Aims
The Learning Centre (TLC) takes data protection very seriously. As such, this policy outlines the measures the tuition centre will put in place to ensure the protection of all personal and sensitive data about staff, parents and children. This policy outlines a data protection by design culture within the tuition centre so that all collection, storage and processing of data, whether digital or on paper, is carried out lawfully in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018.
Legislation and guidance
On 25th May 2018, the General Data Protection Regulation (GDPR) became effective. The GDPR aims to protect the right to privacy of every EU resident, giving them a greater say over how their personal data is used. Furthermore, it details how EU personal data laws are applied outside the EU. The GDPR, therefore, has important implications for how organisations handle confidential data.
The Learning Centre is classified under GDPR as a data controller. We have always complied rigorously with the Data Protection Act (DPA, 2018), and we have taken every step to ensure that we are also compliant with the new legislation under the GDPR. The GDPR also places responsibilities on every person, business or organisation that collects personal data to ensure that this data is managed appropriately and is held securely.
Roles and responsibilities
The Learning Centre (TLC) will follow the outline below for distribution of responsibilities in relation to GDPR within the tuition centre.
Data protection principles
The data protection principles that the tuition centre must follow in order to be compliant with GDPR state that personal data must be:
- processed lawfully, fairly and in a transparent manner;
- collected for legitimate purposes;
- relevant and limited to what is necessary in order to fulfil the purposes for which it is processed;
- kept up to date;
- stored for no longer than is necessary;
- processed in a way that ensures it is appropriately secure.
This policy outlines how the school will comply with these principles.
Photos
- Photos and videos taken within the tuition centre for public use are to be considered under GDPR.
- Any photo or video of recognisable individuals which the tuition centre wishes to publish, for example on the tuition webpage or social media platform, will only be published with prior written consent. Written consent will be obtained via completion of the registration form.
Photographs and video captured by parents for personal use do not fall under the scope of GDPR.
Disposal of data
The Learning Centre will always ensure that records containing personal and/or sensitive data are disposed of safely and securely.
For example, any paper records due to be disposed of will be securely shredded, either on site or through an approved third-party disposal service. When using a third party, it is the tuition centre's responsibility to ensure that the company guarantees the records are disposed of securely.
Any digital records containing personal data will be deleted using the internal erasure procedure of the relevant software. For example, records stored on a Windows laptop would be deleted using the Windows delete functions. It is up to individuals to make sure they have deleted personal data from devices once that data is no longer relevant, or the device is being passed on.
When disposing of sensitive personal data, the tuition centre will use a file-wiping utility to remove it, preventing the retrieval that may be possible when data is erased using internal procedures.