How National Learning Group protects your personal data
At the National Learning Group, company number 10503505, we are committed to protecting the privacy and security of the personal data we handle. This policy explains how we collect, use, store and protect personal data in line with UK GDPR, the Data Protection Act 2018 and other relevant data protection legislation.
Applies to parents, students, tutors and staffReviewed annually or when required
โ UK GDPR aligned
โ Data Protection Act 2018
โ Safeguarding-aware data handling
โ ICO escalation route
1
Scope
Who is this privacy policy for?
This Privacy Notice applies to students, parents and guardians, tutors, teachers, internal staff, and any other individual or business that uses NLG products or services or participates in research programmes conducted by the National Learning Group.
Students, parents and guardians, referred to as Clients.
Tutors, teachers and internal staff.
Any other person or business using NLG services or taking part in NLG research activity.
Policy updates
Any changes to this Privacy Notice will be posted on the website, so users can see what personal data is collected, why it is used and when it may be disclosed.
2
Purpose
Why and how does NLG use personal data?
NLG uses personal data to provide individually tailored tutoring and learning support. This may include contacting approved representatives to discuss progress, learning needs, privacy matters or safeguarding concerns where appropriate.
To provide suitable tutoring and learning support.
To match students with appropriate tutors and services.
To communicate with clients, approved representatives and relevant staff.
To support safeguarding, quality assurance and service improvement.
To research the impact of NLG services on student learning outcomes using minimal necessary data.
NLG will never sell personal data or use it to market or sell non-NLG products or services. Non-personal data may be shared in aggregated or anonymised form, provided that individuals cannot be identified from that data.
3
Collection and retention
How does NLG get personal data, and how long is it kept?
Enrolment data
During enrolment, NLG collects and verifies information needed to provide the correct service, such as age, year group, learning needs, subject requirements and appropriate tutor matching details.
Approved representatives
An approved representative may be anyone with lawful access to personal, sensitive, education or health data in the context of NLG services, such as an employer or school Designated Safeguarding Lead.
NLG does not keep personal data for longer than is necessary. Personal data is retained while a Client is active. When a user stops using NLG, their data is retained only for as long as necessary to meet reporting, safeguarding, legal or operational requirements.
When personal data is no longer required, it will be deleted or stripped of identifying data.
Where re-identification is not possible, data may no longer be personal data and may be retained by NLG.
Video lesson recordings are secured for 90 days before being deleted.
Calls are held only for as long as necessary.
4
Data categories
What data does NLG collect?
NLG collects data that is necessary to provide safe, suitable and effective tutoring services. We do not collect unnecessary data and we do not process personal information in ways that are not specified in this notice.
Personal data
Name, date of birth, home address, contact information, employment status, recruitment qualifications, DBS checks and internal communication records.
Education data
Information linked to education status, year group, subjects of study, exam reports, SENDCo referrals or learning support needs where provided.
Health or sensitive data
Where disclosed or required for support, this may include diagnoses, additional support needs or safeguarding-related information handled under NLG's duty of care.
Through tutoring services, some special category information may be accidentally captured or disclosed during contact or recorded tutoring sessions. Where this creates a safeguarding or privacy concern, NLG will take appropriate steps, including discussing data destruction options where relevant.
5
Legal basis
Lawful basis for processing
NLG processes personal data using the following lawful bases, depending on the context and the type of data being handled.
Consent
Explicit consent from Clients where required or appropriate.
Contract
Processing necessary for the performance of a contract with staff, tutors or Clients.
Legal obligation
Processing required to comply with legal and regulatory responsibilities.
Legitimate interests
Processing needed to ensure the safety, quality and effective delivery of NLG educational services.
6
Principles
Data processing principles
NLG follows the core data protection principles when handling personal data.
Lawfulness, fairness and transparency.
Purpose limitation.
Data minimisation.
Accuracy.
Storage limitation.
Integrity and confidentiality.
7
Your rights
Rights of data subjects
Depending on the circumstances, data subjects may have the following rights over their personal data.
Access: request access to personal data.
Rectification: request correction of inaccurate or incomplete data.
Erasure: request deletion of data under certain conditions.
Restriction: request restriction of processing under certain conditions.
Data portability: request transfer of data to another organisation.
Objection: object to processing under certain conditions.
Consent: withdraw consent at any time where relevant.
Complaint: complain to the Information Commissionerโs Office in the United Kingdom.
8
Security
Data security measures
NLG implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Encryption of sensitive data in transit and at rest where appropriate.
Access controls that restrict access based on roles and responsibilities.
Regular security audits and risk assessments.
Safeguarding-aware handling of education, health and sensitive information.
9
Complaints
Data Protection Complaints
If you have a concern about how the National Learning Group has collected, used, stored, shared, or otherwise handled your personal data, you can make a data protection complaint to us.
This includes concerns about:
How we use your personal data.
How we contact you by phone, email, SMS, or other marketing channels.
Where we obtained your personal data from.
How we use cookies, tracking, or online advertising data.
How we handle requests to unsubscribe, opt out, delete data, or access personal data.
We will acknowledge receipt of your complaint within 30 days. We will then take appropriate steps to investigate your complaint, keep you informed where necessary, and tell you the outcome without undue delay.
If you are unhappy with how we handle your complaint, you have the right to complain to the Information Commissionerโs Office, the UK supervisory authority for data protection matters.
10
Suppliers
Third-party vendors
NLG ensures that third-party vendors comply with GDPR requirements by taking appropriate steps before and during supplier relationships.
Due diligence before engaging vendors.
Data processing agreements outlining GDPR obligations.
Regular monitoring and review of vendor compliance with data protection standards.
NLG does not collect special categories of information via third-party vendors without due notification. Where a partner service uses NLG, or where NLG refers a Client to a partner service, relevant privacy notices and data-sharing arrangements apply.
11
Incidents
Data breach management
In the event of a data breach, NLG will take appropriate steps to contain, assess and respond to the incident.
Contain and recover: immediately contain the breach and begin recovery procedures.
Assess impact: assess the potential impact on data subjects.
Notify authorities: notify the Information Commissionerโs Office within 72 hours, if required.
Communicate: inform affected data subjects if the breach poses an elevated risk to their rights and freedoms.
12
Tracking
Cookies
To provide NLG services through a web browser, NLG and associated third parties may place cookies on usersโ devices. Cookies are used to collect standard internet logs and user behaviour information.
To arrange and improve website content.
To support website security.
To track use of NLG services.
To compile statistical reports.
To support online advertising or marketing where consent and settings allow.
13
Governance
Review, approval and editorial control
This policy will be reviewed annually or when there are significant changes in the workplace, a new workplace is added, or relevant legislation requires a review.
This policy is approved by the Data Protection Officer of the National Learning Group, reporting operationally to the Managing Director of the National Learning Group, and updating the Human Resources Manager with all non-sensitive changes.
14
Changelog
Version control
This policy requires all changes to be tracked and reviewed. The current version should always be noted, with quality control completed by the Data Protection Officer where required.
Date
Authorising
Details
Version
01/01/2018
Legal Services
Initial version.
1
01/06/2022
Legal Services
Updates for GDPR and vendor processing agreements.
2
18/06/2024
Privacy Team
Reviewed and updated to accommodate changes to legislation.
3
23/06/2026
Privacy Team / DPO review required
Redesigned web presentation and added Data Protection Complaints section.
4 draft
Quick answers
Privacy policy FAQ
It applies to students, parents, guardians, tutors, teachers, internal staff and other individuals or businesses using National Learning Group products or services.
Email the Data Protection Officer at dan.williams@thenationallearninggroup.co.uk. NLG will acknowledge receipt of your complaint within 30 days.
Yes. You may have rights to access, correct, delete, restrict, transfer or object to the use of your personal data, depending on the circumstances.
Video lesson recordings are secured for 90 days before being deleted, unless a specific safeguarding, legal or operational requirement applies.
Yes. If you are unhappy with how NLG handles your complaint, you have the right to complain to the Information Commissionerโs Office.
Need to raise a privacy concern?
Contact the National Learning Group Data Protection Officer with details of your concern, the personal data involved, and the outcome you are asking us to consider.