1. Introduction

Let's Go Learning is committed to protecting the privacy and security of all personal data processed in the course of delivering education, including online and alternative provision for SEND learners. This policy outlines how Let's Go Learning complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It also details how we process personal data as a contractor.

​

 

2. Purpose

This policy ensures that Let's Go Learning:

• Safeguards personal data against unauthorised access, loss, or misuse

• Meets legal obligations under GDPR and the Data Protection Act 2018

• Supports transparency and accountability in handling personal data

• Provides clear procedures for reporting data breaches and incidents

​

 

3. Scope

This policy applies to:

• All employees, volunteers, and contractors handling personal data

• Third-party service providers who process data on our behalf

• Personal data of students, parents/carers, staff, service users, and other stakeholders

It covers all forms of personal data, including electronic, paper, and verbal information.

​

 

4. Data Collection and Use

Let's Go Learning collects personal data only for legitimate educational, administrative, and statutory purposes. Examples include:

• Student registration, assessments, and academic records

• Staff employment records and training information

• Communication, safeguarding, and pastoral care records

• Payments and financial records

Data will be:

• Collected lawfully, fairly, and transparently

• Used only for the purpose it was collected

• Accurate, complete, and up-to-date

• Minimised to what is necessary

​

 

5. Legal Basis for Processing

Processing personal data is based on one or more lawful bases, such as:

• Consent of the data subject

• Performance of a contract or educational service

• Compliance with legal obligations

• Protection of vital interests

• Public task or legitimate interest

When processing sensitive personal data (special category data), additional safeguards are applied.

​

 

6. Data Storage and Security

Let's Go Learning ensures that personal data is:

• Stored securely using encryption, access controls, and secure servers

• Protected against accidental or unlawful destruction, loss, alteration, or disclosure

• Backed up regularly, with disaster recovery procedures in place

Staff receive mandatory training in data security and confidentiality.

​

 

7. Data Sharing and Third-Party Processing

Personal data may be shared:

• With authorised staff within Let's Go Learning for educational and operational purposes

• With third-party service providers under strict contractual obligations, including processing on behalf of SCC

• As required by law or safeguarding obligations

Third-party providers are vetted for compliance with GDPR, including security measures and contractual safeguards.

​

 

8. Individual Rights

Individuals have the following rights under GDPR:

• Right to access personal data (Subject Access Request)

• Right to rectification

• Right to erasure (“right to be forgotten”)

• Right to restrict processing

• Right to data portability

• Right to object to processing

• Right not to be subject to automated decision-making

Requests should be directed to the Data Protection Officer.

​

 

9. Data Breach Response

Let's Go Learning has a clear Data Breach Response Plan:

1. Immediate Action: Notify the Data Protection Officer (DPO) immediately

2. Investigation: Assess the scope, impact, and risk of the breach

3. Containment: Take steps to stop further unauthorised access

4. Notification:

   • Notify affected individuals where rights and freedoms are at risk

   • Report to the ICO within 72 hours if required under GDPR

5. Remedial Actions: Implement measures to prevent recurrence

Data breaches in the past 12 months: 0 reported to the ICO

​

 

10. Remote and Online Provision Considerations

• All online learning platforms comply with GDPR, and data is encrypted and access-controlled.

• Remote sessions and alternative provision maintain confidentiality and restrict data sharing to authorised personnel only.

• Staff working remotely complete DSE and lone-working risk assessments to safeguard data handling.

​

 

11. Training and Awareness

• All staff, volunteers, and contractors complete mandatory data protection and information governance training at induction and annually.

• Staff are required to report any data protection concerns or potential breaches promptly.

• Regular updates ensure compliance with SCC, UK GDPR, and ICO guidance.

​

 

12. Cookies and Website Privacy

Let's Go Learning provides transparency about:

• Use of cookies on our website

• Purpose of tracking technologies

• Obtaining user consent for non-essential cookies

​

 

13. International Data Transfers

Personal data transferred outside the UK is subject to safeguards, such as:

• Standard Contractual Clauses (SCCs)

• Ensuring adequate protection in line with GDPR

​

 

14. Data Processing 

• Let's Go Learning completes the Provider Services Data Processing Schedule via MS Form.

• All SCC personal data is processed only for the purposes specified in contractual agreements.

• SCC data is protected and handled in accordance with GDPR and this policy.

​

 

 

15. Monitoring and Compliance

• Compliance is monitored via audits, inspections, and annual reviews.

• Policy updates are communicated to staff, parents, and stakeholders.

• Non-compliance is addressed through corrective action and training.

​

 

16. Feedback and Complaints

Individuals may contact the DPO or submit complaints regarding data handling.

• Complaints are investigated promptly and escalated if necessary.

• External complaints may be raised with the ICO.

​

 

17. Policy Updates

Let's Go Learning reserves the right to update this policy to reflect changes in legislation, guidance, or operational requirements.

​

 

Approved by: Management Committee of Let's Go Learning
Next Review Date: September 2026