Privacy Notice

Data ControllersHampshire County Council 
 St. James Church 
Data ProcesserLittle Fishes Nursery SchoolChurch Lane, Rowledge,
Farnham, GU10 4EN
Data Protection LeadRevd Russell​ 01252 792402
Data Protection AdministratorEmily
01252 794617

Personal data is protected in accordance with data protection laws and used in line with your expectations. This privacy notice explains what personal data we collect, why we collect it, how we use it, the control you have over your personal data and the procedures we have in place to protect it.

When we refer to “we”, “us” or “our”, we mean Little Fishes Nursery School.

What personal data we collect
We collect personal data about you and your child to provide care and learning tailored to meet your child’s individual needs. Personal details that we obtain from you includes your child’s: name, date of birth, address, and health, development and any special educational needs information. We will also ask for information about who has parental responsibility for your child and any court orders pertaining to your child.

Personal data that we collect about you includes: your name, home and work address, phone numbers, email address, emergency contact details, and family details.

We will only (with your consent) collect your national Insurance number or unique taxpayer reference (UTR) where necessary, if you are self-employed and where you apply for up to 30 hours free childcare. We also collect information regarding benefits and family credits. Please note that if this information is not provided, then we cannot claim funding for your child.

We also process financial information when you pay your childcare fees by direct debit. We may collect other data from you when you voluntarily contact us.

Where applicable we will obtain details of your child’s social worker, child protection plans from social care, and health care plans from health professionals and other health agencies.

We may collect this information in a variety of ways. For example, data will be collected from you directly in the application and registration form; from identity documents; from correspondence with you; or from health and other professionals.

Why we collect personal data and the legal basis for handling your data
We use personal data about you and your child in order to provide childcare services and to fulfil the contractual arrangement you have entered into. This includes using your data in the following ways:

  • to support your child’s wellbeing and development
  • to effectively manage any special education, health or medical needs of your child whilst at the setting
  • to carry out regular assessment of your child’s progress and to identify any areas of concern
  • to maintain relevant contact about your child’s wellbeing and development
  • to contact you in the case of an emergency
  • to process your claim for free childcare, if applicable
  • to enable us to respond to any questions you ask
  • to keep you updated about information which forms part of your contract with us
  • to notify you of service changes or issues
  • to receive our monthly parent newsletter containing vital information and communication

With your consent, we would also like to:

  • collect your child’s ethnicity and religion data for monitoring purposes
  • record your child’s activities for their individual learning journal (this will often include photographs and videos of children during play)
  • transfer your child’s records to the receiving school when s/he transfers

We will not use any images of your child for training, publicity or marketing purposes (e.g. local papers, posters, Little Fishes website and Facebook page) without your written consent. Permission is sought on the registration form and you are able to withdraw your consent at any time, for images being taken of your child and/or for the transfer of records to the receiving school, by confirming so in writing to the setting.

We have a legal obligation to process safeguarding related data about your child should we have concerns about her/his welfare.

Who we share your data with
As a registered childcare provider in order to deliver childcare services it is necessary for us to share data about you and/or your child with the following categories of recipients:

  • Ofsted, when there has been a complaint about the childcare service or during an inspection
  • banking services in order to process chip and pin and/or direct debit payments
  • the local authority, if you claim up to 30 hours free childcare
  • the governments eligibility checker as above, if applicable
  • our insurance underwriter, where applicable

We will also share your data:

  • if we are legally required to do so, for example, by a law enforcement agency, court
  • to enforce or apply the terms and conditions of your contract with us
  • to protect your child and other children; for example, by sharing information with medical services, social services or the police
  • if it is necessary to protect our rights, property or safety or to protect the rights, property or safety of others
  • with the school that your child will be attending, when s/he transfers, if applicable
  • if we transfer the management of the setting out or take over any other organisation or part of it, in which case we may disclose your personal data to the prospective seller or buyer so that they may continue using it in the same way
  • authorised third parties, to provide our services (see section below)

Our nursery management and communication software provider may be able to access your personal data when carrying out maintenance task and software updates on our behalf. However, we have a written agreement in place which place this company under a duty of confidentiality.

We will never share your data with any organisation to use for their own purposes.

Third Parties
We use a small number of authorised third parties to provide our services. They are not permitted to use information we share with them for any other purpose. We use third parties to assist us in processing your personal information, and we require these third parties to comply with our Privacy Policy and any other appropriate confidentiality and security measures.

We use an online system called Tapestry Online Learning Journal to record and store observations and assessments relating to each child. This is in line with the Early Years Foundation Stage (EYFS). Tapestry is hosted on secure dedicated servers based in the UK. We delete all data on a child from Tapestry the term after they leave our nursery school setting. For further information please see our Tapestry Policy.

To comply with Ofsted requirements, visitors to our nursery school must sign in to confirm they are on site. Little Fishes use Envoy as their visitor management system which offers high security for your data. Their data is stored on secure data centres in the United States. We retain all visitor data for 6 years in case of claims by parents or pupils about actions in the nursery school relating to that period., although you may request to have your personal information removed at any time before this time elapses. Please email us at with your name and the date of the visit to make this request.

How do we protect your data?
We take the security of your personal data seriously. We have internal policies and strict controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed and to prevent unauthorised access.

Where we engage third parties to process personal data on our behalf, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Where do we store your data?
All data you provide to us is stored on secure computers or servers located within the UK or European Economic Area. We may also store paper records in locked filing cabinets.

Our third party data processors will also store your data on secure servers which may be situated inside or outside the European Economic Area.

How long do we retain your data?
We retain your data in line with government guidance:

  • You and your child’s data, including registers are retained 3 years after your child no longer uses the setting, or until our next Ofsted inspection after your child leaves our setting.
  • Medication records and accident records are kept for 40 years as specified by legal requirements.
  • Learning journeys are maintained by the setting and will be given to you on a memory stick when your child leaves. If your child is leaving to attend school, a copy will be given your child’s new school. Your child’s learning journey will be permanently deleted from our Tapestry account within 6 months of your child leaving the setting.
  • In some cases (child protection or other support service referrals), we may need to keep your data longer, only if it is necessary in order to comply with legal requirements. We will only keep your data for as long as is necessary to fulfil the purposes it was collected for and in line with data protection laws.

Your rights with respect to your data
As a data subject, you have a number of rights. You can:

  • request to access, amend or correct the personal data we hold about you and/or your child
  • request that we delete or stop processing your and/or your child’s personal data, for example where the data is no longer necessary for the purposes of processing or where you wish to withdraw consent
  • request that we transfer your and your child’s personal data to another person

If you wish to exercise any of these rights at any time please contact the manager at the setting by email, telephone or when you attend the setting.

Notice of Breach of Security
We will notify you if there is a breach of your personal information. If a security breach causes an unauthorised intrusion into our system that materially affects you or your information, then we will notify you as soon as possible and later report the action we took in response.

Data breach procedures
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach could include:

  • loss or theft of devices or data, including information stored on USB drives or on paper
  • hacking or other forms of unauthorised access to a device, email account or the network
  • disclosing personal data to the wrong person, through wrongly addressed emails, or bulk emails that inappropriately reveal all recipients’ email addresses
  • alteration or destruction of personal data without permission and not in line with policy.

An identified data breach will be reported to the Information Commission’s Office (ICO) within 72 hours by the data protection lead. In the event that full details of the nature and consequences of the data breach are not immediately accessible (e.g. because Data protection leads do not work on every normal weekday), the Data protection lead will bring that to the attention of the Information Commissioner’s Office and undertake to forward the relevant information as soon as it becomes available. The Trustees will report the breach as a serious incident to the Charity Commission.

Where there is likely high risk to individuals’ rights and freedoms, Little Fishes will inform those individuals affected by the personal data breach without undue delay. The Data protection lead will keep a record of all personal data breaches reported, and follow up with appropriate measures and improvements to reduce the risk of reoccurrence.

How to ask questions about this notice
If you have any questions, comments or concerns about any aspect of this notice or how we handle your data please contact Amber Delves, manager of Little Fishes Nursery School, on 01252 794617 or

If the manager is not able to address your concern, please contact the Data Protection lead and Chair of Little Fishes Nursery School, Reverend Russell Gant. He can be contacted on 01252 792402​ or at​

How to contact the Information Commissioner Office (ICO)
If you are concerned about the way your data is handled and remain dissatisfied after raising your concern, you have the right to complain to the Information Commissioner Office (ICO). The ICO can be contacted at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or

Changes to this notice
We keep this notice under regular review. Any changes to this notice will be shared with you so that you may be aware of how we use your data at all times.