1. Purpose
This Data Protection Policy sets out how Ten Points Education Limited (“Ten Points”, “we”, “our”, or “us”) ensures personal data is handled lawfully, securely, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant guidance.
As an EdTech provider, we act as a Data Processor on behalf of schools and educational institutions (the Data Controllers).
2. Scope
This policy applies to:
- all personal data processed by Ten Points in delivering our services;
- all employees, contractors, and third parties acting on our behalf; and
- all systems, applications, and environments where personal data is stored or processed.
3. Children’s Data & “Children’s GDPR”
Ten Points recognises that children’s personal data merits special protection. Our service is designed for schools and other educational institutions, not for direct use by children outside that context.
Our role as a Processor
- Ten Points acts solely as a Data Processor, processing children’s data only on the documented instructions of schools (the Controllers).
- Ten Points does not determine the purposes or lawful bases of processing. These are set by the school (e.g. fulfilling their public task).
- Ten Points does not use, sell, or repurpose children’s data beyond the school’s instructions.
Application of the Children’s Code (Age Appropriate Design Code, “Children’s GDPR”)
- The ICO has confirmed the Code applies mainly to online services offered directly to children.
- Ten Points’ service is not offered on a direct-to-consumer basis. Students only access the platform through their school.
- Ten Points only processes children’s personal data to fulfil the school’s public task and educational functions, and solely under the school’s instructions.
- On this basis, the Code does not directly apply to Ten Points.
Our voluntary commitments
Although the Code does not apply to us directly, we believe children’s privacy deserves the highest standards. We therefore:
- apply the spirit of the Children’s Code wherever possible;
- build privacy and data minimisation into the platform by design;
- provide schools with transparency and tools to respect children’s rights; and
- ensure data use is proportionate and strictly limited to educational functions.
4. Principles of Data Protection
We adhere to the principles under Article 5 of UK GDPR:
- lawfulness, fairness, transparency;
- purpose limitation;
- data minimisation;
- accuracy;
- storage limitation;
- integrity and confidentiality; and
- accountability.
5. Roles & Responsibilities
- The Board of Directors approves and oversees this policy.
- The Data Protection Officer (DPO) is James Carne (Registration No: ZB716018, email: [email protected]).
- All staff and contractors must complete training and comply with this policy.
6. Legal Basis for Processing
We process personal data only on documented instructions from our Customers (Controllers). The lawful basis for processing (public task, legitimate interests, or consent) is determined by the Controller.
7. Types of Data Processed
On behalf of Customers, we may process:
- student data – name, identifiers, class, house, behaviour points, wellbeing submissions, avatars, gender, analytics;
- teacher data – name, display name, classes, analytics, photos, gender;
- parent/guardian data – not collected or held unless explicitly instructed by the Controller;
- system data – logs, identifiers, access records, audit information; and
- financial data – not processed (e.g. payment card details of students or parents).
8. Artificial Intelligence (AI)
Ten Points may develop or use AI features within the platform.
Our AI commitments:
- explicit consent – we only train AI models on personal data with explicit consent from the Controller (and confirmation of any necessary parental/guardian consent);
- no unauthorised training – data entered into the platform is never used for AI training without explicit authorisation;
- transparency – schools are informed of any AI features and the data they involve;
- minimisation – AI features are designed to use the smallest dataset necessary, with anonymisation where possible; and
- oversight – the DPO and Board oversee AI use to ensure ethical and compliant application.
9. Data Security
We adopt robust measures to protect personal data:
- hosting & infrastructure – data encrypted in transit and at rest; hosting providers have no direct access;
- minimum access policy – staff granted the least privilege required;
- production database access – restricted to limited technical staff for troubleshooting;
- school-level access – limited to staff supporting that school; logged and auditable;
- monitoring & logging – all access and system changes recorded;
- staff vetting – annual privacy and cybersecurity training; DBS Basic Checks for all staff; and
- incident response – breach detection, notification, and recovery procedures in place.
10. Data Retention & Deletion
- Data retained only as long as necessary for contractual purposes or law.
- Upon termination, data is securely deleted or returned.
- Backups are securely stored and purged after a defined retention period.
11. Sub-Processors & International Transfers
- Sub-processors are contractually bound to UK GDPR standards and listed in the DPA.
- Where data is transferred outside the UK (e.g. to the US), appropriate safeguards such as Standard Contractual Clauses apply.
12. Data Subject Rights
We support Controllers in fulfilling data subject rights, including:
- access;
- rectification;
- erasure;
- restriction;
- portability; and
- objection.
Requests must be submitted via the Controller.
13. Data Protection Impact Assessments (DPIAs)
Ten Points will support Controllers in carrying out DPIAs where required, particularly for:
- high-risk processing of wellbeing or safeguarding data;
- introduction of AI-driven features; and
- any new or substantially changed processing that may affect children’s rights and freedoms.
14. Privacy by Design & Default
We are committed to embedding privacy at the heart of our service design:
- all new features undergo a privacy review during development;
- data collection is limited to what is necessary;
- privacy and data minimisation are applied as defaults; and
- security considerations are integrated from the earliest stages of design.
15. Data Portability & Exit Plan
- Schools (Controllers) may request a full export of their data during or at the end of their contract.
- Exports are provided in commonly used formats (e.g. CSV, xlsx).
- After the exit process, data is securely deleted from our systems within agreed timelines.
- We work with schools to ensure continuity and minimal disruption.
16. Breach Management
- Breaches reported immediately to the DPO.
- Controllers notified without undue delay.
- Support provided for ICO notifications within 72 hours, if required.
17. Review & Accountability
- Records of processing, risk assessments, and audits are maintained.
- Policy reviewed annually or when laws/practices change.
- Board approval required for updates.
Contact
Data Protection Officer
Ten Points Education Limited
Email: [email protected]