Website Privacy Notice

    Last Updated: 17/09/2024

    Driven Tutors Ltd

    Adopted by Driven Tutors on 1st of September 2024

    The Purpose of this privacy statement is to explain how Driven Tutors Ltd processes personal data to fulfil its data protection responsibilities for users of our website.

    This statement will be supplemented by separate privacy notices for Tutors engaged by Driven Tutors Ltd and for the Parents/Carers and the Students themselves for those that are being tutored.

    The scope of this statement covers the data processing activity of the staff and agents of Driven Tutors Ltd as it relates to the use of this website and when responding to enquiries made by letter, phone, email or other electronic means of communications.

    Driven Tutors Ltd will be referred to as DT for the remainder of this privacy statement.

    The Role of DT in data protection terms is that of a data controller where it determines the purpose and use of the personal data being processed. Once received it becomes the responsibility of the DT Data Protection Officer (DPO) to ensure that it is processed in accordance with the latest UK and EU data protection legislation (when applicable).

    Data Protection Officer (DPO)

    Name: Piranavan Kirupakaran

    Phone: 07983 740006

    Email: info@driventutors.co.uk

    The sort of personal data processed by DT will be your basic contact information as provided by you and any other technical data derived about you during your visit to this website (see ‘cookies’ section below). The personal data being requested will be kept to a minimum and will only be used in relation to the purposes stated below. Please note that if you cannot/do not provide the information requested, we may not be able to provide the appropriate services that are available.

    DT will use your personal data to follow up any enquiries for our services that you make with us and to notify you of any relevant updates, unless you have asked us not to do this. Any technical data we have been permitted to collect from you automatically will be used to administer the website and to enable any interactive features that will improve the website visit experience.

    DT’s duty of confidentiality means that DT staff will treat your personal data with respect and in confidence. It is only disclosed to staff and agents that need to know it. DT uses reasonable organisational and technical measures to safeguard all personal data. We also expect the same duty of confidentiality of all third parties with whom we share personal data which will only be done on a need-to-know basis.

    DT processes personal data against a lawful basis in the instances described below:

    • To log your enquiry onto our third-party IT support system and to respond to it, we will use our legitimate interests;
    • To comply with our legal obligations; and
    • When processing for a pre-defined purpose, such as the collection of health-related data, for which your consent will be sought prior to that processing commencing.

    In all cases the processing of personal data by DT shall be:

    • Processed lawfully, fairly and transparently;
    • Collected for specified, explicit and legitimate purposes;
    • Adequate, relevant and limited to what is necessary (and no more);
    • Accurate and, when necessary, updated;
    • Kept for no longer than is necessary; and
    • Processed in a manner that ensures appropriate security.

    DT will not share your personal data when you make a general enquiry; it will only be handled internally.

    DT will process your data in the UK and it is backed up on a contractual basis with a trusted third party, whose servers are based in the UK. It should be noted that no personal data is stored on the DT website server.

    DT follows a retention schedule to determine the length of time it holds different types of personal data. The retention schedule is shown below:

    • Contact data is stored for 12 months after our last contact with you unless we receive a valid request for erasure from you;
    • Routine correspondence, in electronic format as well as in hard copy, will be retained for 12 months after our last contact with you; and
    • By exception, documentation that includes personal data may be retained by DT beyond the schedule, but only for a specific purpose and only when DT believes there is a legitimate interest or a legal obligation to do so.

    At the end of the retention schedule, DT will either return, destroy or delete your personal data and any associated emails or relevant documentation. If it is technically impractical to delete electronic copies of personal data, it will put it beyond operational use. It should be noted that DT allows up to 3 months after the end of the schedule to complete this action.

    The DT website uses cookies (and similar technologies) and all but strictly necessary ones, if used at all, will require the users’ permission before they are dropped. A separate ‘Use of Cookies Policy’ can be found on the website homepage.

    DT’s website may link to appropriate websites of potential interest. If these are used, the visitor should be aware that DT has no responsibility for the control, content or handling of personal data by these other websites.

    The General Data Protection Regulation defines the rights that you have (although these do not apply in all situations). For convenience, these rights are shown below:

    • Right to be informed as to how your personal data is being processed by us – this is done through this statement;
    • Right to access your personal data held by us which is done by making a ‘Data Subject Access Request’ (DSAR) to the DT DPO;
    • Right to rectification of your personal data if you believe DT has collected it incorrectly or it needs to be updated;
    • Right to erasure of your personal data for which we no longer have a legitimate purpose to process or where your interests outweigh our own;
    • Right to restrict processing under certain circumstances, during which time your personal data will not be in operational use until the related matter is resolved;
    • Right to data portability of your personal data in a machine-readable version, as you have provided but only applicable to data provided with your consent or under contract;
    • Right to object to DT processing your personal data for which it does not have a legal or contractual obligation; and
    • Rights related to automated decision making and profiling (however DT does not use these techniques in its decision making).

    DT will recognise any and all breaches of the GDPR, including a breach of any of the data protection principles, and these shall be reported to the Data Protection Officer as soon as they are discovered. The data breach procedure is shown below:

    Once notified of a data breach, the Data Protection Officer shall assess:

    • the extent of the breach;
    • the risks to the data subjects as a consequence of the breach;
    • any security measures in place that will protect the information;
    • any measures that can be taken immediately to mitigate the risk to the individuals.

    Unless the Data Protection Officer concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of DT, unless a delay can be justified.

    The Information Commissioner shall be told:

    • details of the breach, including the volume of data at risk, and the number and categories of data subjects;
    • the contact point for any enquiries (which shall usually be the Data Protection Officer);
    • the likely consequences of the breach;
    • measures proposed or already taken to address the breach.

    If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals then the Data Protection Officer shall ensure that data subjects are notified of the breach without undue delay unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals.

    Data subjects shall be told:

    • the nature of the breach;
    • who to contact with any questions;
    • measures taken to mitigate any risks.

    The Data Protection Officer shall then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed by the board and a decision made about implementation of those recommendations.

    Further details on data subjects’ rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.

    Raising concerns, exercising rights or making queries about our processing of personal data can be done by contacting the DT DPO. Please be aware that we will need to verify your identity before responding fully; therefore, you may be asked for proof of your ID. Alternatively, you may wish to contact the ICO directly, using the details provided above, but naturally we would welcome the opportunity to handle any concerns you have first.

    Next Review: No later than September 2025