Privacy notice for the School-based Nurseries Capital Grant

Last updated: 16/09/2025

The School-Based Nurseries (SBN) Capital Grant is a grant available for eligible schools in England to bid for capital funding. The funding is used exclusively for capital expenditure to create new or expand nursery provision.

Who we are

SBN is delivered by the Department for Education ('we', 'our', 'us').

For the purposes of the UK data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller for the personal data collected and processed as part of the capital grant.

For more information about how we handle personal data please see: Personal information charter - Department for Education (opens in a new tab).

Purpose and lawful basis for processing

The lawful basis we rely on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department.

This is done under Section 50 of the UK Internal Market Act 2020 which enables a Minister of the Crown to provide financial assistance to support international education and training activities and exchanges.

With regards to the sharing information to prevent fraud, this is done under section 56 of the Digital Economy Act 2017 which permits the disclosure of information to combat fraud against the public sector.

When we collect your personal information

We receive your personal information when:

  • you submit an application for funding on behalf of your school
  • you submit a registration of interest for funding on behalf of your school
  • you contact us for support about using our service
  • you leave feedback about our service

The information we will collect if you work for a school

If you work for a school which is applying for funding, is in receipt of funding, or registering an interest in funding and you are:

  • signing into the service
  • the bid coordinator for your school
  • submitting an application for funding on behalf of your school
  • registering your interest in the grant or future funding opportunities

We will collect and process the following personal information:

  • first name
  • last name
  • email address
  • job role (if you are the bid coordinator)
  • phone number (if you are the bid coordinator)

How we use your information

We will use your information to process your application, your requests for funding and other documentation shared during the funding cycle.

We may also use this information to contact you about your project or to ask if you would like to take part in user research.

Examples of this activity includes:

  • registering your interest in the grant or future funding opportunities
  • processing your application for funding
  • notifying you about the outcome of your application or funding request
  • distributing funding to your organisation
  • reviewing how funding is used
  • recovering funding where necessary
  • preparing anonymous data on organisations
  • reviewing our administration of the grant
  • reviewing whether the grant is meeting its stated objectives
  • inviting you to participate in anonymous research about the grant
  • sharing anonymised information about the grant

Who we share your personal information with

Registrations of interest will be shared with local authorities.

Additionally, we may need to share your information with other organisations so that we can:

  • assess your application for funding
  • evaluate the short, medium and long term benefits and impacts of the grant
  • detect fraudulent activity on our service

In these instances, we may need to share your information with our appointed assessors, other government departments and agencies, research partners or law enforcement agencies.

Information may be subject to publication or disclosure under the Freedom of Information Act 2000, the Data Protection Act 2018 or the Environmental Information Regulations 2004.

Where your data is stored and processed

We use Microsoft products to design, build and run our systems. All personal data is stored in the EU Data Boundary.

The EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process customer data for their major commercial enterprise online services, subject to limited circumstances where customer data will continue to be transferred outside the EU Data Boundary.

The EU Data Boundary consists of the countries in the European Union (EU) and the European Free Trade Association (EFTA). The EU Countries are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden; and the EFTA countries are Liechtenstein, Iceland, Norway, and Switzerland.

The EU Data Boundary uses Microsoft datacentres announced or currently operating in Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Netherlands, Norway, Poland, Spain, Sweden, and Switzerland. In the future, Microsoft may establish datacentres in additional countries located in the EU or EFTA to provide EU Data Boundary services.

How long we will keep your personal data

We only keep your personal information for as long as we need it. We decide how long to keep your information based on what we need and what the law says. All data is securely and permanently deleted at the end of the retention period. We call this our retention and disposal schedule.

We keep your personal information:

  • for five years for correspondence purposes
  • for five years for application purposes
  • for seven years for funding purposes

Data protection rights

There are legitimate reasons why we may refuse your information rights request, which depend on why we are processing it.

We are relying on public task for this processing. This means you have:

  • the right to be informed about the collection and use of your personal data - this is called the 'right to be informed'
  • the right to ask us for copies of personal information we have about you - this is called the 'right of access' and is also known as a subject access request (SAR), data subject access request (DSAR) or right of access request (RAR)
  • the right to ask us to change any information you think is not accurate or complete - this is called the 'right to rectification'
  • the right to ask us to stop using your information - this is called the 'right to restriction of processing'
  • the 'right to object to processing' of your information, in certain circumstances
  • the right to complain to the Information Commissioner (ICO) (opens in a new tab) if you feel we have not used your information in the right way

For more information, see the ICO's guide to individual rights (opens in a new tab).

If you need to contact us regarding any of the above, or have any other questions about how your personal information will be used, please contact us using the Customer Help Portal (opens in a new tab).

More information about how we handle personal information is published here: https://www.gov.uk/government/organisations/department-for-education/about/personal-information-charter.

The ICO makes further information about your data protection rights available in their: Guide to the General Data Protection Regulation (GDPR) (opens in a new tab).

Right to lodge a complaint

You have the right to raise any concerns with the ICO (opens in a new tab).