blooming Wild shall demonstrate that the data subject has consented to the storage and processing of his/ her personal data. For the collection of personal data which relies on explicit consent, data subjects are given the opportunity to freely give their consent to us processing that data for the specified purpose. Some examples of where explicit consent (outside the terms and conditions of the contract) is required are detailed below:


a.       Consent for photographs

Blooming Wild recognises the taking of photographs is not compulsory for the fulfilment of a contract and is not required for legal reasons. Considering this, parents are given the opportunity to give or withdraw their consent for photographs of their child to be taken, displayed or used in various ways by Blooming Wild. This information is collected as part of the application pack.


b.      Consent for Marketing

Blooming Wild recognises individuals are required to give explicit consent to be contacted for marketing purposes. Parents are given the opportunity to freely give their consent to being contacted for marketing purposes. Consent is given in a granular manner to show clearly what is being agreed to. This information is collected as part of the application pack.


c.       Other consents

For further processes where we require consent for additional functions or needs, additional consent forms will be used. These include (but are not limited to):

  • Use of fobs in nurseries
  • Involvement in parent/ event groups
  • Use of software or equipment outside our normal work practices


6.     Data Security, Retention, Storage and Disposal

Responsibilities and Procedures

Blooming Wild is committed to ensuring we do not hold personal data for longer than necessary. Blooming Wild retains different types of data for different periods of time due to the law or business need. Each Head of Department or Nursery Manager is responsible for ensuring data is only kept for the appropriate retention period. All data should be stored only in the location(s) detailed in the Blooming Wild Information Asset Register and all staff are required to follow the retention guidelines on the Management, Retention and Disposal guidance document, to ensure compliance with the GDPR.


Hard Copy/ Paper Records

When data is stored in paper format, it should be kept in a secure place where unauthorised people cannot see or gain access to it. The following procedures should be followed when handling paper documents. These guidelines also apply to electronic data which has been printed out.

  • Paper files containing personal data should only be handled by those within the company that need it to complete an essential task and should not be shared unless it is necessary to do so
  • When not in use, paper documents should be kept in a secure environment such as locked in a drawer, filing cabinet or office
  • Paper or printouts containing personal information should not be left out
  • Printouts where the data is no longer required should be securely disposed of in the confidential waste bin or shredded
  • Procedures are in place to securely dispose of confidential waste


Soft Copy/ Electronic Records

When data is stored electronically, measures should be put in place to protect data from unauthorised access, deletion, viruses and malicious hacking attempts:

  • Data should be stored on the portal or Sharepoint and not on local drives or hardware
  • Staff should be trained and be given information as to where the correct and secure place to save data is
  • Data should be protected by a strong password which is regularly changed and never shared, even with those within the organisation
  • Data should be backed up frequently
  • Data should never be downloaded or saved directly onto personal laptops or mobile phones
  • All servers and computers containing personal data should be protected by security and anti-virus software and a firewall
  • Where possible, removable media devices such as a USB stick should not be used. Where they are required, they should be kept in a secure locked environment and wiped once they have been used for the purpose
  • All staff should ensure computers or laptops are logged off or locked when left unattended


Cyber Security

Blooming Wild ensures that all data is kept secure with appropriate technical and organisational measures taken to protect the information. Blooming Wild ensures all business computing devices have appropriate anti-virus, firewall and spam software to help minimise access to files and identify any areas of concern.


E-mails are checked regularly for viruses. However, no liability is accepted for any viruses which may be transmitted in or with e-mails.


Disposal of Documents

Employees must ensure that documents are only kept for the retention period set out for that particular type of data. All documents that exceed this retention period or are no longer required should be placed in a Confidential Waste bin, bag marked as ‘confidential waste’ or shredded. Any waste that is being stored before collection should be kept in a secure location such as a locked cupboard or office to prevent unauthorised access.


Blooming Wild have a contract with an approved licenced waste contractor who collect and dispose of documents that contain personal data and are considered ‘confidential waste’. Waste transfer notes and disposal certificates are provided to demonstrate compliance with waste legislation.


Disposal of IT Hardware

Computer hardware that comes to the end of its use should be returned to the IT department to ensure it is wiped and any personal or sensitive data is removed. Once this has been completed, the equipment is collected and destroyed by our licensed waste contractor.



7.     Data Sharing and Processing

Third Party Sharing and Processing

Blooming Wild may need to share personal data with organisations outside the Blooming Wild organisation; we refer to these as ‘third parties’. This may be for a variety of reasons, but where this is necessary Blooming Wild ensures all third parties who process data on behalf of Blooming Wild (the data controller) have robust systems in place to comply with the conditions set out in GDPR.


Most third parties who process data on behalf of Blooming Wild shall sign a Data Confidentiality Agreement. This outlines how we expect each organisation as a data processor, to handle the data we share with them. Failure to adhere to the obligations set out in the Data Confidentiality Agreement would result in us reviewing our partnership with them as this may lead to a data breach.


Some organisations who we share data with, such as Public Bodies or very large organisations, may not be able to sign our Third Party Data Confidentiality Agreement. Where this is the case we ensure that we have information on their Data Protection Policy and arrangements to ensure that we are satisfied that they are compliant with the GDPR.


In relation to the sharing of data with Third Parties Blooming Wild will ensure:

  • Reasonable steps are taken to ensure secure measures are in place to protect individuals’ personal data

  • A written contract or confidentiality agreement is set out establishing what personal data will be processed, the purpose for processing and how long the data will be held for
  • Third parties are informed about data subjects who wish to access, erase or rectify their personal data
  • Personal data is only disclosed to third parties outside a formal contract or agreements where there is a legal obligation to do so
  • The T&Cs within the contract with a third party meet the requirements of the GDPR
  • Data subjects have given their explicit consent to disclose their personal data to third parties or are agreeing to the terms of a Blooming Wild contract
  • The disclosure of data is necessary to protect the vital interests of the data subject


Internal Sharing of Data

The following guidelines should be followed when sharing data internally:

  • Data should never be shared via email unless the email is encrypted or password protected
  • Emails containing personal data should be deleted after being dealt with or saved within the appropriate software system and/ or hard copy file in line with the Management, Retention and Disposal guidance document
  • Personal data should only be shared with those who need to have it and care should be taken when sharing personal data via email that it is sent to the correct recipient
  • Data should not be shared over the phone or in person unless the individual is known to you or their identity has been confirmed
  • When sending password protected documents, passwords should be sent separately, and never shared



8.   Social Media

Blooming Wild use Facebook and other social media outlets as a means to communicate positive messages about the organisation. They are updated with regular posts showing a selection of the activities for children, news and special offers. This is carefully managed by the Blooming Wild Marketing team and Papillion PR.


All photographs of children used on the Blooming Wild Facebook page require parents’ consent before they are posted. Photos are not to be posted on this or any social media or internet sites without this consent. Nursery managers must ensure that parents complete a consent form and that the appropriate permissions for the use of photographs have been given. The consent form should be updated at least once a year to ensure the parents are still happy for images to be used.


Nurseries are not permitted to set up or post on social media sites not controlled and managed by Blooming Wild without prior agreement with the Marketing Team.


We are not responsible for any social media groups which are detached from the company and have been set up by parents such as forum groups. It is recommended that you inform parents that we have no control of the content or data sharing of these forums and there is a risk of their information being shared without their consent.


Below are links to the privacy policies for the social media platforms used by Blooming Wild. You should familiarise yourself with these if you are using these forums to post information about Blooming Wild.

  • Facebook
  • Twitter
  • Instagram
  • LinkedIn



9.   GDPR Provisions

Privacy Notices

The Blooming Wild Privacy Notices outline the following information:

  • what personal data we collect
  • how we process the data
  • the lawful basis in which we process
  • the purpose for processing
  • who we share data with and why
  • how long we hold it for
  • where it is stored and
  • the rights of the data subject

The privacy notices are available on the Blooming Wild website or upon request.


Privacy by Design and Default

Blooming Wild as the data controller shall implement appropriate technical and organisational measures to ensure that by default, only personal data necessary is used for each specific purpose of processing. Blooming Wild will also (where deemed necessary) follow data protection principles such as data minimisation to protect the rights of the data subject by implementing appropriate technical and organisational measures, such as pseudonymisation.



10.  Data Subject Rights

Subject Access Requests (SAR)

The personal data collected and held by Blooming Wild remains the property of the Data Subject and therefore they retain the right to know what information we hold on them, where it is held and for what purpose. Under the GDPR we are aware of our legal obligations to provide a copy of the data, free of charge and without undue delay, and at the latest within one month of receiving a Subject Access Request (SAR).


Blooming Wild reserve the right to refuse or charge for information if the SAR is manifestly unfounded or excessive. We will inform the Data Subject of this within one month of the request and provide information as to why it has been refused or why a charge has been requested.


Right to be Forgotten

A Data Subject has the right to ask Blooming Wild to erase his/ her personal data and cease further dissemination of the data. The right to be forgotten will not be available where we are under contract with the Data Subject or we hold the data to meet legal requirements. If personal data has been disclosed to third parties, where possible we are required to inform them about the erasure of personal data.


Right to Rectification

A Data Subject has the right to request that we rectify inaccurate or incomplete personal data concerning him/ her. If such personal data has been disclosed to third parties, where possible these third parties will be informed. We will take steps to correct inaccurate or incomplete data as soon as practicable after becoming aware of it. We would always aim to have this completed and the Data Subject be advised of the action taken within one month.


Right to Object

A Data Subject has the right to object to the processing of their data where it is used for direct marketing, research, statistical analysis, for legitimate interests or the performance of a task in the public interest. Where a Data Subject objects to Blooming Wild having their data for these purposes, we will no longer process the personal data and inform the Data Subject when this has been actioned. We will assume the Data Subject is removing consent for the data to be used in that way and remove this from our systems.


11.  Reporting Breaches

All Blooming Wild employees who are aware that a data breach has occurred should report the breach to their manager and the Data Protection Officer. The Data Protection Officer will then ensure that the breach is recorded on the Data Breach Register. Further information on how to report a breach is available in the Data Protection Breach Guidance document.


High Risk Breaches

Blooming Wild are required under the GDPR to notify the Information Commissioner's Office of a high risk data breach, where the breach is likely to result in a risk to the rights and freedoms of the individual. Blooming Wild will report the breach within 72 hours of first becoming aware of the breach. Blooming Wild will also notify the individual concerned directly and advise them of what is being done to manage the risk.



12.  Monitoring

Information Asset Register

The Information Asset Register is a centralised log for all information that is held and processed by Blooming Wild. The register outlines what information is held, what lawful process the data fits into, where the data is held, how long the data is held for, who has access, and whether the data is shared with any third parties.


Each Head of Department is responsible for the data they hold in their department or in software systems managed by them, and for ensuring all the information in the asset register is correct.


Third Party Processor Register

The Third-Party Processor Register is a centralised log which holds the names and contact details of all the third-party organisations Blooming Wild has shared data with.


Management, Disposal and Retention Guidance

The Disposal and Retention Schedule is included in this guidance document. It sets out the timeframes for how long documents will be stored within the company and gives information on when and how they should be disposed of.


Data Breach Register

The Data Breach Register is a centralised log for all data breaches to be recorded. All staff members are required to record their breach in this register along with the action taken and whether the ICO have been notified.

All nurseries are required to log data breaches on the RIVO software.

National Support Centre breaches are logged by the GDPR Co-ordinator on the RIVO software.


Subject Access Request Register

The Subject Access Request Register is a centralised log for all subject access requests to be recorded. This should include the name of the requester, the date of request and the date of completion.


13.  Complaints

Blooming Wild is fully committed to protecting the privacy of individuals and complying with the General Data Protection Regulation (GDPR). We will do our best to investigate any complaints from Data Subjects and have put together a Complaints Protocol to show how we will do this.


If you are unhappy with our handling of a SAR or have concerns with how we handle data, please let us know and we will try and resolve the issue. If you are still unsatisfied, you have the right to contact the Information Commissioner's Office and raise a concern with them.

They can be contacted on 0303 123 1113.



14.  Training and Awareness

Blooming Wild recognises that most staff in the course of their work will come into contact with personal data and endeavours to provide information, training and support to all employees to assist them in collecting, storing, processing and disposing of personal data.


Data Protection Training

  • All staff members are required to undertake data protection awareness training on the Visual Learning Academy (VLA).
  • All Heads of Department, Regional Directors (RDs) and Regional Compliance Advisors (RCA) are required to undergo basic GDPR training to assist them in undertaking their roles and disseminating information to nursery staff and people within their
  • All new employees will undertake data protection training as part of the induction to ensure they are familiar with our Data Protection Policy and accompanying guidance

All staff members are encouraged to read this policy along with the assisting protocols and guidance documents to ensure compliance.


Data Protection Support

Data protection support is provided by the Data Protection Officer (DPO) and the GDPR co-ordinator. They will provide guidance and information to anyone who needs advice or support in complying with the GDPR or our data protection policy and procedures. They can be contacted on:


Telephone: 07772028116


Employees should familiarise themselves with this policy and other relevant data protection protocols and guidance. Employees who fail to comply and as a result cause a significant data breach may face disciplinary action. Each incident will be assessed on a case-by-case basis.


Relevant Documents and Guidance

  • NSC Management, Retention and Disposal of Records Guidance
  • Site Management, Retention and Disposal of Records Guidance
  • Subject Access Request Guidance
  • Subject Access Request Protocol
  • Data Protection Breach Guidance
  • Data Protection Breach Protocol
  • Privacy Notice for Parents
  • Privacy Notice for Employees
  • Complaints Protocol
  • Data Confidentiality Agreement


  • Data Protection Impact Assessment Form
  • Data Protection Impact Guidance
  • Data Protection Impact Protocol
  • Breach Register
  • Subject Access Request Register
  • Information Asset Register (IAR)
  • Third Party Processor Register
  • Software Register
  • Internet & Social Networking Policy


15.  Definitions

Personal Data: Information related to an identifiable natural person that can be used to directly or indirectly identify the person.

Sensitive Data: Special categories of personal data listed in Article 9 of the GDPR.

Controller: A controller is the entity that determines the purposes, conditions and means of the processing of personal data.

Data Subject: A natural person whose personal data is processed by a controller or processor.

Processor: An entity that processes personal data on behalf of a controller.

Consent: A freely given, specific and informed indication of the subject's wishes to allow the processing of personal data relating to him or her.

Data Protection Officer: A person responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR.

Data Breach: A breach of security leading to an accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data.

Breach Notification: A notification to the Information Controller where a breach is likely to ‘result in a risk of the rights and freedoms of individuals’. This must be done within 72 hours of first becoming aware of the breach.

Profiling: Any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, including to analyse or predict performance, economic situation, health, personal preferences, behaviour, location or movements.

Third Party: A natural or legal person, authority or body other than the data subject, controller or processor, who under the direct authority of the controller or processor are authorised to process personal data.

Data Processing: Any operation or set of operations which is performed on personal data or on sets of personal data.

Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51.

Recipient: A natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not.

Confidential Waste: Any document containing personal information that can be used to identify individuals.

Subject Access Request: A request sent from a Data Subject to a Data Controller requesting information about themselves.

Consent: Freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Recipient: An entity to which the personal data is disclosed.

Data Portability: The requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.

Privacy Impact Assessment: A tool used to identify and reduce the privacy risk of entities by analysing the personal data that are processed and the policies in place to protect that data.

ICO: The Information Commissioner's Office is the UK's independent body set up to uphold information rights.