The Tutor Train Data Protection Policy
Revised: 15th September 2021 by Praema Stelling
Next revision date: 15 September 2022
The Tutor Train needs to gather and use certain information about individuals in order to provide the service of tuition.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
Data protection law
The Data Protection Act 1998 describes how organisations, including the Tutor Train, must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
Everyone who works for or with the Tutor Train has responsibility for ensuring data is collected, stored and handled appropriately. Each member who handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these responsibilities lie with the business owner:
- Keeping the team updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Handling data protection questions from tutors and anyone else covered by this policy.
- Dealing with requests from individuals to see the data the Tutor Train holds about them (also called ‘subject access requests’).
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.
- Approving any data protection statements attached to communications such as emails and letters.
- Tutors will require some information to be shared with them about their student. This includes, but is not limited to, the child’s age, academic achievement, home address and parent contact details. Only information that is needed for their work will be shared. This will predominantly be shared via the TutorCruncher platform.
- Tutors should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the company or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
These rules describe how and where data should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. When not required, the paper or files should be kept in a locked drawer or filing cabinet. Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared among employees.
- If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- All servers and computers containing data should be protected by approved security software and a firewall.
The Tutor Train uses TutorCruncher to manage clients and lessons. TutorCruncher acts as a data processor. In accordance with their terms and conditions, they do not sell, trade or rent users’ personal identification information to others. They may share generic aggregated demographic information, not linked to any personal identification information, regarding visitors and users with their business partners, trusted affiliates and advertisers. They may use third-party service providers to help them operate their business or administer activities on their behalf. They may share your information with these third parties as part of their business operations. They treat the user database with the greatest respect and will never share its contents with another user of TutorCruncher.
Individuals, be they tutors, clients or students, can create TutorCruncher accounts which they then use across multiple companies; these users may therefore receive communications from different companies that are also using TutorCruncher. A company with a TutorCruncher account will only have access to the user data in its company-specific database.
At the Tutor Train, information about a student, from initial contact with the parent/guardian (via email or phone call), will be shared with a tutor once a job has been agreed. This is to allow the tutor to prepare for a lesson to support the needs of the individual.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. An example of this may be for safeguarding purposes.
The Tutor Train abides by the European General Data Protection Laws (GDPR) and will never share your information with anyone outside the agency or via social media. We will pass your details on to our tutors when we have identified a suitable tutor to meet your requirements. We do not send unsolicited emails and will only contact you to send invoices or to discuss your personal needs.
Breaches in data security will be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours, and at the latest within 72 hours.
You have the right to have your data removed; to do so, please contact us and we will delete all information we hold about you. You also have the right to request a copy of any information we hold about you. We will not hold your data if it is no longer required.