At St Michael's Nursery, we take the privacy and security of your family's personal data extremely seriously. This policy explains how we collect, protect, and manage your information in compliance with the UK General Data Protection Regulation (UK GDPR).
1. Data Residency
All data collected through our digital registration forms is stored on secure servers located within the United Kingdom. We do not transfer your personal data to countries outside of the UK or the European Economic Area (EEA) unless specific legal safeguards are in place.
2. Advanced Security & Encryption
To meet the "Integrity and Confidentiality" requirements of the UK GDPR, we employ industry-leading technical security measures:
Encryption at Rest: Sensitive personal information—including names, contact details, and signatures—is encrypted before being stored in our database using AES-256-GCM (Advanced Encryption Standard).
Authenticated Data: Our encryption method ensures that data cannot be tampered with or altered by unauthorized parties.
Annual Key Rotation: We utilize an automated system that refreshes our encryption keys every year. This limits the long-term risk of data exposure.
What this means for you: Even in the highly unlikely event of a database breach, your personal information remains unreadable and secure without our private encryption keys, which are stored separately from the website.
3. Accountability and Access Control
We maintain a strict "Audit Trail" for all sensitive data:
Every time a staff member accesses your encrypted information, the system records their User ID, the time of access, and their IP address.
This ensures total accountability and allows us to monitor exactly who has viewed your data and why.
4. Data Retention and "Crypto-Shredding"
We do not keep your data longer than is legally necessary for school administration and UK educational requirements:
Our security system utilizes a rolling "Key Ring" that retains only the most recent four years of encryption keys.
Data that has not been accessed or updated within this four-year window is subject to "Crypto-shredding." Once an old key is retired, the associated data becomes permanently unrecoverable, ensuring it is effectively erased from our systems.
5. Your Legal Rights
Under the UK GDPR, you have the following rights regarding your data:
Right of Access: You may request a copy of the personal data we hold about you.
Right to Rectification: You may ask us to correct any inaccurate or incomplete information.
Right to Erasure: You may request that we delete your data, provided we are not legally required to keep it for educational or tax auditing purposes.
6. Incomplete Applications
To minimize the data we hold, the following policy applies to incomplete registrations:
Abandoned Forms: If a registration form is submitted but the required payment is not completed, the data will be held for a maximum of 30 days.
Notice of Deletion: We will issue an automated reminder email 14 days (2 weeks) before the data is permanently purged from our systems.
Permanent Removal: Once the 30-day period expires, all associated personal data is deleted from our database and is not recoverable.
7. Contact Us
If you have any questions about this policy or how your data is handled, please contact our Admissions Office: