Cuan Bhríde Childcare Centre
Data Retention Policy
Cuan Bhríde Childcare Centre strives to comply with applicable laws and regulations related to the retention of personal data in Ireland.
This policy outlines the basic rules by which Cuan Bhríde Childcare Centre manages the retention of the personal data of parents, children, suppliers, employees and other individuals that is processed by Cuan Bhríde Childcare Centre. The policy sets out the required retention periods for different categories of data and sets out the minimum standards to be applied when destroying certain information.
All employees either permanent or temporary, all contractors, all volunteers and students, regardless of their length of employment/placement in the service, are required to read and understand this document, so they are fully aligned with the policy of Cuan Bhríde Childcare Centre. This document will be made available to parents or guardians on request.
This policy applies to all data used at Cuan Bhríde Childcare Centre. Examples of data include:
-
Emails
-
Hard copy documents (child record forms, attendance records etc.)
-
Soft copy documents (scanned enrolment form etc.)
-
Video, audio and photographs
-
Data generated by physical access control systems (Keypads, Fob systems etc.)
Retention Schedule
The Voluntary Management Committee defines the time period for which documents and electronic records should be retained through the Data Retention Schedule. These retention periods are predominantly determined by statutory obligations.
As an exemption, retention periods within the Data Retention Schedule will be prolonged in cases such as:
-
Ongoing investigations from Irish authorities, if there is a chance records of personal data are needed by Cuan Bhríde Childcare Centre to prove compliance with any legal requirements; or
-
When exercising legal rights during legal cases or similar court proceedings recognised under Irish law.
Safeguarding of Data during Retention Period
If personal data is physically retained in hard copy format this personal data may become out of date quickly and this will be considered by the Manager. If personal data is retained on electronic storage media (hard drive, server) or in the cloud, the Manager will ensure that backup copies of the information also is available. The 3-2-1 backup strategy will be used: 3 copies total, 2 local copies, 1 offsite. Responsibility for the storage of data falls to the Manager.
Destruction of Data
Cuan Bhríde Childcare Centre and its employees will regularly review all data, whether held electronically or in hard copy format, to decide whether to destroy or delete any data once the purpose for which those documents were created is fulfilled. See Appendix 1 which outlines the Data Retention Schedule. Overall responsibility for the destruction of data falls to the Manager.
Once the decision is made to dispose of personal data according to the Data Retention Schedule, the data will be deleted, shredded or otherwise destroyed appropriately.
The method of destruction varies and will be dependent upon the nature of the document. For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) will be disposed of as confidential waste and be subject to secure electronic deletion. The Document Disposal Schedule section below defines the method of disposal.
The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Manager subcontracts for this purpose. Destruction of data is always approved by the Manager and the details recorded. Any applicable general provisions under relevant data protection laws and Cuan Bhríde Childcare Centre’s Personal Data Protection Policy shall be complied with.
Appropriate controls are in place to prevent the permanent loss of essential information of Cuan Bhríde Childcare Centre as a result of malicious or unintentional destruction of information. These controls include restricting access to the filing cabinet to only those who are permitted to access the data. These controls include password protected access to the IT equipment that stores the data.
The Manager shall fully document and approve the destruction process.
Breach, Enforcement and Compliance
The person appointed with responsibility for Data Protection, the Manager, ensures that each employee complies with this policy. It is also the responsibility of the Manager to assist any local office with enquiries from any local data protection or governmental authority.
Any suspicion of a breach of this Policy must be reported immediately to the Manager. All instances of suspected breaches of the Policy shall be investigated, documented and action taken as appropriate.
Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence and possibly litigation, financial loss and damage to Cuan Bhríde Childcare Centre reputation, personal injury, harm or loss. Non-compliance with this Policy by employees, or any third parties, who have been granted access to Cuan Bhríde Childcare Centre premises or data, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
Routine Disposal Schedule
Records (only those containing personal data) which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:
-
Announcements and notices of day-to-day activities;
-
Message slips;
-
Outing reminder slips;
-
Newsletters.
The Manager will determine what documents can be routinely destroyed.
If there is a current court case or legal proceedings, all documents will be retained. Advise will be sought before disposing of documentation that may be subject to legal proceedings.
Destruction Method
Documents that include any personal data shall be disposed of confidentially (cross-cut shredded) and shall be subject to secure electronic deletion if stored electronically. The Data Disposal Schedule will be completed in all cases of disposing of documents containing personal data. Confirmation of destruction will be sought as needed.
Appendix – Data Retention Schedule
|
Child Records |
|
|
Personal Data Record Type |
Retention Period & Notes |
|
Child Record/Registration Forms including the consent forms. |
2 years from the time the child ceases to attend service – required by the 2016 Early Years Services Regulations. Information on the child record form may be required to be held until the child is 21 years in certain circumstances (for example, if there has been an accident or incident). |
|
Child Accident & Incident Records |
2 years from the time the child ceases to attend service – required by the 2016 Early Years Services Regulations. Until the child referred to in the record is 21 years of age – recommended for insurance purposes. |
|
Attendance records |
2 years from the time the children referred to in the record cease to attend service – required by the 2016 Early Years Services Regulations. Until the child referred to in the record is 21 years of age – recommended for insurance purposes. |
|
PPS details of child/parent and social welfare details of parent/guardian. |
Retain for period of time it takes to submit registration on PIP |
|
Medication administered with signed parental consent |
2 years from the time the child ceases to attend service – required by the 2016 Early Years Services Regulations. |
|
Child Observations |
Issued to the parents/guardians of the child when they leave the service. |
|
Child Development Records |
Issued to the parents/guardians of the child when they leave the service. |
|
Photographs/videos and associated consent forms. |
It is recommended that all photographs will be deleted/destroyed two years after the child has left the childcare service. Consent form for photographs/videos must specify how long the photographs/videos are retained for. |
|
Employee Records |
|
|
Personal Data Record Type |
Retention Period & Notes |
|
Employee files, all files relating to a staff member. |
8 years after employee ceases employment |
|
Employee Registration Form |
8 years |
|
Garda Vetting Forms & Responses |
8 years from the date employee commences employment or length of time employee works in the service – retain data for whichever time period is longer. |
|
Employee References |
8 years from the date employee commences employment or the length of time the employee works in the service – retain data for whichever time period is longer. |
|
Revenue Payslips P45 etc |
8 years |
|
Working Time Records |
8 years |
|
Minimum Wage Records |
8 years |
|
Staff Accident or Incident records |
10 years |
|
Annual Leave Records |
8 years after employee ceases employment |
|
Sick Leave Records |
8 years |
|
Sick Leave Payments |
8 years |
|
Maternity Leave |
8 year |
|
Adoptive Leave |
8 year |
|
Parental Leave |
8 years |
|
HR documents (disciplinary, grievance documents etc.) |
8 years after employee ceases employment or longer based on legal advice |
|
Paternity Leave |
8 years |
|
Force Majeure Leave |
8 years |
|
Careers Leave |
8 years |
|
Hazard Analysis & Critical Control Point (Food Safety) |
2 years |
|
Operational Records |
|
|
Personal Data Record Type |
Retention Period & Notes |
|
Fire Safety Records (including Fire Drills) |
5 years – required by the 2016 Early Years Services Regulations. |
|
CCTV Footage (If applicable) |
28 days or for the duration of an investigation. |
|
Visitors Book |
1 year from the date that it relates to – required by the 2016 Early Years Services Regulations. |
|
Staff Training Files |
6 years after employee leaves the company. |
|
Complaints and associated documents |
2 years from the date the complaint was dealt with – required by the 2016 Early Years Services Regulations. |
|
Job Applications / Applicants C. V’s |
1 year |
|
Interview notes |
1 year for shortlisted – 8 years after the employee leaves the company. |
|
Job Vacancy Notifications / Advertisements / Job descriptions |
1 year |
|
Financial Records |
|
|
Personal Data Record Type |
Retention Period & Notes |
|
Accounts |
7 years |
Appendix – Data Disposal Schedule
|
Name of Records |
Description |
Inclusive Dates |
Date of Destruction |
Method of Destruction |
Disposed of by |
|
Example: child record forms |
Child record forms which include the following details {medical info, address info, DOB, parental info etc} |
Children attending the service from September 2012-June 2013 |
01/05/2018 |
Shredded |
Owner / Manager Name |