Privacy Policy

Last updated: November 2022

Introduction

Your privacy is important to us.  This privacy policy explains how we maintain the privacy of your personal data and explains your legal rights and our legal obligations in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) 2018 (collectively, the “GDPR Regulations”).

It explains what information we collect about you, the lawful basis and purpose for which we collect the information, how we use your information and protect its privacy and under what circumstances we disclose it.  This notice also provides further information on your rights under GDPR and the actions you can take to address any concerns you may have. Please read it carefully. If we update this policy, we will post any changes on our website.

Who are we?

In this policy, “we”, “our” or “us” refers to Bright Heart Education Ltd and Bright Heart Education Consulting LLP. Their legal information is:

Bright Heart Education Ltd, registered in England and Wales under company number 11179043, registered office 20 – 22 Wenlock Rd, London, N1 7GU and Bright Heart Education Consulting LLP, registered in England and Wales under company number OC434055, registered office 20 – 22 Wenlock Rd, London, N1 7GU.  Our website is at https://www.brightheart.co.uk/.

We provide self-employed tutors to clients as an employment business through Bright Heart Education Ltd, and provide tuition services to certain clients as a principal (using our own employees) through Bright Heart Education Consulting LLP. 

For the purposes of the GDPR Regulations, we are the data controller. We are registered on the Information Commissioner’s Office (ICO) data protection register (as a data controller) with entry URL https://ico.org.uk/ESDWebPages/Entry/ZA788776.  

Note that for tutoring under the National Tutoring Programme (“NTP”), the Department for Education (DfE) is the controller of certain personal data (for example relating to tutors), and Tribal Education Limited (“Tribal”) and we are the processors of this data for GDPR purposes. School clients under the NTP are the controllers of certain personal data (for example relating to pupils), and we are the processors of this data for GDPR purposes.

What information do we collect about you?

We collect personal data about students, their parents, legal guardians or other persons that arrange for tuition on their behalf (i.e. clients), tutors that wish to provide tuition on our behalf, and our staff. The information collected may include:

Information typically collected:

Clients

Students

Tutors

Staff

  • Relevant personal details
   Yes    Yes  Yes Yes
  • Contact Details 
   Yes   Yes Yes
  • Bank account information
Varies   Yes Yes
  • Date of birth
     Yes  Yes Yes
  • School information, incl. subjects
     Yes  
  • Interests, hobbies, learning likes and dislikes
     Yes  
  • Special requirements, e.g. SEN / EHCP
     Yes  
  • Tuition lesson reports
     Yes  Yes Yes
  • CVs, cover letters and interview notes
    Yes Yes
  • References and academic certificates
    Yes Yes
  • Criminal records background checks and other checks required by our Safer Recruitment Policy
    Yes Yes
  • Test results of nasen SEN training course
    Yes Yes

Note that the GDPR Regulations have additional requirements in place that must be met in order to store personal data relating to criminal records background checks (specifically in our case, an Enhanced Disclosure & Barring Service (DBS) Certificate).  We are entitled to request and store this personal data as we are supplying tuition services to children and, in certain cases, to vulnerable adults with special educational needs (SEN).  We also require our tutors to register for the DBS update service and provide us with permission to use the update service to check that their Enhanced DBS Certificates remain valid.

How do we collect this information?

We may collect and process information you give us (or certain third party service providers), for instance by filling in online forms, by contacting us by phone (calls made to and from our business phone line are recorded for internal monitoring purposes), email, online chat or otherwise, by providing us with information during a consultation, or by filling in your details and feedback on tuition using our secure management information system, TutorCruncher.

In the event that you apply for a job with us or to represent us as a tutor, we will require detailed information about you in order to make sure that you are suitable for the role and to comply with our Safeguarding and Child Protection Policy – information will be gathered by way of a face-to-face interview, provided by you, and, with your permission, provided by third parties.

In addition, when you visit our website we may automatically collect technical information including the Internet Protocol (IP) address used to connect your computer to the internet, and information about your site visit.  Please refer to our separate Cookies Policy for further information.

On what basis do we use your information?

Our lawful basis for processing your data is contractual. We use the information we collect from you for a variety of purposes, including to provide you with the tuition services or with an introduction to provide tuition services (or to provide you with a consultation in connection with providing you with such services), to provide you with information by post, email, telephone, SMS or otherwise about those services and to notify you about changes to our services. We also process personal information to maintain our accounts and records and to support and manage our employees and the tutors that agree to represent us as independent self-employed tutors under a Contract for Services.

We may also use your information to notify you about news, events and other updates we consider may be of interest to you where you have opted in to receive such communications (and have not notified us of your intention to withdraw your consent).

Where we store your personal data

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Your financial information (where applicable, for example with respect to clients, if you are a direct debit client), together with most other client and tutor personal information is stored using our secure management information system, TutorCruncher.  TutorCruncher’s systems are hosted with Heroku on Amazon AWS, which is used globally by companies of all sizes. The data centre operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

More information on Heroku and AWS can be found at https://www.heroku.com/policy/security and https://aws.amazon.com/security/.  Passwords provided to our clients and tutors through TutorCruncher are hashed using PBKDF2, with a 256-bit SHA (secure hash algorithm), to ensure a high degree of data security. If you have any questions about TutorCruncher’s security, please email them using [email protected] or alternatively, let us know, and we will follow up directly on your behalf.  Tutors cannot see the personal details of the clients or students, and clients cannot see the personal details of tutors.

All personal data not stored in the TutorCruncher management information system is stored using Microsoft Office 365’s secure cloud-based server, with two-step verification required to access our server and protection provided by Microsoft’s stringent security measures, which include advanced encryption of the data in transit and data at rest.

Our website uses an SSL (Secure Sockets Layer) Certificate provided by Starlight Technologies LLC to help protect your data.  This SSL uses SHA-2 256-bit encryption and a 2048-bit signing algorithm to encrypt the personal information that is submitted using our website.

Disclosure of your information

We share certain personal data about the student as well as the client’s contact information with the tutor(s) and / or staff that we think would be suitable for your assignment.  Where information is considered sensitive, for example, information shared with us from a student’s Education, Health and Care Plan (EHCP), we will specifically seek your permission before sharing it with a tutor.  In all other cases, we will share information that we feel is relevant to helping the tutor provide the tuition services, unless you request otherwise. Each tutor signs a Contract for Services with us which requires them to maintain the confidentiality and security of any information shared with them about the client and / or student and any information gathered by them in the course of providing tuition.  Tutors agree not to disclose such information to a third party, other than as required by law, court order or any governmental or regulatory authority, or in terms of our Safeguarding and Child Protection Policy.

We also provide information about tutors and / or staff to clients to help them determine whether they would like to proceed with a particular tutor / staff member for tuition.  Clients are required to maintain the confidentiality of this information in accordance with the terms and conditions that they agree to in using our services and not disclose the information to any third party, other than as required by law, court order or any governmental or regulatory authority, or in terms of our Safeguarding and Child Protection Policy.

For NTP tutoring, tutors’ and staff personal data may be shared with Tribal (as the data processor on behalf of the DfE) for the purposes of auditing compliance with safer recruitment, and data relating to safeguarding allegations and incidents, including personal data (including special category data) relating to students, tutors and other personnel engaged by us, may be shared with Tribal for safeguarding requirements and quality assurance purposes.

Tribal and the DfE will only share and use data provided by us in a lawful, fair and transparent manner in conformance with applicable GDPR Regulations and the Human Rights Act, 1998. For further information on how Tribal handles data, please see Tribal’s Privacy Policy. For more information about how the DfE handles personal data, please see the DfE’s personal information charter here https://www.gov.uk/government/organisations/department-for-education/about/personal-information-charter.

We will never sell, trade, or disclose any personal information to any third party (other than to any of our service providers, and only to the extent necessary to provide such service and in cases where we are satisfied with their privacy policies and procedures), other than as required by law, court order or any governmental or regulatory authority, or in terms of our Safeguarding and Child Protection Policy. Third-party service providers also have in place their own privacy policies, which prevent them from selling, trading or renting your personal information to others. These can be read at:

  – https://secure.tutorcruncher.com/terms/;

  – https://www.drift.com/gdpr/;

  – https://mailchimp.com/legal/privacy/;

  – https://www.circleloop.com/privacy; and

  – https://www.xero.com/za/about/privacy/.

We confirm that we do not transfer personal data outside of the European Union.

Our retention of your information

We retain client information for a period of 10 years after tuition services have ceased – this helps us to maintain a record of all clients that have joined us as members and are therefore entitled to introductions to tutors at no further registration fee.  We retain student information until the student turns 26 years old (this is to enable us to retain information on students that may be covered under the ‘Special educational needs and disability code of practice: 0 to 25 years’). We retain tutor information for a period of 5 years after the tutor has ceased to tutor for us.  We retain staff data for a period of 3 years after the staff member has ceased to work for us.

Your rights as a data subject

The GDPR Regulations provide data subjects certain rights relating to the processing of their personal data.  Given the nature of personal data processed by us, and the lawful basis we have identified for doing so, you have the following rights:

  • You may request from us access to the personal data we process concerning you through making a subject access request (note that we already provide access to personal data stored in our TutorCruncher management information system through providing a secure login to clients and tutors).

  • You may request rectification of the personal data we process concerning you where it is incomplete or inaccurate.

  • You may request, subject to certain criteria, the erasure of the personal data we process concerning you (note that this may impact the services we provide, and where you have provided any tuition as a tutor on our behalf, we may not be able to remove certain information we hold about you as evidence of our verification of your suitability to be a tutor, other than in accordance with the Contract for Services you signed with us).

  • You may request that we restrict the processing of personal data concerning you.  Restriction means that we will only store the personal data and not further process it.

  • You have the right to data portability whereby we will provide you (or another data controller where technically feasible) your personal data in a structured, commonly used and machine-readable format.

You can make a request exercising your rights by contacting us via email at [email protected] or you may write to us at our registered office address: Bright Heart Education Ltd, 20 – 22 Wenlock Rd, London, N1 7GU.

Please note that while we will endeavour to make the updates as promptly as possible, communications may be sent using the original details until the changes have been processed.

Further information about your data rights is provided at https://ico.org.uk/your-data-matters/.

Data protection insurance

We have in place cyber and data protection insurance with a reputable insurer (Hiscox Business Insurance), with £250,000 of annual cover. This insurance is designed to support and protect us from evolving cyber threats and risks associated with data. Through this policy, we have access to the Hiscox CyberClear® Academy, which is a GCHQ-certified, web-based training platform that assists us in the prevention of network, cyber and privacy losses.

Lodging a complaint with the Information Commissioner’s Office

If you feel that your personal data has been, or is being, processed in an inappropriate manner or you feel that your rights as described above have been infringed, you may lodge a complaint with the Information Commissioner’s Office (ICO).  The ICO is the UK’s supervisory authority regarding data protection matters and has a responsibility to act on complaints made to it.  You may lodge a complaint by visiting their website https://ico.org.uk/concerns/ or by calling the ICO’s helpline on 0303 123 1113.

Social media and other websites

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.  We also encourage you to consult the guides provided on the ICO’s website with respect to protecting your privacy when using popular social media sites i.e.

https://ico.org.uk/your-data-matters/be-data-aware/social-media-privacy-settings/