Engineering Minds – Data Protection (GDPR) Policy

Purpose
Engineering Minds is committed to protecting the privacy and security of all personal data collected during the delivery of our LEGO Robotics Clubs. This policy outlines how we collect, store, use, and protect personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.


1. Who We Are
Engineering Minds is a provider of STEM-based afterschool and holiday clubs for children aged 5–12. In the course of delivering these services, we collect and process personal data from parents, children, staff, and third-party providers.
Data Controller:
 Engineering Minds
 Email: info@engineeringminds.org.uk


2. What Data We Collect
We may collect the following types of personal data:

From Parents/Guardians:
Child’s full name, date of birth, school, and year group
Parent/carer names and contact information (email, phone number)
Emergency contact details
Medical conditions or allergies
Special educational needs (where disclosed)
Consent for photography or media use
Booking and payment history


From Staff/Tutors:
Full name and contact information
Employment history, qualifications
ID and right-to-work documentation
DBS certificate number and issue date
Safeguarding declarations or training records



3. Why We Collect This Data
We process personal data to:
Ensure the safety and wellbeing of all children in our care
Comply with safeguarding regulations
Maintain emergency contact information
Deliver our services effectively and communicate with families
Fulfil legal and financial obligations (e.g. childcare vouchers, bursaries)
Record and respond to safeguarding, accident, or incident reports
Share updates and club communications (where consent is given)



4. Lawful Basis for Processing
We process data under the following lawful bases, as defined by the UK GDPR:
Lawful Basis         Examples
Contract             Managing club bookings and payments
Legal obligation     Safeguarding, health & safety, DBS checks
Consent              Media permissions, marketing emails
Legitimate interest  Improving club delivery, training staff
Vital interests      Emergency medical information



5. How We Store and Protect Data
All personal data is:
Stored securely on password-protected systems or encrypted platforms
Accessed only by authorised Engineering Minds staff and contractors
Never shared with third parties without consent (unless required by law)
Retained only as long as necessary (see retention section below)
Paper records (e.g. attendance or accident forms) are stored securely and destroyed by shredding after the appropriate period.


6. Data Retention Periods
Data Type                     Retention Period
Child records                 2 years after final session attended
Medical/accident records      3 years minimum (or longer if safeguarding related)
Staff recruitment & DBS data  2 years after leaving role (25 years for safeguarding cases)
Financial records             6 years (for HMRC compliance)



7. Photography and Media
Photos and videos of children may be taken only with written consent from parents/carers. Images are used solely for:
Sharing progress with parents
Club promotion (e.g. website or flyers, only with opt-in consent)
Internal training or reflection

Staff may use personal mobile phones only with prior consent and only for official purposes. All images must be deleted from personal devices after sharing with the company.


8. Data Sharing
We will never sell or distribute personal data.
We may share data only with:
School safeguarding leads (if a concern arises)
Emergency services (in case of serious injury or risk)
Local Authority or Ofsted (as required for safeguarding compliance)
Our booking platform provider (ClassForKids or equivalent) under a data-sharing agreement



9. Your Rights
Under UK GDPR, parents and staff have the right to:
Request access to their data (“Subject Access Request”)
Correct inaccurate data
Request erasure of personal data (where legally allowed)
Object to processing
Withdraw consent at any time (for media, marketing, etc.)

Requests can be made in writing to: info@engineeringminds.org.uk


10. Data Breach Procedure
In the event of a data breach:
We will investigate immediately
Inform affected individuals (where risk is high)
Notify the Information Commissioner’s Office (ICO) within 72 hours, if required



11. Policy Review
This policy is reviewed annually or when changes in data protection legislation occur.

 Last reviewed: July 2025
 Next review due: July 2026