Data Controlling / Data Management Policy

Zenith Childcare – Data Controlling / Data Management Policy

Effective date: 3rd November 2025

 

  1. Policy purpose

This policy sets out how Zenith Childcare manages the personal data we control (as data controller) in order to ensure compliance with GDPR, the Data Protection Act 2018 and good practice in data management. It addresses roles, responsibilities, data lifecycle (collection, storage, use, disposal), security, data breach management and records of processing.

  2. Scope

This policy applies to all staff, volunteers, contractors and third-party service providers who access or process personal data on our behalf. It covers all personal data held by Zenith Childcare, whether electronic or paper.

  3. Definitions
  • Personal data: any information relating to an identifiable person.
  • Special category data: personal data revealing health, racial or ethnic origin, political opinions, religious beliefs, genetic/biometric data, etc.
  • Data controller: the entity which determines the purposes and means of processing.
  • Data processor: the entity which processes data on behalf of the controller.

  4. Roles & responsibilities
  • Data Protection Officer (DPO): responsible for advising the organisation about compliance, monitoring and reporting to management, and acting as point of contact for data subjects and the Data Protection Commission (DPC).
  • Senior management/owner: ensures adequate resources for data protection, approves policy and ensures staff accountability.
  • All staff: must follow this policy, attend training, report data breaches and handle personal data responsibly.

 

  5. Data collection & lawful processing
  • We only collect data that is necessary, relevant and adequate for the purpose (data minimisation).  
  • We document the lawful basis for each processing activity (contract, legal obligation, legitimate interest, consent).
  • Where children’s data is processed, we take special care: for example, any photograph or video use of children requires parental/guardian consent, and children under 16 in Ireland cannot provide valid consent themselves for many online services.

  6. Data accuracy & updating
  • We review data on a periodic basis and update or delete records if inaccurate or obsolete.
  • Data subjects should notify us of any changes to their personal data.

 

  7. Data access and subject rights
  • Data subjects (parents/guardians, staff, suppliers) have rights (access, rectification, erasure, restriction, portability, objection). We provide mechanisms for requests and respond within one month (or up to two months if complex).  
  • We maintain a record of access requests and how we dealt with them.

 

  8. Data storage & security
  • We store personal data securely (e.g., locked cabinets for paper records; encrypted or password-protected systems for electronic records).
  • Access to personal data is restricted to authorised personnel.
  • Systems are protected via firewalls, anti-virus, secure servers and backups.
  • We have procedures for secure disposal of personal data when no longer needed (secure shredding of paper records; deletion or anonymisation of electronic data).

 

  9. Data retention & deletion
  • We establish retention schedules for different categories of data (children’s records, staff records, financial records, marketing data).
  • When the retention period expires, data is securely deleted or anonymised.
  • For enquiries which do not result in enrolment we may keep contact data for a short period (e.g., 12 months) before deletion.  

 

  10. Data sharing & third-party processors
  • We vet and contract with any third-party processors (e.g., payroll, IT cloud platforms, marketing agencies) to ensure they comply with GDPR and provide sufficient safeguards.
  • Data sharing with external entities is only done when lawful, necessary and proportionate.
  • Where data is transferred outside the EEA, we apply appropriate safeguards.

 

  11. Data breach management
  • We have procedures to detect, report, investigate and remedy personal data breaches.
  • In the event of a notifiable breach, we will notify the DPC without undue delay (typically within 72 hours) unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
  • We will keep a register of breaches, including details of the incident, impact, mitigation and future prevention.

 

  12. Data protection by design & default
  • When implementing new systems or processing activities we assess data protection implications (Data Protection Impact Assessment where required).
  • We ensure by default only the minimum personal data necessary is processed for each purpose.

 

  13. Training & awareness
  • All staff and relevant contractors receive training on GDPR, confidentiality, security, breach reporting, and our policies.
  • We regularly review and update training materials and remind staff of responsibilities.

 

  14. Monitoring & audit
  • Senior management and the DPO monitor compliance with this policy and conduct periodic audits of data processing activities, retention schedules and security measures.
  • Findings from audits lead to remedial action if required.

 

  15. Policy review and modifications
  • This policy will be reviewed at least annually or sooner if required (e.g., change in legislation, processing activities, business model).
  • The policy is approved by the management of Zenith Childcare and published internally and externally (e.g., website).

 

 

Contact details

Data Protection Officer: Oonagh Hoey

Zenith Childcare

Suite 301, 56 Fitzwilliam Square North, Dublin

Email: info@zenithcaregroup.com



