Data Protection Policy

Policy Owner: Joshua Lynbeck

Approved By: Charlotte Lynbeck

Effective Date: 01/05/2026

Review Date: 01/05/2027

Applies To: All staff, tutors, contractors, volunteers, students, parents/carers, and third-party providers.

1. Purpose of this Policy

This Data Protection Policy sets out how Footnote Education (“the Company”) collects, processes, stores, retains, and protects personal data in connection with the provision of online one-to-one tuition services in Humanities subjects within the United Kingdom.

The Company is committed to ensuring that all personal data is handled lawfully, fairly, transparently, securely, and in accordance with applicable data protection legislation and guidance.

This policy applies to all staff, tutors, contractors, consultants, and any third parties acting on behalf of the Company.

2. Legislative Framework

This policy is based upon the following legislation and regulatory guidance:

  • The UK General Data Protection Regulation (“UK GDPR”) 

  • The Data Protection Act 2018 

  • The Privacy and Electronic Communications Regulations 2003 (“PECR”), where applicable 

  • Guidance issued by the UK Information Commissioner’s Office (“ICO”) 

The Company recognises the seven key data protection principles established under Article 5 UK GDPR. 

3. Scope

This policy applies to all personal data processed by the Company, including data relating to:

  • Students 

  • Parents and guardians 

  • Tutors 

  • Employees and contractors 

  • Prospective clients 

  • Website users 

  • Suppliers and professional contacts 

The policy covers all formats of personal data, including:

  • Electronic records 

  • Emails 

  • Online learning platforms 

  • Video conferencing systems 

  • Paper records 

  • Audio or visual recordings where applicable 

4. Definitions

4.1 Personal Data

Any information relating to an identified or identifiable living individual. 

4.2 Special Category Data

Personal data requiring additional protection, including information concerning health, ethnicity, religion, or biometric data. 

4.3 Processing

Any operation performed on personal data, including collection, storage, use, disclosure, deletion, or destruction. 

4.4 Data Controller

The organisation determining the purposes and means of processing personal data. The Company acts as the data controller in relation to the personal data it processes.

4.5 Data Processor

A third party processing personal data on behalf of the Company.

5. Data Protection Principles

The Company shall comply with the following principles of data protection:

5.1 Lawfulness, Fairness, and Transparency

Personal data shall be processed lawfully, fairly, and transparently. The Company shall clearly explain how personal data is used and ensure there is an appropriate lawful basis for processing. 

5.2 Purpose Limitation

Personal data shall only be collected for specified, explicit, and legitimate purposes and shall not be used in a manner incompatible with those purposes.

5.3 Data Minimisation

The Company shall only collect personal data that is adequate, relevant, and limited to what is necessary for tuition services and associated administration. 

5.4 Accuracy

Reasonable steps shall be taken to ensure that personal data is accurate and kept up to date. Inaccurate data shall be corrected or deleted promptly. 

5.5 Storage Limitation

Personal data shall not be retained longer than necessary for the purposes for which it was collected. 

5.6 Integrity and Confidentiality

Appropriate technical and organisational measures shall be implemented to protect personal data against unauthorised access, accidental loss, destruction, or damage. 

5.7 Accountability

The Company shall be responsible for demonstrating compliance with all applicable data protection obligations. 

6. Categories of Personal Data Processed

The Company may process the following categories of personal data:

6.1 Student Data

  • Name 

  • Date of birth 

  • Educational level 

  • School or college attended 

  • Academic progress information 

  • Tuition records 

  • Attendance records 

  • Examination goals 

  • Contact details 

6.2 Parent or Guardian Data

  • Names 

  • Contact information 

  • Billing and payment details 

  • Correspondence records 

6.3 Tutor and Staff Data

  • Employment and recruitment records 

  • DBS information where applicable 

  • Qualifications and references 

  • Payroll and banking details 

  • Performance records 

6.4 Technical and Website Data

  • IP addresses 

  • Website usage analytics 

  • Login credentials 

  • Device and browser information 

6.5 Special Category Data

The Company will only process special category data where strictly necessary and where an additional lawful condition applies under the UK GDPR and Data Protection Act 2018.

7. Lawful Bases for Processing

The Company processes personal data under one or more lawful bases, including:

7.1 Contract

Processing necessary for the provision of tuition services or administration of tutor agreements. 

7.2 Legitimate Interests

Processing necessary for the legitimate interests of the Company, provided such interests are not overridden by the rights and freedoms of individuals.

Examples include:

  • Safeguarding students 

  • Preventing fraud 

  • Improving educational services 

  • Internal administration 

7.3 Consent

Where required, consent shall be freely given, specific, informed, and unambiguous. Individuals may withdraw consent at any time.

7.4 Legal Obligation

Processing necessary to comply with legal or regulatory obligations.

8. Children’s Data

As the Company provides tuition services to children and young people, it recognises that children’s personal data requires enhanced protection.

The Company shall:

  • Process children’s data fairly and transparently 

  • Collect only data necessary for educational purposes 

  • Obtain parental or guardian involvement where appropriate 

  • Implement safeguarding measures 

  • Restrict access to children’s information to authorised personnel only 

9. Collection of Personal Data

Personal data may be collected through:

  • Website enquiry forms 

  • Email correspondence 

  • Online registration forms 

  • Video conferencing platforms 

  • Payment systems 

  • Tutor reports 

  • Telephone communications 

The Company shall provide privacy information explaining:

  • What data is collected 

  • Why it is collected 

  • The lawful basis for processing 

  • How long it will be retained 

  • Individual rights 

10. Data Sharing

The Company may share personal data with:

  • Tutors engaged by the Company 

  • Payment providers 

  • IT and cloud service providers 

  • Professional advisers 

  • Regulatory authorities where legally required 

The Company shall ensure that any third-party processors:

  • Provide sufficient guarantees regarding data security 

  • Process data only on documented instructions 

  • Comply with UK GDPR obligations 

Personal data shall not be sold to third parties.

11. International Transfers

Where personal data is transferred outside the United Kingdom, the Company shall ensure that appropriate safeguards are in place in accordance with UK GDPR requirements, including:

  • Adequacy regulations 

  • International Data Transfer Agreements 

  • Approved contractual clauses 

12. Data Security

The Company shall implement appropriate technical and organisational measures including:

  • Password-protected systems 

  • Multi-factor authentication where appropriate 

  • Encrypted communications 

  • Secure cloud storage 

  • Restricted access permissions 

  • Staff training on data protection 

  • Secure disposal of records 

  • Regular review of cybersecurity measures 

All tutors, employees, and contractors shall be required to maintain confidentiality.

13. Data Retention

Personal data shall only be retained for as long as necessary.

Typical retention periods may include:

  • Student records: up to 6 years after the end of tuition 

  • Financial records: 6 years in accordance with HMRC requirements 

  • Recruitment records: up to 12 months unless otherwise required 

  • Safeguarding records: retained in accordance with safeguarding obligations 

At the end of retention periods, data shall be securely deleted or destroyed.

14. Individual Rights

Individuals have the following rights under UK GDPR:

  • The right to be informed 

  • The right of access 

  • The right to rectification 

  • The right to erasure 

  • The right to restrict processing 

  • The right to data portability 

  • The right to object 

  • Rights relating to automated decision-making 

Requests relating to these rights shall be handled promptly and within statutory timescales.

15. Subject Access Requests

Individuals may request access to their personal data by submitting a Subject Access Request (“SAR”).

The Company shall:

  • Verify identity where appropriate 

  • Respond within one calendar month unless an extension is permitted 

  • Provide information in a concise and accessible format 

16. Personal Data Breaches

A personal data breach includes the accidental or unlawful destruction, loss, or alteration of personal data, or the unauthorised disclosure of, or access to, personal data.

All suspected breaches must be reported immediately to management.

The Company shall:

  • Investigate breaches promptly 

  • Assess risks to individuals 

  • Notify the ICO where legally required 

  • Notify affected individuals where there is a high risk to their rights and freedoms 

17. Staff Responsibilities

All staff, tutors, and contractors must:

  • Comply with this policy 

  • Handle personal data confidentially 

  • Complete relevant training 

  • Report suspected breaches immediately 

  • Use Company systems securely 

  • Avoid sharing personal data unnecessarily 

Failure to comply may result in disciplinary action and potential legal consequences.

18. Use of Online Platforms and Remote Learning Tools

The Company uses online systems to deliver tuition services. Appropriate safeguards shall be implemented when using:

  • Video conferencing software 

  • Shared learning platforms 

  • Cloud-based storage systems 

  • Messaging and communication systems 

Sessions shall not be recorded unless:

  • There is a clear lawful basis 

  • Participants have been informed 

  • Appropriate safeguards are in place 

19. Marketing Communications

The Company may send marketing communications regarding educational services where permitted by law.

Individuals shall have the right to opt out of marketing communications at any time.

Marketing activities shall comply with UK GDPR and PECR requirements.

20. ICO Registration

Where required by law, the Company shall maintain registration with the Information Commissioner’s Office and pay any applicable data protection fees. 

21. Policy Monitoring and Review

This policy shall be reviewed annually or sooner where:

  • Legislative changes occur 

  • ICO guidance changes 

  • Business operations materially change 

  • Significant data protection incidents arise 

22. Contact Details

For questions regarding this policy or the handling of personal data, contact:

Data Protection Lead: Charlotte Lynbeck

Email: footnoteeducation@gmail.com

Individuals also have the right to lodge complaints with the UK Information Commissioner’s Office.

ICO Website: Information Commissioner’s Office


Policy Approval

Name: Charlotte Lynbeck

Role: Co-Founder & Business Manager

Signature: CED Lynbeck

Date: 01/05/2025