First Kick Foundation
Company No: 15651813
01772 428086

Purpose & Scope

This policy sets out how First Kick Football collects, stores, processes, and shares personal data about children, parents/carers, staff, and volunteers. It ensures compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EYFS 2023 (paras 3.68–3.71), and Keeping Children Safe in Education 2025.

GDPR Principles

We process all personal data in line with the following principles:
– Lawfulness, fairness, and transparency
– Purpose limitation – used only for the purpose collected
– Data minimisation – limited to what is necessary
– Accuracy – kept accurate and up to date
– Storage limitation – kept only as long as necessary
– Integrity and confidentiality – kept secure
– Accountability – we can demonstrate compliance

Roles & Responsibilities

– The Manager has day-to-day responsibility for data protection.
– The Operations Director (Suleman Desai) holds overall accountability.
– The Director of Office Operations / Senior Manager (Claire Ashton) is the named Data Protection Lead.
– All staff are trained in confidentiality and safe data handling.

Confidentiality

– All personal information is treated as confidential.
– Data is only shared with staff on a need-to-know basis.
– Safeguarding exception: if a child is at risk of harm, information will be shared with the DSL, LADO, or police in line with statutory guidance.

Data We Keep

Children & Parents/Carers
– Registration forms, medical details, care plans
– Emergency contacts, authorised collectors
– Attendance registers, accident/incident logs
– Progress notes (EYFS children)
– Photos/videos (only with parental consent)

Staff & Volunteers
– Application forms, references, DBS details
– Contracts, payroll, tax/NI details
– Supervision, appraisal, training records
– Disciplinary or grievance records

Lawful Bases for Processing

We process data under the following lawful bases:
– Legal obligation – e.g., safeguarding, health & safety, HMRC requirements
– Contract – e.g., delivering booked childcare services, employment contracts
– Consent – e.g., photos/videos, optional marketing
– Vital interests – e.g., sharing medical info with paramedics in an emergency

Data Security

– Paper records stored in locked cabinets.
– Electronic data protected with passwords and encryption.
– Access to data restricted to authorised staff.
– Regular checks on security procedures.

Sharing Data with Third Parties

We may share data with:
– Schools, health professionals, and external agencies (where required for a child’s care).
– HMRC and pension providers (for staff).
– Regulators such as Ofsted.

We will not share personal data with third parties for marketing purposes.

Subject Access Requests

– Parents/carers, staff, and volunteers can request access to the data we hold about them.
– Requests should be made in writing to the Data Protection Lead.
– We will respond within one calendar month.

Retention & Disposal

– Children’s records – retained for three years after they leave, or until the child is 21 + 3 years if linked to a safeguarding/accident matter.
– Staff employment records – retained for six years after employment ends.
– Financial/tax records – retained for seven years.
– All data will be securely shredded or permanently deleted when no longer required.

Rights of Individuals

Individuals have the right to:
– Access their data
– Request correction of inaccurate data
– Request deletion (where legally possible)
– Restrict processing in certain circumstances
– Object to processing (e.g., marketing)
– Request data portability (where applicable)

Complaints to ICO

If you are unhappy with how we handle your data, you can contact:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk

Review

This policy will be reviewed annually, or sooner if required by changes in legislation or practice.