Children's Data GDPR Pack

๐Ÿซ [Business Name] ๐Ÿ‘ค [Your Name] ๐Ÿ“… Date: [Date]

๐Ÿ“‹ This pack contains three documents


Part A โ€” Children's Data Privacy Notice

This notice is for parents and guardians. Please read it before your child's first session. You are entitled to a copy to keep.

Who we are

[Your Name], trading as [Business Name], is the data controller for the personal data described in this notice. Contact: [Your Email Address] ยท [Your Phone Number].

This notice is written in plain English, as required by the ICO's guidance on transparency for children's data.

What data we collect and why

Data heldWhy we need itLegal basis (UK GDPR Art. 6)
Child's full name To address and identify the student in sessions and records Art. 6(1)(b) โ€” performance of the tutoring contract
Date of birth / year group To tailor teaching to curriculum stage and confirm under-18 safeguarding applies Art. 6(1)(b)
School attended To align sessions with the child's current curriculum and exam board Art. 6(1)(b)
Parent/guardian name(s) and contact details To communicate about sessions, invoices, and safeguarding matters Art. 6(1)(b)
Emergency contact details To reach a responsible adult in an emergency during in-person sessions Art. 6(1)(d) โ€” vital interests
Relevant medical conditions or learning needs To adapt teaching and ensure safety Art. 6(1)(f) โ€” legitimate interest (education and safety); Art. 9 special category data โ€” explicit parental consent
Session notes and progress records To track progress, plan future sessions, and provide progress reports to parents Art. 6(1)(b)
Safeguarding records (if any) Legal obligation to record and report safeguarding concerns Art. 6(1)(c) โ€” legal obligation; Art. 9(2)(b)

Health and special educational needs data

Medical information and SEND details are special category data under UK GDPR Article 9. We collect this only with your explicit consent (given in the Parental Consent Form) and use it solely to adapt sessions for your child's welfare. It is never shared with third parties except in a safeguarding emergency where disclosure is required by law.

Who we share data with

We do not sell or share your child's data with third parties for marketing. Data may be shared with:

How long we keep data

Data typeRetention periodReason
Contact and session records2 years after the final sessionResolving any payment or contract disputes
Financial records (invoices)6 years after the tax year-endHMRC requirement for sole traders
Safeguarding recordsMinimum 10 years (or until child turns 25, whichever is longer)Statutory requirement; may be needed in future legal proceedings
Progress notes1 year after the final sessionSufficient to answer future reference queries

Your rights as a parent / guardian

Under UK GDPR, you (and where appropriate your child, depending on their age and capacity) have the following rights:

To exercise any right, contact [Your Name] at [Your Email Address]. We will respond within one calendar month.

If you are unhappy with how we handle your data, you may complain to the Information Commissioner's Office: ico.org.uk ยท 0303 123 1113.

Data controller: [Your Name], [Business Name]
Contact: [Your Email Address]
ICO registration number: [ICO number, if registered]

Note: self-employed tutors processing personal data are legally required to register with the ICO (currently ยฃ40/year) unless a specific exemption applies. See ico.org.uk/registration for guidance.


Part B โ€” Data Retention & Processing Register

Internal record โ€” not shared with clients. Review annually and on any change to data practices.

Data held โ€” current register

Category Format / location Encrypted? Access Retention Deletion method
Client contact details [e.g. Google Contacts / spreadsheet] [Yes / No] Me only 2 years post-session Permanent delete + empty trash
Signed agreements [e.g. PDF in Google Drive / OneDrive] [Yes / No] Me only 2 years post-session Permanent delete
Session / progress notes [e.g. Notebook / Google Doc] [Yes / No] Me only 1 year post-session Shred physical / permanent delete digital
Invoices [e.g. Bookkeeping software / spreadsheet] [Yes / No] Me + accountant 6 years (HMRC) Permanent delete
Safeguarding records [e.g. Password-protected Word doc / locked folder] Yes Me only (LA if referred) 10 years / child's 25th birthday Consult LA before any destruction
Health / SEND data [e.g. Parental consent form โ€” encrypted] Yes Me only Duration of tutoring relationship + 1 year Permanent delete

Security measures in place

Data breach procedure

If I become aware of a data breach (e.g. device lost or stolen, data sent to wrong person, unauthorised access):


Part C โ€” Subject Access Request (SAR) Response Template

Use this template when a parent or guardian (or an eligible child) requests a copy of their data. Adapt as needed and respond within one calendar month of the request.

Subject Access Request received: [Date of request]
Requested by: [Parent/Guardian name], in respect of [Child's name]
Response deadline: [One calendar month from request date]

Response โ€” what to include

Dear [Parent/Guardian name],

Thank you for your Subject Access Request dated [date], requesting the personal data held by [Business Name] in respect of [child's name].

Enclosed / attached is a copy of all personal data held by me relating to [child's name], as follows:

Data not included: Financial records containing only invoice amounts (not identifying the child beyond their name) are retained for HMRC purposes for 6 years and form part of my business accounting records. Safeguarding records, if any, are subject to separate legal retention requirements and disclosure restrictions โ€” I will take advice from the local authority before releasing these.

If you believe any data held is inaccurate or you wish to exercise any other right under UK GDPR (erasure, rectification, restriction of processing), please contact me at [Your Email Address].

If you are not satisfied with this response, you may complain to the Information Commissioner's Office at ico.org.uk.

Yours sincerely,
[Your Name]
[Business Name]
[Your Email Address]

Exemptions to be aware of