Privacy and Data Policy
Prepped Academy
Data Protection Policy
Version: 1.0
Effective Date: September 2025
Review Date: September 2026
Approved By: George Bradley
This Data Protection Policy sets out how Prepped Academy manages personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and other applicable legislation. It applies to all employees, tutors, contractors, volunteers and anyone handling personal information on behalf of Prepped Academy.
1. Purpose
This policy explains how personal information must be collected, used, stored, shared and disposed of. It supports compliance with legal obligations and helps protect the privacy of students, parents, staff and partner organisations.
2. Scope
This policy applies to all personal data processed by Prepped Academy, whether held electronically, on paper or verbally. It covers information relating to students, parents, carers, schools, local authorities, staff, contractors and suppliers.
3. Data Protection Principles
Prepped Academy will ensure that personal data is:
• Processed lawfully, fairly and transparently.
• Collected for specified purposes only.
• Adequate, relevant and limited to what is necessary.
• Accurate and kept up to date.
• Retained only as long as necessary.
• Kept secure using appropriate technical and organisational measures.
• Managed in a way that demonstrates accountability.
4. Roles and Responsibilities
The organisation is responsible for ensuring compliance with UK GDPR.
Data Protection Lead: George Bradley
All staff, tutors and contractors must:
• Follow this policy.
• Protect confidential information.
• Report suspected data breaches immediately.
• Complete required training.
5. Lawful Basis for Processing
Personal data will only be processed where there is a lawful basis, including consent, contract, legal obligation, legitimate interests or another applicable lawful basis.
6. Special Category Data
Where necessary, Prepped Academy may process SEND information, medical information or safeguarding information. Additional safeguards will always be applied.
7. Children's Data
We recognise that children's personal data requires additional protection. Information will only be collected where necessary for educational provision, safeguarding or legal obligations.
8. Collecting Personal Information
Personal information may be obtained directly from parents, carers, students, schools, local authorities, referral agencies or through our website and secure forms.
9. Using Personal Information
Information may be used to:
• Deliver educational services.
• Communicate with parents and schools.
• Monitor attendance and progress.
• Meet safeguarding responsibilities.
• Comply with legal obligations.
• Improve our services.
10. Data Sharing
Personal information will only be shared where there is a lawful basis. This may include schools, local authorities, safeguarding agencies, professional advisers and trusted IT providers.
11. Information Security
Prepped Academy will:
• Restrict access to those with a business need.
• Use password-protected devices.
• Keep software up to date.
• Store paper records securely.
• Encrypt devices where possible.
12. Passwords and IT Security
Strong passwords, multi-factor authentication where available, secure networks and approved systems must be used. Passwords must never be shared.
13. Email and Electronic Communications
Personal data should only be sent using approved email systems. Sensitive information should be encrypted or password protected where appropriate. Staff must check recipients before sending emails.
14. Paper Records
Paper records containing personal information must be stored securely and shredded using confidential waste when no longer required.
15. Remote Working
Staff working remotely must ensure devices are secure, avoid public Wi-Fi unless protected, keep paperwork secure and report any loss immediately.
16. Data Retention
Records will be retained only for as long as necessary in accordance with legal, contractual and safeguarding requirements. A separate retention schedule should be maintained.
17. Individual Rights
Individuals have rights including access, rectification, erasure, restriction, objection and data portability where applicable. Requests should be forwarded promptly to the Data Protection Lead.
18. Subject Access Requests
Requests for access to personal data should be acknowledged promptly and managed in accordance with UK GDPR timescales.
19. Data Breaches
Any actual or suspected data breach must be reported immediately to the Data Protection Lead. Breaches will be investigated, documented and reported to the ICO where required.
20. Staff Training
All staff, tutors and contractors handling personal information should receive appropriate data protection and information security training.
21. Monitoring and Compliance
Compliance with this policy will be monitored periodically. Failure to comply may result in disciplinary action or termination of engagement.
22. Policy Review
This policy will be reviewed annually or sooner where legislation, guidance or organisational changes require.
23. Complaints
Prepped Academy is committed to handling personal information responsibly and in accordance with UK data protection legislation.
If you have any concerns about how we have collected, used or protected your personal information, please contact us in the first instance so that we have the opportunity to investigate and resolve your concerns..
24. Contact Details
Email: hello@preppedacademy.co.uk
Data Protection Lead: George Bradley, Managing Director
If you remain dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection.
Further information about making a complaint can be found on the ICO website: https://ico.org.uk/make-a-complaint/
Document Control
Policy Owner: George Bradley
Approved By: George Bradley
Version: 1.0
Effective Date: September 2025
Review Date: September 2026
