Data Protection & GDPR Policy

The PDF of this policy is the definitive April 2026 version — available here.

In accordance with the UK GDPR and Data Protection Act 2018

1. Introduction

The Bread Kitchen C.I.C. is committed to protecting the privacy and personal data of all individuals we work with, including children, young people, parents/carers, staff, volunteers, and partners.

We process personal data in accordance with:

UK General Data Protection Regulation
Data Protection Act 2018

We aim to ensure that all personal data is handled lawfully, fairly, transparently, and securely.

2. Data Protection Principles

We adhere to the core principles of data protection. Personal data will be:

Processed lawfully, fairly and transparently
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate and kept up to date
Retained only as long as necessary
Processed securely to prevent unauthorised access, loss or damage

3. Data Controller

The Bread Kitchen C.I.C. is the Data Controller.

Data Protection Lead:
Catherine Cordiner-Achenbach

Responsibilities include:

Ensuring compliance with data protection law
Managing data protection procedures
Responding to Subject Access Requests
Liaising with the Information Commissioner's Office (ICO) where required

4. Lawful Bases for Processing

We process personal data under the following lawful bases:

Contract – to provide services to children, learners and families
Legal obligation – to comply with HMRC, safeguarding, and other statutory duties
Vital interests – to protect someone’s life or safety
Legitimate interests – for the effective running of the organisation
Consent – where required (e.g. photos, marketing, some third-party sharing)

For special category data (e.g. health information), we rely on:

Provision of care and safeguarding
Employment law obligations
Explicit consent where appropriate

5. Confidentiality

We respect confidentiality in the following ways:

Information about a child is only shared with their parent/carer unless safeguarding concerns apply
Information is not shared with third parties without consent unless legally required
Safeguarding concerns are recorded and shared only with designated safeguarding leads and relevant authorities
Staff discuss personal data only where necessary for service delivery
Staff receive confidentiality training as part of induction
Personnel matters are kept strictly confidential

6. Information We Hold

Children and Families

We collect only necessary information, including:

Registration and contact details
Medical and dietary information
Attendance records
Accident and incident records
Safeguarding information where applicable

Lawful basis: Contract and legal obligation
Special category data condition: Provision of care and safeguarding

Staff and Volunteers

We hold data including:

Contact details
Employment records
Payroll and HMRC information
Health information (where relevant)

Lawful basis: Legal obligation and contract
Special category data condition: Employment law obligations

7. Storage and Security

We implement appropriate technical and organisational measures to protect personal data:

Paper records stored in locked cabinets
Electronic data stored on password-protected systems
Access restricted to authorised personnel only
Secure disposal (shredding/deletion) of data when no longer required
Use of secure systems for payroll, bookings and communication

8. Data Retention

We retain personal data only as long as necessary, in line with:

Legal requirements
Insurance requirements
Safeguarding guidance
Best practice retention schedules

When no longer required:

Electronic data is securely deleted
Paper records are securely destroyed

9. Sharing Information

We only share personal data where necessary and lawful:

With consent from parents/carers where appropriate
Without consent where required for:
- Safeguarding
- Prevention/detection of crime
- Legal obligations

We may share data with:

Local authorities
Safeguarding agencies
HMRC
Ofsted/commissioners
Approved third-party service providers (e.g. payroll, booking systems)

All third parties are required to comply with UK GDPR.

Where information is shared without consent, this is recorded with reasons.

10. Safeguarding and Information Sharing

Where there are safeguarding concerns, information will be shared in line with:

Government guidance on safeguarding
The organisation’s Safeguarding Policy

Our primary responsibility is the safety and wellbeing of children and vulnerable individuals.

11. Data Subject Rights

Individuals have the following rights under the UK General Data Protection Regulation:

Right to be informed
Right of access
Right to rectification
Right to erasure (where applicable)
Right to restrict processing
Right to data portability
Right to object

12. Subject Access Requests (SARs)

Requests must be responded to within one month
Requests can be made by:
- Parents/carers (for their child)
- Staff or volunteers (for their own data)

We will:

Provide copies of requested data
Correct inaccurate data
Explain any lawful reasons for refusing deletion

13. Data Breaches

Any data breach will be:

Reported immediately to the Data Protection Lead
Assessed and recorded
Reported to the Information Commissioner's Office within 72 hours if required
Communicated to affected individuals where there is a high risk

14. Complaints

If an individual is unhappy with how their data has been handled, they may:

Raise concerns with The Bread Kitchen C.I.C.
Complain to the Information Commissioner's Office

15. Training and Awareness

All staff and volunteers receive data protection training
Data protection is included in induction
Regular updates are provided as required

16. Monitoring and Review

This policy will be:

Reviewed annually
Updated in line with changes in legislation or organisational practice

Next review date: 30 June 2027

17. Contact Information