Honey Pots are registered under the Data Protection Act governed by the Information Commissioners Office (ICO). Our Company certificate registration reference; Z1494285.

General Statement of Duties

Honey Pots is required to process relevant personal data regarding practitioners, volunteers, applicants, parents, pupils and their siblings and customers as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.

Data Protection Controller

Sharon Redfern is the lead appointed Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the Data Protection Act 1998. The Freedom of Information Act 2000 and the Protection of Freedoms Act 2012 are also relevant to parts of this policy.

Honey Pots recognises The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) adopted 25 May 2018 and is actively working towards compliance with that directive.

As part of employment within Honey Pots accredited GDPR training is given to all practitioners.

The Principles

Honey Pots shall so far as is reasonably practicable comply with the Data Protection Principles (the Principles) contained in the Data Protection Act to ensure all data is:-

• Fairly and lawfully processed

• Processed for a lawful purpose

• Adequate, relevant and not excessive

• Accurate and up to date

• Not kept for longer than necessary

• Processed in accordance with the data subject’s rights • Secure

• Not transferred to other countries without adequate protection.

• Parental consent, includes the consent of a guardian.

• Data Subject, an individual who is the subject of the personal data.

Personal Data

Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as the practitioners name and address and details for payment of salary or a child’s attendance record and fee payments. Personal data may also include sensitive personal data as defined in the Act.

Processing of Personal Data

Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent. In some cases specific organisations may publish a detailed privacy policy relating to their services. Use of those services indicates acceptance and may grant additional consent as to how Honey Pots may process personal data.

Sensitive Personal Data

Honey Pots may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation and criminal records and proceedings.

Rights of Access to Information

Data subjects have the right of access to information held by Honey Pots, subject to the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the DPO. Honey Pots will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 1 calendar month for access to records and 21 days to provide a reply to an access to information request. The information will be imparted to the data subject as soon as is reasonably possible after it has come to Honey Pots attention and in compliance with the relevant Acts.


Certain data is exempt from the provisions of the Data Protection Act which includes the following:

• National security and the prevention or detection of crime

• The assessment of any tax or duty

• Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon Honey Pots, including Safeguarding and prevention of terrorism and radicalisation

The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the DPO.

Breach Notification

Should Honey Pots suspect a data breach, these must be reported to the DPO and subsequently reported to the ICO immediately. These must be recorded on a breach register.

Personal data breaches can include:

• access by an unauthorised third party;

• deliberate or accidental action (or inaction) by a controller or processor;

• sending personal data to an incorrect recipient;

• computing devices containing personal data being lost or stolen;

• alteration of personal data without permission; and

• of availability of personal data.

unavailable and this unavailability has a significant negative effect on individuals.


Honey Pots will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.


If an individual believes that Honey Pots has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the Practitioner should utilise the grievance procedure and should also notify the DPO.

Data Security

Honey Pots will take appropriate technical and organisational steps to ensure the security of personal data. All practitioners will be made aware of this policy and their duties under the Act. Honey Pots and therefore all practitioners, children and parents/carers are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

A personal data breach can be broadly defined as a security incident that has affected the

confidentiality, integrity or availability of personal data. In short, there will be a personal data

breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone

accesses the data or passes it on without proper authorisation; or if the data is made


An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and be encrypted when transported offsite. Other personal data may be for publication or limited publication within Honey Pots, therefore having a lower requirement for data security.

External Processors

Honey Pots must ensure that data processed by external processors, for example, service providers, Famly, Cloud services including storage, web sites etc. are compliant with this policy and the relevant legislation.

Secure Destruction

When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.

Retention of Data

Honey Pots may retain data for differing periods of time for different purposes as required by statute or best practices, individual departments incorporate these retention times into the processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. Honey Pots may store some data such as registers, photographs, promotional material, achievements, art work etc. indefinitely in its archive.


Honey Pots owns and operates a CCTV network for the purposes of crime prevention and detection, and Safeguarding. Where a data subject can be identified, images must be processed as personal data.