Privacy and Data Protection (GDPR) Policy

SPM Development Services Limited Assessment Policy May 2025

Reviewed and Updated: September 2025

Next Review: September 2026, or sooner if awarding body or JCQ guidance changes.

Introduction

Your privacy is important to us. This policy explains how SPM Development Services Ltd protects and uses personal data in compliance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). It sets out the rights of individuals, the responsibilities of SPM, and how we keep data safe.

Who We Are

SPM Development Services Ltd is the data controller for the personal data we collect and
process. Director and Data Controller: Simon Piper-Masha
Address: 90 East India Way, Croydon, Surrey, CR0 6RZ
Website: http://spmdevelopmentservices.co.uk
What Information We Collect

We collect personal data about students, their parents or carers, tutors, and staff. This may include:

  • Names, contact details and addresses
  • Names, contact details and addresses
  • Tuition needs and support requirements
  • Right to work information and qualifications (for tutors/staff)
  • Employment records and references Purpose and Lawful Basis for Processing We process personal data for the following purposes:
  • To provide education and tuition services
  • To ensure safeguarding and welfare of children
  • To manage safe recruitment and HR processes
  • To meet contractual and legal obligations Our lawful bases for processing include:
  • Contractual necessity
  • Legal obligations
  • Legitimate interests
  • Consent (where appropriate, e.g. use of images)

Safeguarding and Information Sharing

Safeguarding the welfare of children is our highest priority. Where safeguarding concerns arise, information may be shared with other agencies without consent if necessary to protect a child or young person. This is in line with Keeping Children Safe in Education (2025) and Working Together to Safeguard Children (2023). The Designated Safeguarding Lead (DSL) is responsible for decisions about safeguarding information sharing.

Security Measures

SPM uses technical and organisational measures to protect data against loss, damage or unauthorised access. These include secure storage, password protection, restricted access, encryption where appropriate, and regular staff training in data protection.

Staff Responsibilities

All staff, tutors and contractors must:
  • Only collect and use data necessary for their role
  • Keep records factual, accurate and secure
  • Report any data breaches or concerns immediately to the Director
  • Follow SPM policies on safeguarding, online safety and record keeping Data Breach Notification If a data breach occurs, SPM will notify the Information Commissioner’s Office (ICO) within 72 hours, where required. Individuals affected will also be informed without delay if the breach poses a high risk to their rights and freedoms.

Retention of Information

We keep personal data only as long as necessary for legal or operational purposes. Typical

retention periods are:

  • Student records: until the student turns 26
  • Tutor/mentor records: 5 years after ceasing work with SPM
  • Staff records: 3 years after employment ends
  • Client records: 10 years Records may be kept longer where safeguarding or legal requirements apply. Your Data Protection Rights
Under data protection law, individuals have the following rights:
  • Right of access – request copies of your personal data
  • Right to rectification – correct inaccurate or incomplete data
  • Right to erasure – request deletion of data in certain circumstances
  • Right to restrict processing – request limits on how data is used
  • Right to data portability – request transfer of data to another provider
  • Right to object – object to processing of personal data Requests will be responded to within one month and will be free of charge.

Complaints

If you have concerns about how SPM handles your personal data, please contact the Director at the above address. If you are not satisfied, you can also complain to the Information Commissioner’s Office (ICO): www.ico.org.uk

Policy Review

This policy will be reviewed annually, or sooner if legislation or statutory guidance changes.