Privacy and Data Policy

Privacy and Data Policy

Data Protection and Privacy Policy

  1. Policy Statement

Vision Academy is committed to protecting the privacy and personal data of our students, parents, and staff. We recognise our responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We ensure that all personal information is collected, stored, and processed lawfully, fairly, and transparently. We are registered with the Information Commissioner’s Office (ICO) and adhere to its requirements.

  1. Scope

This policy applies to:

  • All personal data held by Vision Academy relating to students, parents, staff, and contractors.
  • Data collected in both paper and electronic form.
  • All staff and tutors who handle personal data on behalf of Vision Academy.
  1. Data We Collect

Vision Academy collects personal data for the purpose of delivering educational services. This may include:

For Students:

  • Full name, date of birth, and gender.
  • Contact details (address, phone, email).
  • Emergency contact details.
  • Educational records (school year, academic progress, assessment data).
  • Medical information relevant to safeguarding and health.

For Parents/Guardians:

  • Full name and contact details.
  • Relationship to the student.
  • Payment and billing details.

For Staff/Tutors:

  • Contact details.
  • Proof of identity and qualifications.
  • Employment references.
  • DBS check records.
  1. Purpose of Data Collection

Data is collected for the following purposes:

  • To provide tuition and educational support.
  • To monitor student progress and share updates with parents.
  • To safeguard student health and wellbeing.
  • To process tuition fees and financial transactions.
  • To comply with legal obligations (e.g., safeguarding, tax).

We will never sell personal data to third parties.

  1. Lawful Basis for Processing

Vision Academy relies on the following lawful bases for processing personal data:

  • Consent: where parents/guardians give permission (e.g., use of student photos for marketing).
  • Contract: processing necessary to deliver tuition services agreed with parents.
  • Legal obligation: compliance with safeguarding, child protection, and financial regulations.
  • Vital interests: safeguarding children in emergencies.
  • Legitimate interests: maintaining records and communication necessary for the efficient running of the academy.
  1. Data Storage and Security

Vision Academy ensures all personal data is stored securely.

  • Paper records are stored in locked cabinets with restricted access.
  • Electronic records are stored on password-protected systems with encrypted backups.
  • Staff are trained in secure handling of data.
  • Personal data is only accessible to staff who need it to fulfil their role.
  1. Data Sharing

Vision Academy may share data in the following circumstances:

  • With emergency services in the event of a medical emergency.
  • With safeguarding authorities where a child’s welfare is at risk.
  • With regulatory bodies (e.g., HMRC for financial compliance).
  • With IT and service providers who support our operations (subject to data processing agreements).

We do not share data with third parties for marketing or commercial gain.

  1. Data Retention

Personal data will not be kept longer than necessary. Our retention schedule is as follows:

  • Student and parent records: retained for 6 years after a student leaves Vision Academy.
  • Safeguarding records: retained for 25 years in line with statutory guidance.
  • Financial records: retained for 7 years for tax purposes.
  • Staff records: retained for 6 years after leaving the academy.

After this period, records will be securely destroyed (shredded or permanently deleted).

  1. Rights of Parents and Students

Under the UK GDPR, parents/guardians (and students where applicable) have the right to:

  • Access their personal data (Subject Access Request).
  • Rectify incorrect or incomplete data.
  • Erase data (the “right to be forgotten”), subject to legal obligations.
  • Restrict processing in certain circumstances.
  • Object to processing carried out under legitimate interests.
  • Data portability where applicable.

Requests should be made in writing to the Data Protection Officer (DPO). We will respond within one calendar month.

  1. Data Breach Procedure

Vision Academy takes all breaches of personal data seriously. In the event of a data breach:

  • The Data Protection Officer will investigate immediately.
  • The ICO will be notified within 72 hours if the breach poses a risk to individuals.
  • Affected parents/students will be informed promptly.
  • Steps will be taken to mitigate and prevent recurrence.
  1. Use of Photography and Media
  • Student photographs or videos may be used for internal teaching records and progress monitoring.
  • Public use (marketing, website, social media) requires explicit parental consent.
  • Parents may withdraw consent at any time.
  1. Staff Responsibilities
  • All staff must complete data protection training.
  • Staff must not store personal data on personal devices unless authorised and encrypted.
  • Staff must ensure documents are not left unattended.
  • Any suspected breach must be reported immediately to the DPO.
  1. Data Protection Officer (DPO)

Vision Academy has appointed a Data Protection Officer responsible for:

  • Monitoring compliance with data protection laws.
  • Responding to Subject Access Requests.
  • Reporting breaches to the ICO.
  • Reviewing and updating this policy annually.

Contact:
Ibrahim Ali
Data Protection Officer
Vision Academy
ibrahim.ali@vision-academy.co.uk

  1. Review of Policy

This policy is reviewed periodically by the Data Protection Officer and approved by the academy’s leadership. Updates are made in line with changes in law or ICO guidance.

Signed:

DPO, Vision Academy
Date: 02.09.2025