Data Protection Policy
1. Introduction & Scope
Classroom365 Limited is committed to protecting the rights, privacy and personal data of individuals in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018 and other applicable data protection requirements.
This policy applies to all staff, contractors and relevant suppliers who handle or process personal data in connection with Classroom365’s operations and services.
This policy covers personal data held by the Company, including names, contact details, employment records, customer records, financial or contract records, technical identifiers and any other personal data processed during the delivery of our services.
Our public-facing Privacy Policy explains how Classroom365 collects, uses and protects personal data when individuals contact us, use our website or interact with our services.
2. Data Protection Principles
Classroom365 ensures that personal data is:
- processed lawfully, fairly and transparently;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- retained only for as long as necessary;
- processed securely using appropriate technical and organisational measures;
- managed in a way that supports accountability and compliance.
Financial, contractual and business records are normally retained for up to 6 years where required for legal, tax, contractual or accounting purposes. Other categories of personal data are retained in line with Classroom365’s data retention requirements and deleted when no longer needed.
3. Roles and Responsibilities
Board of Directors: Holds overall responsibility for data protection compliance, governance and resourcing.
Data Protection Officer / Data Protection Lead: Manages Classroom365’s data protection approach, advises on data protection matters, oversees Subject Access Requests, supports staff awareness and monitors compliance.
Systems Director: Ensures that IT systems, equipment, cloud services and technical controls are appropriately secured and managed.
Office Manager: Supports day-to-day data protection administration, marketing compliance, external communications and record keeping.
All Staff and Contractors: Responsible for handling personal data securely, following this policy, reporting concerns and only accessing personal data where there is a legitimate business need.
4. Operational Data Security
4.1 Physical Security
Paper Records: Sensitive paper files must be kept in locked drawers, cabinets or secure areas when not in use.
Disposal: Paper records containing personal data must be shredded or securely disposed of.
Clear Desk and Clear Screen: Staff must not leave personal data exposed unnecessarily. Computer screens must be locked whenever a workstation is left unattended.
4.2 Electronic Security
Access Control: Only authorised personnel with a legitimate business need may access personal data.
Passwords and Authentication: Strong, unique passwords must be used and must not be shared. Additional authentication controls must be used where required by company systems or customer requirements.
Storage: Personal data must be stored on approved company systems, secure servers or approved cloud services. Personal data must not be saved directly to unmanaged local laptops, desktops, removable media or personal devices.
Approved Systems: Cloud systems and third-party platforms used to process personal data must be reviewed and approved where appropriate, with suitable contractual, technical and organisational safeguards in place.
Backups: Data is backed up and tested in line with Classroom365’s standard IT and business continuity procedures.
4.3 Data Transfer and Sharing
Personal data must only be shared where there is a lawful, legitimate and necessary business reason.
Sensitive or confidential personal data must not be shared informally or sent using insecure methods.
Electronic transfers of sensitive or confidential personal data must use appropriate security controls, such as encryption, secure portals, access controls or approved file-sharing systems.
Personal data must not be transferred outside the UK unless appropriate legal safeguards are in place. These may include adequacy regulations, the International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or other appropriate safeguards. ICO guidance explains that appropriate safeguards may be needed for international transfers under UK data protection law.
5. Data Accuracy & Retention
Accuracy: Staff must take reasonable steps to ensure that personal data is accurate and kept up to date. Where inaccuracies are identified, they should be corrected promptly.
Marketing Data: Marketing data must be managed in line with applicable data protection and electronic marketing requirements. Suppression lists and unsubscribe requests must be respected.
Retention: Personal data must be retained only for as long as necessary for the purpose for which it was collected or where retention is required for legal, regulatory, contractual, tax, accounting or legitimate business reasons.
Basic customer, supplier, contract and financial records may be retained for up to 6 years after the end of the relationship, where required.
6. Rights of Individuals & Subject Access Requests
Individuals have rights under data protection law, including the right to access their personal data.
Subject Access Requests may be submitted to Classroom365 using the published contact details or by emailing office@classroom365.co.uk.
Classroom365 will verify the requester’s identity before disclosing personal data.
Subject Access Requests (SARs) will be handled without undue delay and normally within one month of receipt. ICO guidance confirms that organisations must respond to a SAR without undue delay and at the latest within one month. This period can be extended by a further two months where a request is complex or where multiple requests have been received from the same individual.
7. Personal Data Breaches
All staff and contractors must report any actual or suspected personal data breach immediately to the Data Protection Officer / Data Protection Lead, Senior Management Team or a Director. Classroom365 will assess the breach, record the incident and take appropriate steps to contain, investigate and remediate the issue.
Where a personal data breach is reportable, Classroom365 will notify the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of it.
Where a breach is likely to result in a high risk to individuals’ rights and freedoms, affected individuals will also be informed without undue delay.
8. Training, Awareness and ISO Evidence
Relevant staff receive appropriate data protection guidance, training or policy acknowledgement as part of Classroom365’s management system.
Records supporting this policy are retained securely in line with Classroom365’s document control and data protection procedures.
Records relating to recruitment, DBS checks, safeguarding concerns or school-site work are managed in line with this policy and, where applicable, our Safer Recruitment Policy and Safeguarding & Child Protection Policy.
Evidence may include:
- staff training or policy acknowledgement records;
- Subject Access Request records;
- data breach logs;
- supplier and processor records;
- data processing agreements;
- retention records;
- risk assessments or DPIAs where required;
- access control reviews;
- backup and security review records;
- internal audit findings;
- management review notes;
- corrective action records.
9. Review and Approval
This policy is reviewed annually or sooner where there are significant changes to data protection law, business operations, customer requirements, systems, suppliers, security risks or ISO management system requirements.
This policy has been reviewed and approved by the Board of Directors of Classroom365 Limited.
Document control
Version: 4.0
Last reviewed: May 2026
Next review due: May 2027
Approved by: Board of Directors
Policy owner: Classroom365 Limited