Merry Go Round Toy Libraries
Data Protection and Privacy Policy


  • Charity: means Merry Go Round Toy Libraries, a registered charity 
  • GDPR: means the General Data Protection Regulation
  • Responsible Person: means the Toy Library Manager
  1. Data protection principles
    Merry Go Round Toy Libraries recognises that the previous Data Protection principles remain largely unchanged and are of utmost importance. GDPR requires the Toy Libraries to ensure our data processing is:
    1. Lawful, fair and transparent
    2. That personal data is collected for specified, explicit and legitimate purposes and not further processed in an incompatible way
    3. That personal data is adequate, relevant and limited to what is necessary to achieve the purposes for which it was collected
    4. That personal data is accurate and kept up to date, and that we take reasonable steps to rectify or erase inaccurate data
    5. That personal data is not kept in identifiable form for longer than necessary
    6. That personal data is processed in a way that ensures security of the data and protects it from unauthorised use
    7. That we can demonstrate compliance with the Principles
  2. General provisions
    1. This policy applies to all personal data processed by the Charity
    2. The Responsible Person shall take responsibility for the Charity’s ongoing compliance with this policy
    3. This policy shall be reviewed at least annually
  3. Registration with the Information Commissioner’s Office
    Merry Go Round, like most charities and not-for-profit organisations, qualifies for exemption from registering with the Information Commissioners because it was established for not-for-profit making purposes and does not make a profit. We must:
    1. Only process information necessary to establish or maintain membership or support
    2. Only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
    3. Only share the information with people and organisations necessary to carry out the organisation’s activities. Important - if individuals give us permission to share their information, this is alright
    4. Only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration
  4. Lawful, fair and transparent processing
    1. This Policy shall be reviewed at least annually.
    2. Individuals have the right to access their personal data and any such requests made to the charity shall be dealt with in a timely manner.
  5. Lawful purposes
    1. Each new member is asked to fill in an online form on our Lend-Engine site with contact details and whether joining as a group member or a family member. This information is needed for toy bookings and membership, and to receive reminders about overdue toys and information about our services. Members are also asked to fill in optional monitoring information about number and age of children using the library, ethnicity, disability or developmental needs. This information is used by us when we buy more toys, and for statistics for grant applications. It does not identify individual children or adults in any way.
    2. All details given are confidential, kept securely and not passed on to third parties. They are only used in connection with the toy library
    3. Email addresses are also added to a mailing list for information about our services, closure dates, fundraisers etc.
    4. Copies of information are destroyed within two years of membership lapsing.
    5. Every email sent from our mailing list includes information on how to unsubscribe from this list.
    6. Consent is relied upon for the lawful basis for processing data. Members are asked to tick a box during the registration process to show they agree to our terms and conditions which are included as a page link on our Lend-Engine site. Terms and conditions include a link to our Data Protection and Privacy policy.
  6. Data minimisation
    1. The Charity shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  7. Accuracy
    1. The Charity shall take reasonable steps to ensure personal data is accurate.
    2. Members are asked to update their information when membership is renewed.
  8. Archiving / removal
    1. 24 months after a membership lapses or is cancelled, their loan and payment history will be retained, but personal contact information will be removed. Any monitoring information retained will be anonymous. We collate monitoring information from the previous year and use it to create reports for our Annual Report which is sent to funders and members and for informing grant applications.
    2. Email addresses on the mailing list are kept until members ask to be unsubscribed.
  9. Security
    1. Personal data is stored securely on the Lend-Engine site.
    2. Email addresses are securely stored in an online database with password access control. The software is automatically updated.
    3. Access to personal data is limited to toy library staff and IT support and is not shared externally.
  10. Breach
    1. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
  11. Online payments
    1. Payments made to the toy libraries through Loan-Engine use an integrated payment system called Stripe. The link to information about their use and protection of information is at

Policy last updated December 2021

Adopted by MGR trustees as documented in committee meeting minutes dated 2nd December 2021

Next policy review due December 2022