Home/Policies/Privacy Policy
Data Protection and Privacy Policy

How National Learning Group protects your personal data

At the National Learning Group, company number 10503505, we are committed to protecting the privacy and security of the personal data we handle. This policy explains how we collect, use, store and protect personal data in line with UK GDPR, the Data Protection Act 2018 and other relevant data protection legislation.

Applies to parents, students, tutors and staff Reviewed annually or when required
โœ“ UK GDPR aligned
โœ“ Data Protection Act 2018
โœ“ Safeguarding-aware data handling
โœ“ ICO escalation route
1
Scope

Who is this privacy policy for?

This Privacy Notice applies to students, parents and guardians, tutors, teachers, internal staff, and any other individual or business that uses NLG products or services or participates in research programmes conducted by the National Learning Group.

  • Students, parents and guardians, referred to as Clients.
  • Tutors, teachers and internal staff.
  • Any other person or business using NLG services or taking part in NLG research activity.
Policy updates

Any changes to this Privacy Notice will be posted on the website, so users can see what personal data is collected, why it is used and when it may be disclosed.

2
Purpose

Why and how does NLG use personal data?

NLG uses personal data to provide individually tailored tutoring and learning support. This may include contacting approved representatives to discuss progress, learning needs, privacy matters or safeguarding concerns where appropriate.

  • To provide suitable tutoring and learning support.
  • To match students with appropriate tutors and services.
  • To communicate with clients, approved representatives and relevant staff.
  • To support safeguarding, quality assurance and service improvement.
  • To research the impact of NLG services on student learning outcomes using minimal necessary data.

NLG will never sell personal data or use it to market or sell non-NLG products or services. Non-personal data may be shared in aggregated or anonymised form, provided that individuals cannot be identified from that data.

3
Collection and retention

How does NLG get personal data, and how long is it kept?

Enrolment data

During enrolment, NLG collects and verifies information needed to provide the correct service, such as age, year group, learning needs, subject requirements and appropriate tutor matching details.

Approved representatives

An approved representative may be anyone with lawful access to personal, sensitive, education or health data in the context of NLG services, such as an employer or school Designated Safeguarding Lead.

NLG does not keep personal data for longer than is necessary. Personal data is retained while a Client is active. When a user stops using NLG, their data is retained only for as long as necessary to meet reporting, safeguarding, legal or operational requirements.

  • When personal data is no longer required, it will be deleted or stripped of identifying data.
  • Where re-identification is not possible, data may no longer be personal data and may be retained by NLG.
  • Video lesson recordings are secured for 90 days before being deleted.
  • Calls are held only for as long as necessary.
4
Data categories

What data does NLG collect?

NLG collects data that is necessary to provide safe, suitable and effective tutoring services. We do not collect unnecessary data and we do not process personal information in ways that are not specified in this notice.

Personal data

Name, date of birth, home address, contact information, employment status, recruitment qualifications, DBS checks and internal communication records.

Education data

Information linked to education status, year group, subjects of study, exam reports, SENDCo referrals or learning support needs where provided.

Health or sensitive data

Where disclosed or required for support, this may include diagnoses, additional support needs or safeguarding-related information handled under NLG's duty of care.

Through tutoring services, some special category information may be accidentally captured or disclosed during contact or recorded tutoring sessions. Where this creates a safeguarding or privacy concern, NLG will take appropriate steps, including discussing data destruction options where relevant.

5
Legal basis

Lawful basis for processing

NLG processes personal data using the following lawful bases, depending on the context and the type of data being handled.

Consent

Explicit consent from Clients where required or appropriate.

Contract

Processing necessary for the performance of a contract with staff, tutors or Clients.

Legal obligation

Processing required to comply with legal and regulatory responsibilities.

Legitimate interests

Processing needed to ensure the safety, quality and effective delivery of NLG educational services.

6
Principles

Data processing principles

NLG follows the core data protection principles when handling personal data.

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality.
7
Your rights

Rights of data subjects

Depending on the circumstances, data subjects may have the following rights over their personal data.

  • Access: request access to personal data.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of data under certain conditions.
  • Restriction: request restriction of processing under certain conditions.
  • Data portability: request transfer of data to another organisation.
  • Objection: object to processing under certain conditions.
  • Consent: withdraw consent at any time where relevant.
  • Complaint: complain to the Information Commissionerโ€™s Office in the United Kingdom.
8
Security

Data security measures

NLG implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

  • Encryption of sensitive data in transit and at rest where appropriate.
  • Access controls that restrict access based on roles and responsibilities.
  • Regular security audits and risk assessments.
  • Safeguarding-aware handling of education, health and sensitive information.
9
Complaints

Data Protection Complaints

If you have a concern about how the National Learning Group has collected, used, stored, shared, or otherwise handled your personal data, you can make a data protection complaint to us.

This includes concerns about:

  • How we use your personal data.
  • How we contact you by phone, email, SMS, or other marketing channels.
  • Where we obtained your personal data from.
  • How we use cookies, tracking, or online advertising data.
  • How we handle requests to unsubscribe, opt out, delete data, or access personal data.
You can make a data protection complaint by contacting: Data Protection Officer
The National Learning Group
dan.williams@thenationallearninggroup.co.uk

We will acknowledge receipt of your complaint within 30 days. We will then take appropriate steps to investigate your complaint, keep you informed where necessary, and tell you the outcome without undue delay.

If you are unhappy with how we handle your complaint, you have the right to complain to the Information Commissionerโ€™s Office, the UK supervisory authority for data protection matters.

10
Suppliers

Third-party vendors

NLG ensures that third-party vendors comply with GDPR requirements by taking appropriate steps before and during supplier relationships.

  • Due diligence before engaging vendors.
  • Data processing agreements outlining GDPR obligations.
  • Regular monitoring and review of vendor compliance with data protection standards.

NLG does not collect special categories of information via third-party vendors without due notification. Where a partner service uses NLG, or where NLG refers a Client to a partner service, relevant privacy notices and data-sharing arrangements apply.

11
Incidents

Data breach management

In the event of a data breach, NLG will take appropriate steps to contain, assess and respond to the incident.

  • Contain and recover: immediately contain the breach and begin recovery procedures.
  • Assess impact: assess the potential impact on data subjects.
  • Notify authorities: notify the Information Commissionerโ€™s Office within 72 hours, if required.
  • Communicate: inform affected data subjects if the breach poses an elevated risk to their rights and freedoms.
12
Tracking

Cookies

To provide NLG services through a web browser, NLG and associated third parties may place cookies on usersโ€™ devices. Cookies are used to collect standard internet logs and user behaviour information.

  • To arrange and improve website content.
  • To support website security.
  • To track use of NLG services.
  • To compile statistical reports.
  • To support online advertising or marketing where consent and settings allow.
13
Governance

Review, approval and editorial control

This policy will be reviewed annually or when there are significant changes in the workplace, a new workplace is added, or relevant legislation requires a review.

This policy is approved by the Data Protection Officer of the National Learning Group, reporting operationally to the Managing Director of the National Learning Group, and updating the Human Resources Manager with all non-sensitive changes.

14
Changelog

Version control

This policy requires all changes to be tracked and reviewed. The current version should always be noted, with quality control completed by the Data Protection Officer where required.

DateAuthorisingDetailsVersion
01/01/2018Legal ServicesInitial version.1
01/06/2022Legal ServicesUpdates for GDPR and vendor processing agreements.2
18/06/2024Privacy TeamReviewed and updated to accommodate changes to legislation.3
23/06/2026Privacy Team / DPO review requiredRedesigned web presentation and added Data Protection Complaints section.4 draft
Quick answers

Privacy policy FAQ

It applies to students, parents, guardians, tutors, teachers, internal staff and other individuals or businesses using National Learning Group products or services.

Email the Data Protection Officer at dan.williams@thenationallearninggroup.co.uk. NLG will acknowledge receipt of your complaint within 30 days.

Yes. You may have rights to access, correct, delete, restrict, transfer or object to the use of your personal data, depending on the circumstances.

Video lesson recordings are secured for 90 days before being deleted, unless a specific safeguarding, legal or operational requirement applies.

Yes. If you are unhappy with how NLG handles your complaint, you have the right to complain to the Information Commissionerโ€™s Office.

Need to raise a privacy concern?

Contact the National Learning Group Data Protection Officer with details of your concern, the personal data involved, and the outcome you are asking us to consider.

Contact the Data Protection Officer
Year 6 SATs results? Understand scores and what happens next.
Read guide