top of page

Data Privacy Policy

Data Privacy Policy

1. Introduction

This Data Protection Policy outlines how No Walls Teaching (hereafter referred to as "the Business") collects, processes, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Business provides A-Level Biology tutoring services, both online and in-person, within the United Kingdom.

​

2. Scope

This policy applies to all personal data processed by the Business, including data relating to students, parents/guardians, tutors, and any other individuals whose personal data is collected or processed in the course of our operations.

​

3. Principles of Data Protection

The Business adheres to the following principles of data protection, as outlined in the UK GDPR:

 

  • Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and in a transparent manner.

  • Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

  • Data Minimisation: Personal data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

  • Accuracy: Personal data will be accurate and, where necessary, kept up to date. Every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

  • Storage Limitation: Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

  • Integrity and Confidentiality: Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

​​

4. Types of Data Collected

The Business may collect and process the following types of personal data:

 

  • Student Data:

    • Name

    • Date of birth

    • Contact information (email address, phone number, address)

    • Academic information (e.g., current A-Level Biology grade, predicted grades, learning objectives)

    • Special educational needs or disabilities (if applicable and relevant to tutoring)

    • Attendance records

    • Progress reports

  • Parent/Guardian Data:

    • Name

    • Contact information (email address, phone number)

    • Billing information

  • Tutor Data:

    • Name

    • Contact information (email address, phone number, address)

    • Qualifications and experience

    • DBS check details

    • Bank details for payment

​​

5. How Data is Collected

Personal data may be collected through various means, including:

 

  • Online enquiry forms

  • Direct communication (phone, email, video calls)

  • Registration forms

  • During tutoring sessions (e.g., progress updates)

  • Via third-party platforms used for online tutoring (e.g., video conferencing software)

​​

6. Lawful Basis for Processing

The Business will only process personal data where there is a lawful basis to do so under UK GDPR. The lawful bases typically relied upon include:

 

  • Contract: Processing is necessary for the performance of a contract with the data subject (e.g., providing tutoring services).

  • Legitimate Interests: Processing is necessary for the legitimate interests pursued by the Business, provided these interests do not override the fundamental rights and freedoms of the data subject (e.g., improving services, marketing activities with consent).

  • Consent: Where explicit consent has been obtained from the data subject for specific processing activities.

  • Legal Obligation: Processing is necessary for compliance with a legal obligation (e.g., tax requirements, safeguarding).

​​

7. Data Storage and Security

The Business will implement appropriate technical and organisational measures to ensure the security of personal data, including:

 

  • Data Minimisation: Only collecting data that is necessary for the stated purposes.

  • Access Control: Restricting access to personal data to authorised personnel only.

  • Encryption: Encrypting sensitive data where appropriate.

  • Pseudonymisation/Anonymisation: Where possible, personal data will be pseudonymised or anonymised.

  • Regular Security Reviews: Conducting regular reviews of our security measures.

  • Data Backup and Recovery: Implementing robust backup and recovery procedures to prevent data loss.

  • Secure Platforms: Using reputable and secure online platforms for online tutoring sessions and data storage.

 

Personal data will be stored securely on password-protected devices and cloud-based storage solutions with appropriate security features. Physical documents, if any, will be stored in locked cabinets.

​

8. Data Sharing

Personal data will not be shared with third parties without the explicit consent of the data subject, unless required by law. Where data sharing is necessary (e.g., with online tutoring platforms), the Business will ensure that appropriate data processing agreements are in place to safeguard personal data.

​

9. Data Retention

Personal data will be retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The retention periods will be reviewed regularly. Once data is no longer required, it will be securely deleted or anonymised.

​

10. Data Subject Rights

Under UK GDPR, individuals have the following rights regarding their personal data:

 

  • Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data.

  • Right of Access: Individuals have the right to request a copy of the personal data held about them.

  • Right to Rectification: Individuals have the right to request correction of inaccurate or incomplete personal data.

  • Right to Erasure (Right to be Forgotten): Individuals have the right to request the deletion or removal of their personal data in certain circumstances.

  • Right to Restrict Processing: Individuals have the right to request the restriction or suppression of their personal data.

  • Right to Data Portability: Individuals have the right to obtain and reuse their personal data for their own purposes across different services.

  • Right to Object: Individuals have the right to object to the processing of their personal data in certain circumstances.

  • Rights in Relation to Automated Decision Making and Profiling: Individuals have the right to object to decisions based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

​​

To exercise any of these rights, please contact Clare Wharton at clare@nowallsteaching.co.uk.

​

11. Data Breach Procedure

In the event of a data breach, the Business will:

 

  • Assess the severity and risk of the breach.

  • Notify the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to the rights and freedoms of individuals.

  • Communicate the breach to affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

  • Take immediate steps to mitigate the impact of the breach and prevent further breaches.

​​

12. Policy Review

This policy will be reviewed and updated annually, or more frequently if there are changes in data protection legislation or the Business's practices. The next review is scheduled for Sep 1, 2026.

​

13. Contact Information

If you have any questions or concerns about this Data Protection Policy or the Business's data processing practices, please contact:

 

Clare Wharton (Data Protection Lead)
 

 

This policy was last updated on 25th August 2025

bottom of page