Data Protection Policy
Purpose
In order to provide a high-quality sleep support service and comply with data protection legislation, Nighttime Navigator collects and processes personal information about clients and their children. This policy explains how data is collected, used, stored and disposed of, in accordance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
1. Lawful Basis for Processing

Personal data is collected and processed because it is necessary for the performance of a contract between Nighttime Navigator and the client. In some circumstances, data may also be processed to comply with legal obligations (for example, safeguarding duties) or with the individual’s consent. Information about a child’s health or medical conditions is special category data, and it is processed only with the explicit consent of the parent or carer, in addition to the contractual basis above.

2. GDPR Principles

Nighttime Navigator processes all personal data according to the following principles:

- Data is collected and processed lawfully, fairly and transparently.
- Data is collected only for specified, explicit and legitimate purposes.
- Data collected is adequate, relevant and limited to what is necessary.
- Data is accurate and kept up to date.
- Data is kept only for as long as necessary for the stated purpose.
- Data is processed and stored securely.
- Nighttime Navigator is accountable for, and able to demonstrate, compliance with these principles.

3. Information Collected

Information collected may include, but is not limited to:

- Parent or carer’s name and contact details
- Child’s name, date of birth and relevant medical or sleep information
- Sleep logs, consultation notes and communication records
- Payment and booking information
- Any correspondence by email, message or video call

This data is required in order to deliver the contracted service and maintain accurate records of the support provided.

4. Data Storage and Security

- Paper records are stored in a locked and secure location.
- Digital records are stored in encrypted cloud storage such as Google Drive or Dropbox, under accounts protected by strong, unique passwords.
- Backup files are held on encrypted devices and locked away when not in use.
- Firewall and antivirus protection are maintained and kept up to date on all relevant devices.
- Email, messaging and call records are deleted in line with the retention periods in section 5, once the support period has ended and no further contact is required.
- Any digital storage providers used are reviewed to ensure GDPR compliance.

5. Retention and Disposal of Data

- Client records are retained securely for up to twelve (12) months after the support period has ended, unless a longer retention period is required for legal reasons.
- Where a safeguarding concern has been identified, relevant records will be retained for a minimum of six (6) years after the concern is closed, or until the child reaches twenty-five (25) years of age, whichever is later.
- Once the retention period has expired, paper records are securely destroyed and digital records, including any backup copies, are permanently deleted.
- A quarterly data audit is conducted to ensure lawful retention and appropriate disposal.

6. Subject Access Requests

Parents and clients have the right to request access to the information held about themselves or their child. Requests may be made verbally or in writing; a written request is preferred so that it can be recorded accurately.
Information will be provided without undue delay and within one (1) month of receiving the request. Where a request is complex, this period may be extended by up to two (2) further months, and the requester will be told of the extension within the first month.
Clients also have the right to request that their data be corrected or deleted, subject to any legal obligation to retain it.

7. Information Sharing

Information will not be shared with any third party without the client’s consent, unless:

- There is a safeguarding or child protection concern,
- Disclosure is required to prevent serious harm, or
- Disclosure is required by law (for example, a court order).

In a medical emergency, relevant information may be shared with healthcare professionals in the child’s best interests.

8. Data Breach Procedure

If a data breach is suspected or confirmed:

- Affected individuals will be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- The Information Commissioner’s Office (ICO) will be notified within seventy-two (72) hours of Nighttime Navigator becoming aware of the breach, where required.
- A record of the breach, its cause and the actions taken will be maintained, whether or not the breach is reportable to the ICO.

9. Registration and Oversight

Nighttime Navigator is registered with the Information Commissioner’s Office (ICO) as a data controller.
The business ensures that all data processing activities comply with current UK data protection legislation and ICO guidance.

10. Review of Policy

This policy is reviewed regularly and updated as required to reflect changes in legislation or practice.
The most recent version is available on request and published on the Nighttime Navigator website.