This notice is for parents and guardians. Please read it before your child's first session. You are entitled to a copy to keep.
[Your Name], trading as [Business Name], is the data controller for the personal data described in this notice. Contact: [Your Email Address] ยท [Your Phone Number].
This notice is written in plain English, as required by the ICO's guidance on transparency for children's data.
| Data held | Why we need it | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Child's full name | To address and identify the student in sessions and records | Art. 6(1)(b) โ performance of the tutoring contract |
| Date of birth / year group | To tailor teaching to curriculum stage and confirm under-18 safeguarding applies | Art. 6(1)(b) |
| School attended | To align sessions with the child's current curriculum and exam board | Art. 6(1)(b) |
| Parent/guardian name(s) and contact details | To communicate about sessions, invoices, and safeguarding matters | Art. 6(1)(b) |
| Emergency contact details | To reach a responsible adult in an emergency during in-person sessions | Art. 6(1)(d) โ vital interests |
| Relevant medical conditions or learning needs | To adapt teaching and ensure safety | Art. 6(1)(f) โ legitimate interest (education and safety); Art. 9 special category data โ explicit parental consent |
| Session notes and progress records | To track progress, plan future sessions, and provide progress reports to parents | Art. 6(1)(b) |
| Safeguarding records (if any) | Legal obligation to record and report safeguarding concerns | Art. 6(1)(c) โ legal obligation; Art. 9(2)(b) |
Medical information and SEND details are special category data under UK GDPR Article 9. We collect this only with your explicit consent (given in the Parental Consent Form) and use it solely to adapt sessions for your child's welfare. It is never shared with third parties except in a safeguarding emergency where disclosure is required by law.
We do not sell or share your child's data with third parties for marketing. Data may be shared with:
| Data type | Retention period | Reason |
|---|---|---|
| Contact and session records | 2 years after the final session | Resolving any payment or contract disputes |
| Financial records (invoices) | 6 years after the tax year-end | HMRC requirement for sole traders |
| Safeguarding records | Minimum 10 years (or until child turns 25, whichever is longer) | Statutory requirement; may be needed in future legal proceedings |
| Progress notes | 1 year after the final session | Sufficient to answer future reference queries |
Under UK GDPR, you (and where appropriate your child, depending on their age and capacity) have the following rights:
To exercise any right, contact [Your Name] at [Your Email Address]. We will respond within one calendar month.
If you are unhappy with how we handle your data, you may complain to the Information Commissioner's Office: ico.org.uk ยท 0303 123 1113.
Note: self-employed tutors processing personal data are legally required to register with the ICO (currently ยฃ40/year) unless a specific exemption applies. See ico.org.uk/registration for guidance.
Internal record โ not shared with clients. Review annually and on any change to data practices.
| Category | Format / location | Encrypted? | Access | Retention | Deletion method |
|---|---|---|---|---|---|
| Client contact details | [e.g. Google Contacts / spreadsheet] | [Yes / No] | Me only | 2 years post-session | Permanent delete + empty trash |
| Signed agreements | [e.g. PDF in Google Drive / OneDrive] | [Yes / No] | Me only | 2 years post-session | Permanent delete |
| Session / progress notes | [e.g. Notebook / Google Doc] | [Yes / No] | Me only | 1 year post-session | Shred physical / permanent delete digital |
| Invoices | [e.g. Bookkeeping software / spreadsheet] | [Yes / No] | Me + accountant | 6 years (HMRC) | Permanent delete |
| Safeguarding records | [e.g. Password-protected Word doc / locked folder] | Yes | Me only (LA if referred) | 10 years / child's 25th birthday | Consult LA before any destruction |
| Health / SEND data | [e.g. Parental consent form โ encrypted] | Yes | Me only | Duration of tutoring relationship + 1 year | Permanent delete |
If I become aware of a data breach (e.g. device lost or stolen, data sent to wrong person, unauthorised access):
Use this template when a parent or guardian (or an eligible child) requests a copy of their data. Adapt as needed and respond within one calendar month of the request.
Dear [Parent/Guardian name],
Thank you for your Subject Access Request dated [date], requesting the personal data held by [Business Name] in respect of [child's name].
Enclosed / attached is a copy of all personal data held by me relating to [child's name], as follows:
Data not included: Financial records containing only invoice amounts (not identifying the child beyond their name) are retained for HMRC purposes for 6 years and form part of my business accounting records. Safeguarding records, if any, are subject to separate legal retention requirements and disclosure restrictions โ I will take advice from the local authority before releasing these.
If you believe any data held is inaccurate or you wish to exercise any other right under UK GDPR (erasure, rectification, restriction of processing), please contact me at [Your Email Address].
If you are not satisfied with this response, you may complain to the Information Commissioner's Office at ico.org.uk.
Yours sincerely,
[Your Name]
[Business Name]
[Your Email Address]