Data Protection and Privacy Policy

1. Who is this for?
2. Why and how does NLG use personal data?
3. How does NLG get personal data, how long do you keep it?
4. What data do we collect?
5. Lawful Basis for Processing
6. Data Processing Principles
7. Rights of Data Subjects
8. Data Security Measures
9. Third-Party Vendors
10. Data Breach Management
11. Cookies
12. Review
13. Approval & Editorials
14. Version Control

1.     Who is this for?

1. This Privacy Notice applies to:
   1. Students, Parents and Guardians (“Clients”)
   2. Tutors, Teachers, and Internal (“Staff”)

• Any other individual or business that utilise NLG products or services, or who are participating in research programmes conducted by the NLG.

1. Changes and Declarations:
   1. Any changes we may make to our Privacy Notice in the future will be posted on the website, so you will always know what personal data we collect about you, the purposes we might use it for and to whom we might disclose it. Businesses and Schools using NLG are required to provide information to Clients about NLG’s data processing. Please refer to this information.
   2. This version of our Privacy Notice was published in August 2018, and updates are recorded in the version control statement on the last page.

• This applies to the collection and use of personal data by NLG from August 2020. It aligns with the requirements of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

1. If you would like more information about how TNLG uses personal data that you provide directly to us, including through our websites or our social media channels, please write to us or send an email to us at:
   1. (ATTN: DPO)
   2. In writing to the head office for the attention of the DPO.

2.     Why and how does NLG use personal data?

1. To produce individually tailored tutoring and other learning support, NLG uses data relating to Clients. This may include reaching out to approved representatives to discuss progress and alert them to any potential safeguarding or privacy issues.
2. NLG also researches the impact it has on students’ learning outcomes, so minimal data is collected on a student’s performance through its research programme each term season.

• NLG may also disclose personal data in the event that a third party acquires NLG or its assets, or NLG enters into any joint venture arrangements. Personal data will never be sold or used to market or sell non-NLG products or services. TNLG may share non-personal data with third parties provided that data is in an aggregated or wholly anonymised form, and that the third party agrees not to attempt to identify individuals from that data.

3.     How does NLG get personal data, how long do you keep it?

1. How do we receive information?
   1. Your Enrolment
      1. When Clients are enrolled at NLG, the NLG Enrolment and Allocations teams respectively will take and verify the authenticity of information relating to a client to ensure that we are providing the correct provisioned services (e.g., we will take the age and year group of a student to match them with an appropriate tutor).
      2. During the Enrolment process, we will collect further sensitive information relating to the needs of the Client to ensure that we are following our duty of care and providing clients with the best service possible.
   2. Approved Representatives
      1. An “Approved Representative” may be anyone who has the lawful right, access, and use of your personal, sensitive, education or health data in the context of NLG services. Examples of such people can include a client’s immediate employer, or the Designated Safeguarding Lead of their school.

1. How long do we keep it for?
   1. NLG does not keep personal data for longer than is necessary. Personal data is retained by NLG whilst the Client is active. When a user stops using NLG, their personal data will be retained for as long as necessary to fulfil reporting and other requirements. When the personal data is no longer required for these purposes, it will either be deleted or stripped of identifying data, so as to block re-identification (a process called pseudonymisation). As such, because re-identification is not possible, the data is no longer personal data and may be retained indefinitely by NLG.
   2. All video lesson recordings will be secured for 90 days before being deleted.

• All calls will be held as long as necessary.

4.     What data do we collect?

1. Which categories of data do we collect?
   1. Personal Data
      1. Name
      2. Date of Birth
      3. Home Address
      4. Contact Information (Tel/Email)
      5. Employment Status
      6. (Recruitment) Qualifications
      7. (Recruitment) DBS Checks
      8. (Internal) Communication Records
   2. Special Categories / Sensitive Information
      1. Through our Tutoring services, for effective safeguarding under the Keeping Children Safe in Education framework, the Care Act 2014 and Safeguarding Vulnerable Groups Act 2006 including the Protection of Freedoms Bill, we may store any information of note revealed to our Staff in accordance with our duty of care (e.g. religious or philosophical beliefs where disclosures of radicalization may occur).
      2. As all contact is recorded, including the tutoring sessions themselves, it may be that special categories of data are accidentally captured or disclosed as part of our safeguarding and monitoring. In these cases, we never store this information, and should the information be raised as a safeguarding or privacy concern, we will reach out to provide you with appropriate options for data destruction.

• Education Data
  1. Aside from the information we collect during your enrolment, which can include your status of education, year group (if relevant) and subjects of study, NLG may also receive information classified as “Education Data.”
     1. This can be provided by the Client if they wish for a more personalised approach, and NLG is often trusted with maintaining information from exam reports to SENDCo referrals.
  2. Health Data
     1. Aside from the information we collect during your enrolment, which can include any existing diagnoses or requested additional support systems, NLG may also receive information classified as “Health Data.”
        1. If “Health Data” is received by way of disclosure, we will ensure that storage of this information is consensual and understood.
        2. If “Health Data” is received by way of a responsible person or service, such as a SENCo liaison, this must be disclosed to you by them. You still have control of your data and may make a referral to us in writing or via email (see: Section 1, Point B-III).

1. Third Party Resourcing?
   1. NLG does not and will not without due notification consider collecting special categories of information via third-party vendors.
      1. In instances where you have signed up to a service that uses NLG as a partner, your notification of rights and data-sharing mandates are managed by their privacy policy.
      2. In instances where NLG may refer you to a partner service, we may provide special categories of information we maintain under the terms of this policy to ensure that the same or similar service is met per our tutoring provision agreements.
   2. All data is provided via the Client, or a client authorised responsible person; We will never collect any unnecessary data and do not process your information in any way other than as specified in this notice.

5.     Lawful Basis for Processing

1. We process personal data based on the following lawful bases:
   1. Consent: Explicit consent from Clients for all data.
   2. Contract: Necessary for the performance of a contract with Staff and Clients.
   3. Legal Obligation: Compliance with legal and regulatory requirements.
   4. Legitimate Interests: Ensuring the safety and quality of our educational services.

6.     Data Processing Principles

1. We adhere to the following data protection principles:
   1. Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner.
   2. Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
   3. Data Minimisation: Data collected is adequate, relevant, and limited to what is necessary.
   4. Accuracy: Data is accurate and kept up to date.
   5. Storage Limitation: Data is retained only for as long as necessary.
   6. Integrity and Confidentiality: Data is processed securely to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

7.     Rights of Data Subjects

1. Data subjects have the following rights:
   1. Access: Request access to their personal data.
   2. Rectification: Request correction of inaccurate or incomplete data.
   3. Erasure: Request deletion of their data under certain conditions.
   4. Restriction: Request restriction of processing under certain conditions.
   5. Data Portability: Request transfer of their data to another organisation.
   6. Objection: Object to the processing of their data under certain conditions.
   7. Consent: The right to withdraw consent at any time where relevant.
   8. Complaint: The right to complain to the Information Commissioner of the United Kingdom of Great Britain and Northern Ireland.

8.     Data Security Measures

1. We implement appropriate technical and organisational measures to ensure the security of personal data, including:
   1. Encryption: Encrypting sensitive data both in transit and at rest.
   2. Access Controls: Restricting access to data based on roles and responsibilities.
   3. Regular Audits: Conducting regular security audits and risk assessments.

9.     Third-Party Vendors

1. We ensure that our third-party vendors comply with GDPR requirements by:
   1. Due Diligence: Conducting thorough due diligence before engaging vendors.
   2. Data Processing Agreements: Signing data processing agreements outlining GDPR obligations.
   3. Regular Monitoring: Regularly reviewing vendor compliance with data protection standards.

10. Data Breach Management

1. In the event of a data breach, we will:
   1. Contain and Recover: Immediately contain the breach and initiate recovery procedures.
   2. Assess Impact: Assess the potential impact on data subjects.
   3. Notify Authorities: Notify the Information Commissioner’s Office (ICO) within 72 hours, if required.
   4. Communicate: Inform affected data subjects if the breach poses an elevated risk to their rights and freedoms.

11. Cookies

To provide NLG services via a web browser, NLG and associated third parties will place cookies on users’ devices. Cookies are used to collect standard internet logs and user behaviour information. This information is used to arrange the content of NLG websites, ensure security, track use of NLG services and to compile statistical reports. For further information visit: About Cookies

12. Review

This policy will be reviewed annually or when there are significant changes in the workplace, a new workplace added, or relevant legislation requires it.

13. Approval & Editorials

This policy is approved by the Data Protection Officer of the National Learning Group, reporting operationally to the Managing Director of the National Learning Group, and updating the Human Resources Manager with all non-sensitive changes.

14. Version Control

This policy requires all changes to be tracked and reviewed via the document core and the below changelog. The current version will always be notated on the first page, with QC noted. QC can be performed by the Data Protection Officer.