Data Protection Policy
Purpose and Scope
This policy outlines how the National Society for Education, Mentoring and Media (NSEMM) collects, uses, stores, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and Privacy and Electronic Communications Regulations (PECR).
NSEMM is committed to protecting the privacy and rights of all individuals whose personal data we process, including students, parents, guardians, volunteers, donors, and website visitors. This policy applies to all personal data processing activities across our tutoring, mentoring, and educational services.
As a registered charity (1209673), we balance our duty to protect personal data with our charitable mission to advance education and support young people’s development.
Legal Framework and Principles
NSEMM processes personal data in accordance with the UK GDPR data protection principles.
Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and transparently. We clearly communicate how and why we use personal data through this policy and our Privacy Notice.
Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not processed in ways incompatible with those purposes.
Data Minimisation: We collect only personal data that is adequate, relevant, and limited to what is necessary for our purposes.
Accuracy: Personal data is accurate and kept up to date. We take reasonable steps to ensure inaccurate data is corrected or deleted without delay.
Storage Limitation: Data is kept only for as long as necessary for the purposes for which it was collected as detailed in our Data Retention Schedule below.
Integrity and Confidentiality: Personal data is processed securely using appropriate technical and organisational measures to protect against unauthorised access, loss, or damage.
Accountability: NSEMM demonstrates compliance with these principles through policies, procedures, training, and documentation.
Legal Bases for Processing
We process personal data under specific lawful bases depending on the purpose and context of processing.
Consent is used for newsletters, marketing communications, photographs, testimonials, and optional feedback where individuals have explicitly agreed to processing.
Contract is used for delivering tutoring services, managing bookings, and fulfilling service agreements where processing is necessary to perform our obligations.
Legal Obligation applies for safeguarding requirements, financial auditing, HMRC compliance, and statutory reporting where we must process data to comply with legal duties.
Legitimate Interests is used for monitoring engagement, fraud prevention, security measures, safeguarding logging not covered by legal obligations, volunteer applications, and supporting local authority public tasks through partnership agreements.
When we process special category data such as health information or religious beliefs, we rely on Explicit Consent for voluntary disclosure of learning difficulties, disabilities, or medical needs, or Substantial Public Interest for safeguarding children and young people.
For processing under legitimate interests, we have conducted balancing tests confirming that we process limited personal data to deliver high-quality services, monitor engagement, ensure safeguarding, maintain contact for continuity, and evaluate impact. Processing is essential for service delivery, safeguarding compliance, and reporting obligations. Individual rights are protected through data minimisation, transparency, security measures, and opt-out rights where appropriate.
Types of Data We Collect
Students and Parents/Guardians: We collect contact information including names, email addresses, phone numbers, and postal addresses. Educational data includes learning needs, academic progress, session records, and assessment information. Special category data such as learning difficulties, disabilities, medical needs, and dietary requirements for events is collected with explicit consent. Safeguarding records are maintained as detailed in our Safeguarding Policy, including session recordings and incident reports. Technical data includes session recordings in video and audio format, attendance logs, and platform usage data.
Volunteers and Staff: Application data includes contact details, qualifications, experience, references, and availability. Background checks cover DBS or PVG status and safeguarding training records. Performance data includes training completion, session feedback, and supervision notes. Financial information covers payment details for expenses or stipends where applicable.
Donors and Supporters: Contact information includes names, email addresses, postal addresses, and phone numbers. Financial data covers donation amounts, Gift Aid declarations, and payment method details. Communication preferences include newsletter subscriptions and communication consent records.
Website Visitors: Technical data includes anonymised usage statistics, page views, and session duration without tracking cookies. Contact forms capture names, email addresses, and enquiry details when voluntarily submitted.
How We Use Personal Data
Service Delivery: We use personal data for matching students with appropriate tutors and mentors, delivering tutoring and mentoring sessions, tracking progress and providing feedback, making reasonable adjustments for learning needs, and managing bookings and communications.
Safeguarding and Safety: Personal data is used for recording tutoring sessions for safeguarding purposes with a minimum 180-day retention period, monitoring for concerning behaviour or content, maintaining safeguarding records and incident reports, automated keyword detection for user safety which cannot be opted out separately, and sharing information with authorities when legally required.
Communications and Engagement: We use personal data for sending service-related updates and information, newsletter communications based on consent with opt-out options, following up on service outcomes and satisfaction, and fundraising communications where consent has been provided.
Administration and Compliance: Personal data supports financial record-keeping and audit compliance, meeting charity law and regulatory requirements, processing Gift Aid claims, managing volunteer applications and training, and conducting impact evaluation and reporting.
Automated Processing and Decision-Making
NSEMM uses limited automated processing in specific circumstances with appropriate safeguards.
Application Filtering: We use automated tools to sort volunteer applications based on availability, experience, and training criteria. No final decisions are made without human review, ensuring that automated processing supports rather than replaces human judgment.
Safety Monitoring: We use automated keyword detection on our servers to identify potential safeguarding concerns in communications. This system protects user safety by preventing sensitive information from leaving our servers, flags content for human review by safeguarding leads, and does not make decisions about individuals. This safety monitoring cannot be opted out of separately as it supports user safety, but individuals can access support through alternative channels if they prefer not to use systems with automated monitoring.
Data Sharing and Third Parties
We share personal data only when necessary and lawful under strict conditions and safeguards.
Service Providers: Personal data is shared with trusted processors under comprehensive Data Processing Agreements as detailed in our Third-Party Services section below.
Safeguarding: Information is shared with police, social services, or other agencies when required for child protection in accordance with our Safeguarding Policy.
Legal Requirements: Data is shared when compelled by court orders or statutory obligations with appropriate verification and documentation.
Partnership Data: Anonymised usage data is shared with Nottingham City Council and University of Nottingham Students Union for community education network purposes under formal data sharing agreements.
Data Sharing with Authorities
We follow strict procedures for sharing data with police and other authorities. Valid legal requests must meet Schedule 2 Part 1 Para. 2 Data Protection Act 2018 requirements. We verify the requesting organisation and officer through independent channels. Disclosure is limited to directly relevant information only. We maintain transparency with parents and guardians where possible and safe to do so. All requests and decisions are formally documented. Full procedures are detailed in our Safeguarding Policy.
Third-Party Services and GDPR Compliance
We use trusted platforms to deliver our services, each operating under comprehensive Data Processing Agreements ensuring GDPR compliance and appropriate data protection standards.
Service Provider | Purpose | GDPR Compliance Documentation |
---|---|---|
Lessonspace | Online tutoring platform | Privacy Policy – GDPR policy, Right to Erasure support, global transfers |
Microsoft 365 / Teams | Communication and collaboration | GDPR-aligned with global compliance controls and data residency options |
Umami Analytics | Website analytics | GDPR Compliance – Anonymised, cookie-free, GDPR/PECR compliant |
Krystal Hosting | Web hosting and servers | GDPR Information – UK-based, ISO27001, GDPR-compliant |
GoCardless | Payment processing | GDPR Programme – GDPR-based privacy program, DPO oversight |
Stripe | Payment processing | Data Processing Agreement – GDPR Data Processing Agreement and Privacy Center |
FreeAgent | Accounting software | GDPR Compliance – GDPR compliance and strong security |
Airtable | Database management | GDPR at Airtable – GDPR, SCCs, EU data residency, ISO27701 |
Okta | Identity management | Trust and Compliance – Identity management with Standard Contractual Clauses |
All processors operate under comprehensive Data Processing Agreements ensuring GDPR compliance, appropriate security measures, and clear data protection obligations.
International Transfers
Some personal data may be transferred outside the UK and EEA via our service providers. These transfers are protected by Standard Contractual Clauses approved by the European Commission, adequacy decisions where applicable, and processor contractual commitments to maintain equivalent data protection standards. We regularly review international transfer mechanisms to ensure ongoing compliance with UK GDPR requirements.
Data Retention
We retain personal data only as long as necessary for the purposes collected, with clear retention periods for different categories of information.
Data Category | Retention Period | Legal Basis |
---|---|---|
Students and Parents | ||
Contact details | Up to 2 years after tutoring ends | Allows follow-up support |
Educational records | Up to 2 years after tutoring ends | Service continuity |
Tutoring recordings | Minimum 180 days, longer if safeguarding concerns | Safeguarding obligations |
Safeguarding records | Indefinitely, or until age 25 and deletion requested* | Child protection requirements |
Volunteers and Staff | ||
Application records | Up to 5 years before anonymisation | HR and safeguarding policies |
Training and performance records | Up to 5 years after involvement ends | Performance management |
Safeguarding-related records | As per safeguarding retention policy | Child protection requirements |
Donors and Supporters | ||
Financial records | 7 years | Statutory accounting and audit requirements |
Contact preferences | Until consent withdrawn or contact invalid | Ongoing consent management |
Website and Analytics | ||
Visitor analytics | 12 months (completely anonymised) | Service improvement |
Contact form submissions | 2 years unless ongoing correspondence | Communication management |
Marketing Communications | ||
Newsletter lists | Until unsubscribe or email invalid | Ongoing consent management |
Consent records | 3 years after consent withdrawn | Compliance evidence |
*Safeguarding records may be retained despite deletion requests where compelling safeguarding or legal reasons exist.
Individual Rights
Under UK GDPR, individuals have comprehensive rights regarding their personal data, which we respect and facilitate.
Right to Information: We provide clear information about how we process personal data through this policy and our Privacy Notice.
Right of Access: Individuals can request copies of personal data we hold about them. Requests should be submitted in writing to our Data Protection Contact at [email protected].
Right to Rectification: Individuals can request correction of inaccurate or incomplete personal data, which we will address promptly.
Right to Erasure: Individuals can request deletion of personal data in certain circumstances. Safeguarding records may be retained despite erasure requests where compelling protection needs exist.
Right to Restrict Processing: Individuals can request limitation of processing in specific circumstances while we verify accuracy or assess objections.
Right to Data Portability: Individuals can receive personal data in a structured, machine-readable format where technically feasible and applicable.
Right to Object: Individuals can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override individual interests.
Rights Related to Automated Decision-Making: Individuals have the right to be informed about automated processing and request human intervention where appropriate.
Exercising Rights
Rights can be exercised by contacting our Data Protection Contact at [email protected]. We respond within 30 days, which may be extended by 2 months for complex requests. We may require identity verification for security purposes. Rights are generally exercised free of charge unless requests are excessive or unfounded. Some requests may be partially refused where disclosure could jeopardise safety, ongoing investigations, or breach legal exemptions, with clear documentation and an appeals process offered.
Security Measures
NSEMM implements comprehensive technical and organisational measures to protect personal data against unauthorised access, loss, damage, or destruction.
Technical Safeguards: Data is encrypted in transit and at rest using industry-standard encryption protocols. Role-based access controls ensure only authorised personnel can access personal data, with regular permission reviews. Multi-factor authentication is enabled on all supported services. Secure identity management operates via Okta Single Sign-On systems. Encrypted backup systems include tested recovery procedures. Monitoring systems include access logs and platform-level alerts for unusual activity.
Organisational Measures: All staff and volunteers receive regular data protection and safeguarding training. Comprehensive policies and procedures cover all processing activities. Privacy by design principles ensure data protection is considered in all new systems and processes. Regular audits systematically review data processing and security measures. Formal incident response procedures handle breach detection and response effectively.
Physical Security: Secure storage requirements ensure locked storage for any physical documents. Clean desk policies require a clear workspace when not working. Device security includes screen locks, secure storage, and restrictions on household member access. Secure disposal procedures ensure safe destruction of documents containing personal data.
Data Breach Procedures
NSEMM maintains structured breach response procedures that exceed legal notification requirements to ensure comprehensive incident management.
Detection and Monitoring: We monitor through access control logs and user permission reviews, platform-level alerts from all major services, regular vulnerability assessments of systems handling personal data, and staff training to identify and report potential breaches promptly.
Incident Recording and Response: All breaches are recorded using NSEMM’s IR1 form (Incident Report Form) with comprehensive documentation including nature of breach, timing and detection details, systems and data affected, risk assessment including special category implications, containment and recovery actions taken, notification decisions and rationale, and lessons learned for future prevention. Staff report immediately to our Data Protection Contact with escalation to trustees where appropriate. Post-incident reviews ensure protocol updates and continuous improvement.
Legal Notifications: We notify the Information Commissioner’s Office within 72 hours if a breach is likely to result in a risk to rights and freedoms. Individual notification occurs where a breach is likely to result in a high risk to rights and freedoms. All breach assessments and decisions are formally documented for regulatory compliance.
Ongoing Controls: Regular access audits and permission reviews ensure appropriate data access. Multi-factor authentication operates on all supported services. Encrypted backup systems include tested recovery procedures. Continuous monitoring and improvement of security measures adapt to emerging threats.
Marketing and Communications
NSEMM occasionally sends newsletters, project updates, and fundraising communications under strict consent requirements and PECR compliance.
Legal Basis: We rely on explicit consent under UK GDPR Article 6(1)(a) and PECR compliance for all marketing communications. Explicit opt-in is required through web forms with clear tick-box consent or joining mailing lists during event sign-up or project involvement. Separate consent is obtained for different communication types where appropriate.
Opt-Out Mechanisms: Every marketing email includes clear unsubscribe links for immediate opt-out. Direct email requests to [email protected] are processed within 5 working days. Consent withdrawal is logged permanently and honoured across all systems.
Additional Safeguards: Marketing lists are maintained separately from service databases to prevent accidental inclusion. No sharing occurs with third parties without explicit consent. Regular review and removal of inactive contacts maintains list accuracy. Clear distinction is maintained between essential service communications and optional marketing materials.
Training and Awareness
All staff and volunteers receive comprehensive data protection training covering UK GDPR principles and individual rights, data handling procedures and security requirements, breach detection and incident reporting procedures, safeguarding obligations and information sharing protocols, and platform-specific training for systems processing personal data.
Training is refreshed annually and updated when regulations or procedures change. Additional training is provided for staff with enhanced data processing responsibilities or access to sensitive information.
Complaints and Concerns
Internal Complaints: Data protection complaints follow our Complaints Procedure Policy. Concerns can be submitted via our feedback page or directly to [email protected]. We conduct a thorough investigation within 4 weeks, with clear communication of the outcome and any remedial action. Appeals can be escalated if individuals are dissatisfied with the initial response.
External Rights: If unsatisfied with our response, individuals have the right to complain to the Information Commissioner’s Office at ico.org.uk, by phone on 0303 123 1113, or by post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Regulatory Cooperation: NSEMM cooperates fully with ICO investigations and implements any recommended improvements to data protection practices promptly and comprehensively.
Policy Governance
Responsibility and Oversight: Our Data Protection Contact is Adrian Angol-Henry, Designated Safeguarding Lead, contactable at [email protected]. The Board of Trustees reviews data protection compliance quarterly as part of governance oversight. All staff and volunteers are accountable for data protection compliance in their respective roles.
Policy Review and Updates: This policy is reviewed and updated annually to ensure continued compliance and effectiveness. Updates are implemented when legislation changes or new guidance is issued. Policy updates follow any significant breaches or incidents to incorporate lessons learned. Stakeholder feedback and suggestions are welcomed for continuous improvement.
Related Policies: This policy should be read alongside our Safeguarding Policy for recording retention and information sharing procedures, Complaints Procedure Policy for data protection complaints process, Financial Management Policy for financial data processing requirements, and Risk Management Policy for data security risk assessment.
Contact Information
For data protection queries, exercising rights, or raising concerns, contact our Data Protection Contact Adrian Angol-Henry, Designated Safeguarding Lead at [email protected].
General enquiries can be submitted through our website contact form.
For complaints, follow our Complaints Procedure Policy or contact the ICO directly at ico.org.uk.
This policy demonstrates NSEMM’s commitment to protecting personal data while delivering our charitable mission. We welcome feedback and questions to help us continuously improve our data protection practices.