DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Tutoring Agencies: Protecting Student and Parent Data

Tutoring agencies occupy a uniquely sensitive position when it comes to data protection. They hold personal information about children and young people, their parents or guardians, and the tutors they employ or contract. They handle sensitive background check data, academic records, and financial details — all while operating largely without the compliance infrastructure that larger educational institutions take for granted.

If you run a tutoring agency, GDPR applies to you. Whether you work with primary school pupils, GCSE students, or university applicants, you are processing personal data — and in many cases, special category data about children. This guide covers the key GDPR obligations tutoring agencies need to understand.


Processing Children's Personal Data

Children receive enhanced protection under GDPR. The UK GDPR and the ICO's Children's Code (formally the Age Appropriate Design Code) both recognise that children are less able to understand the risks and consequences of sharing their personal data.

The key rule: if your tutoring service is directed at or likely to be accessed by children under 13, you need parental or guardian consent to process their personal data. Consent from the child themselves is not sufficient.

In practice, this means:

  • Enrolment forms for under-13s must be completed by a parent or guardian, not the child
  • Marketing to existing student families must be directed to parents, not children
  • Your privacy notice must be written in age-appropriate language if accessible to students
  • You should not require children to provide more personal data than is strictly necessary

For students aged 13 and over, the position is more nuanced. You will often be contracting with parents who are paying for the tuition, which makes the parent the natural data subject for billing and communication purposes. But the student's own data — academic progress, learning difficulties, subject performance — requires careful handling regardless of age.


Tutor Background Checks and DBS Data

If your tutors work with children, you will almost certainly require Disclosure and Barring Service (DBS) checks. DBS certificate information is criminal records data — a type of special category data under GDPR — and must be handled with particular care.

Key obligations:

  • Retain only what you need. The DBS Code of Practice states you should not keep DBS certificate information for longer than six months after the recruitment decision. Many agencies retain it for years — this is non-compliant.
  • Limit access. Only the people who need to see DBS information should have access to it. Don't store it in a shared drive or a CRM that your whole team can access.
  • Document your policy. A written policy on the use of DBS checks is required if you carry out more than 100 checks per year, and is good practice regardless of volume.
  • Never photocopy certificates unnecessarily. The DBS is clear that unless there is a legal obligation, you should record the certificate number, date, and outcome rather than retaining a copy.

Your privacy notice must include a specific section explaining why you collect DBS data, the legal basis (legitimate interest in safeguarding, or legal obligation), and how long you retain it.


Sharing Student Progress Data

One of the trickier areas for tutoring agencies is who can receive a student's progress data. The answer depends on who the data subject is, who has parental responsibility, and what data sharing arrangements have been agreed.

Typical scenarios:

  • Sharing with parents: Generally straightforward if parents have engaged and paid for the tuition. However, for older students (particularly those aged 16+), consider whether the student has their own right to privacy in relation to academic performance discussions.
  • Sharing with schools: Only with explicit consent from the parent (and, for older students, the student). A school requesting a progress update does not automatically entitle them to receive it.
  • Sharing between tutors: If a student moves to a different tutor within your agency, transferring their records internally is generally fine under your legitimate interest — but document this and be transparent in your privacy notice.

Avoid the common mistake of including progress notes in emails without considering who might have access to that email account, or of storing session notes in unencrypted spreadsheets accessible to your entire team.


Online Tutoring Platforms and Data Processing Agreements

If your tutors deliver sessions via Zoom, Microsoft Teams, Google Meet, Skype, or any third-party platform, you are using a data processor. Under GDPR Article 28, you must have a Data Processing Agreement (DPA) in place with each platform before using it to process personal data.

Most major platforms offer DPAs — but you need to actively sign or accept them, not assume they exist. Check:

  • Zoom: Data Processing Addendum available via their website
  • Microsoft Teams: Covered under Microsoft's Data Protection Addendum in the Microsoft Online Services Terms
  • Google Meet: Google's Workspace DPA, requires acceptance in the Admin Console
  • Skype/Teams for consumers: Less clear — consider whether consumer products are appropriate for processing children's data

You should also review where your platform stores data. Many US-based platforms transfer data to the United States. After Schrems II, you need to verify the transfer mechanism (typically Standard Contractual Clauses) and conduct a Transfer Impact Assessment if required.

Custodia can help identify what third-party services your tutoring agency's website is connecting to — including analytics, communication tools, and embedded content that may be sending data overseas without your knowledge.


Recording Online Tutoring Sessions

Recording sessions is increasingly common — for quality review, safeguarding purposes, or to share with parents. But recording creates significant GDPR obligations:

  • Explicit consent is required from the parent (for under-13s), the student, and the tutor before any session is recorded
  • Consent must be freely given, specific, informed, and unambiguous — a checkbox in your enrolment form buried under other terms is not sufficient
  • You must tell participants what the recording will be used for, who will have access, and how long it will be retained
  • The tutor's consent must be separate from any employment or contractor obligation — you cannot make recording a condition of engagement without careful legal consideration
  • Recordings of children are particularly sensitive — store them securely, limit access, and delete them when the stated purpose is fulfilled

Where recordings are used for safeguarding (e.g., to review a concern about a session), they may need to be retained longer — but that decision should be documented and proportionate.


Marketing to Parents via Email

Email marketing to parents is subject to both GDPR and the Privacy and Electronic Communications Regulations (PECR). The rules are distinct:

  • For existing customers (parents who have purchased tuition): You can use the "soft opt-in" to market similar services, as long as you offered a clear opportunity to opt out at the time of collection and in every subsequent message.
  • For new prospects: You need prior consent before sending marketing emails. Purchasing a mailing list of parents is almost certainly non-compliant.
  • Every marketing email must include an easy way to unsubscribe, and you must honour opt-outs promptly.

Your CRM should segment your list and flag opt-outs. Sending marketing to a parent who has unsubscribed is a PECR breach — and parent groups talk.


Tutor Contractor Data vs Employee Data

Many tutoring agencies use a mix of employed tutors and self-employed contractors. GDPR applies to both, but the relationship is different:

  • Employees: Data processing is typically justified under the contract of employment and legal obligations (PAYE, pension, right to work checks). Your employee privacy notice must cover all categories of data you collect.
  • Contractors: The legal basis shifts more towards contract performance and legitimate interest. Contractors retain stronger rights over their data, and you should not assume you can process contractor data in the same way as employee data.
  • For both: don't retain data after the relationship ends beyond what is required for legal or tax purposes. Most agencies can delete tutor data after 6-7 years post-engagement (to cover tax record retention requirements).


CRM Systems for Tracking Students

If you use a CRM — HubSpot, Salesforce, a custom spreadsheet, or a sector-specific platform like TutorCruncher — you are holding student and parent records in a system that needs to be properly configured for GDPR compliance:

  • Access controls: Not everyone on your team needs access to every record. Apply role-based access.
  • Data minimisation: Only store what you need. A CRM should hold contact details, booking history, and progress notes — not unrelated personal information.
  • Retention schedules: Configure your CRM to flag records for review and deletion when retention periods expire. Keeping student records indefinitely "just in case" is not compliant.
  • Processor agreements: If your CRM is a cloud-based platform, ensure you have a DPA in place.

Custodia's platform can audit your public-facing website and identify which third-party CRM or marketing tools are loading on your site, helping you understand your processor relationships before regulators ask.


Data Retention for Student Records

How long should you keep student records? GDPR requires you to keep data only for as long as necessary for the purpose it was collected. For tutoring agencies, a sensible framework:

Record Type                     Suggested Retention
-----------------------------   ---------------------------------------------
Student progress notes          Duration of tuition + 12 months
Parent contact details          Duration of relationship + 6 months
Financial records (invoices)    6-7 years (legal/tax obligation)
DBS check records               6 months after recruitment decision
Session recordings              30-90 days unless required for safeguarding
Tutor employment records        Duration + 6 years

Document your retention policy and review it annually. If a parent submits a deletion request (Right to Erasure), you need to know which records you're legally required to keep and which can be deleted.
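To make the retention table above operational, here is an added example (not code from the original post or from Custodia) of a small retention checker: each record type carries a retention rule keyed to its trigger event, records whose period has expired are flagged for review, and an erasure request gets a definite answer that distinguishes "delete" from "must retain" (legal/tax obligation, documented safeguarding hold, or relationship still ongoing). The record IDs, dates, and the safeguarding hold reference are constructed sample data; where the table gives a range (6-7 years, 30-90 days) the example takes the longer end as the review point, which is an assumption rather than something the article specifies.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def add_months(d: date, months: int) -> date:
    """Add whole calendar months, clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class RetentionRule:
    trigger: str                    # the event the retention clock runs from
    months: int = 0                 # retention period in calendar months ...
    days: int = 0                   # ... plus extra days
    legal_obligation: bool = False  # statutory duty that overrides an erasure request


# Periods follow the article's table. Where it gives a range (6-7 years,
# 30-90 days) this example uses the longer end as the review point; that
# choice is an assumption, not something the article specifies.
RULES: Dict[str, RetentionRule] = {
    "progress_notes":    RetentionRule("end of tuition", months=12),
    "parent_contact":    RetentionRule("end of relationship", months=6),
    "invoice":           RetentionRule("invoice date", months=84, legal_obligation=True),
    "dbs_check":         RetentionRule("recruitment decision", months=6),
    "session_recording": RetentionRule("recording date", days=90),
    "tutor_employment":  RetentionRule("end of engagement", months=72, legal_obligation=True),
}


@dataclass
class Record:
    record_id: str
    kind: str
    trigger_date: Optional[date]             # None while the clock has not started
    safeguarding_hold: Optional[str] = None  # documented reason for keeping past schedule


def review_date(rec: Record) -> Optional[date]:
    """Date the record falls due for review, or None if the clock has not started."""
    if rec.trigger_date is None:
        return None
    rule = RULES[rec.kind]
    return add_months(rec.trigger_date, rule.months) + timedelta(days=rule.days)


def retention_status(rec: Record, today: date) -> str:
    """active (relationship ongoing), hold (documented safeguarding hold),
    retain (within schedule) or review (schedule expired: delete or justify keeping)."""
    due = review_date(rec)
    if due is None:
        return "active"
    if rec.safeguarding_hold:
        return "hold"
    return "review" if today >= due else "retain"


def erasure_response(rec: Record, today: date) -> str:
    """Answer for a Right to Erasure request covering this record."""
    status = retention_status(rec, today)
    if status == "active":
        return "retain: relationship still ongoing"
    if status == "hold":
        return f"retain: safeguarding hold ({rec.safeguarding_hold})"
    if status == "retain" and RULES[rec.kind].legal_obligation:
        return f"retain: legal/tax obligation until {review_date(rec).isoformat()}"
    return "delete"


def flag_for_review(records: List[Record], today: date) -> List[str]:
    """IDs of records whose retention period has expired and need a deletion decision."""
    return [r.record_id for r in records if retention_status(r, today) == "review"]


def erasure_responses(records: List[Record], today: date) -> Dict[str, str]:
    return {r.record_id: erasure_response(r, today) for r in records}


# Constructed sample data: IDs, dates and the hold reference are invented.
TODAY = date(2024, 6, 1)


def sample_records() -> List[Record]:
    return [
        Record("P-1", "progress_notes", date(2023, 3, 31)),
        Record("P-2", "progress_notes", None),
        Record("F-1", "invoice", date(2020, 1, 15)),
        Record("D-1", "dbs_check", date(2023, 10, 1)),
        Record("R-1", "session_recording", date(2024, 1, 10),
               safeguarding_hold="concern logged under ref SG-EXAMPLE-001"),
        Record("R-2", "session_recording", date(2024, 5, 1)),
        Record("T-1", "tutor_employment", date(2017, 2, 28)),
    ]


if __name__ == "__main__":
    records = sample_records()
    print("Due for review:", flag_for_review(records, TODAY))
    for rid, answer in erasure_responses(records, TODAY).items():
        print(f"{rid}: {answer}")
```

Two design points worth noting: a record's clock only starts once its trigger event has a date (tuition still running means no review date yet), and a safeguarding hold is a free-text reason that must be recorded on the record itself, so the "documented and proportionate" decision the article asks for is visible to whoever handles the next erasure request rather than living in someone's inbox.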


Website Contact Forms and Cookies

Your tutoring agency's website likely has a contact form, a booking enquiry form, and possibly a live chat widget. Each of these processes personal data — and needs to be covered in your privacy policy.

Key requirements:

  • Contact forms must link to your privacy policy and ideally include a brief statement about how the data will be used
  • Cookies: If your site uses Google Analytics, Facebook Pixel, or advertising cookies, you need a cookie consent banner that obtains prior, active consent before these cookies load
  • WordPress/Wix/Squarespace sites: Many tutoring agency websites are built on platforms that load third-party scripts automatically — audit your site to understand what's actually firing

Run a free scan at app.custodia-privacy.com/scan to see exactly which cookies and trackers your website is loading — you may be surprised what's running without your knowledge or a lawful basis.


DSARs from Parents Requesting Their Child's Records

Parents have the right to submit a Data Subject Access Request (DSAR) on behalf of their child. This is a common scenario in tutoring: a parent who is dissatisfied with a tutor or concerned about a session may request all data you hold about their child.

Your obligations:

  • Respond within one calendar month of receiving the request
  • Provide all data you hold about the child and parent, including progress notes, emails, session records, and any internal notes
  • Verify identity before disclosing — a written request containing enough identifying information is usually adequate
  • Don't charge a fee in normal circumstances
  • Consider the child's interests: For older students, weigh whether disclosing information to a parent is in the student's best interests — particularly if there is any safeguarding concern

Keep a log of all DSARs received, the date, and your response. If you fail to respond or respond inadequately, the parent can complain to the ICO — and tutoring agencies have received enforcement action for exactly this.


Getting GDPR Right as a Tutoring Agency

GDPR compliance for tutoring agencies isn't just a box-ticking exercise. When you're trusted with children's personal data — their academic struggles, their home address, their safeguarding records — getting it right is a matter of professional responsibility.

The starting point is understanding what data you actually hold and what's happening on your website. Scan your tutoring agency's website for free at app.custodia-privacy.com/scan — Custodia identifies tracker scripts, cookie consent issues, and missing privacy policy elements in under 60 seconds, giving you a clear action list without the consultant fees.


This guide is for informational purposes and does not constitute legal advice. Tutoring agencies dealing with complex safeguarding data or special category data should seek advice from a qualified privacy solicitor.
