Data Protection Policy

The Literacy Tree Data Protection Policy – September 2025

Summary of Policy

The Literacy Tree Limited needs to collect personal information to effectively carry out our everyday functions and activities and to provide our products and services. Such data is collected from employees, members, international partners, customers, stakeholders, suppliers and clients and includes (but is not limited to), name, address, email address, data of birth, IP address, identification numbers, private and confidential information, sensitive information and bank/credit card details.

In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations, however we are committed to processing all personal information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws and any other relevant data protection laws and codes of conduct (collectively referred to as "the data protection laws").

The Literacy Tree Limited is committed to ensuring and maintaining the security and confidentiality of personal and/or special category data and all colleagues are responsible for handling data in accordance with this policy.

Scope

The purpose of this policy is to ensure compliance with the Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR) (EU) 2016/679 which govern any processing of information about living individuals and the rights those individuals have relating to this information. This legislation covers all personal information held in both electronic form and manual form.

The Literacy Tree Limited is both a controller and processor of personal data and is registered with the Information Commissioner's Office (ICO) as a Data Controller. The policy incorporates guidance from the ICO, and outlines how QAA will discharge its duties and obligations to comply with Data Protection legislation.

This policy applies to all parts of QAA and to all personal data held and processed by the organisation. This includes data held in any system or format, whether electronic or hard copy.

Adherence to this policy is mandatory for all employees of The Literacy Tree Limited whether permanent, fixed term or temporary, reviewers, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with The Literacy Tree Limited in the UK or overseas. Non- compliance could lead to disciplinary action.

Categories of Data

For the purposes of information categorisation, The Literacy Tree Limited applies the GDPR definitions of "personal data" and "special category data", as follows:

“Personal data” “Special category data”

Any information relating to an identified or identifiable natural person.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • a name
  • an identification number
  • location data
  • an online identifier or
  • to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Personal data revealing or relating to an identifiable natural person's:

  • racial or ethnic origins
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person
  • data concerning health or
  • data concerning a natural person's sex life or sexual orientation.

The Literacy Tree Limited ensures that personal data falling within the GDPR's "special categories" is handled with a particularly high level of care, due to the assumption that this type of information could be used in a negative or discriminatory way and is of a sensitive, personal nature to the persons it relates to. The processing of special category data by The Literacy Tree Limited is kept to the minimum necessary to enable us to perform our functions.

Policy

1. Data protection principles

1.1 Article 5 (2) of the GDPR requires that The Literacy Tree Limited, its employees and others who process or use any personal information shall be responsible for, and be able to demonstrate, compliance with the data protection principles.

1.2 The data protection principles state that personal data should be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

1.3 The Literacy Tree Limited’s policy is that the processing of all personal data should be safe, secure, ethical and transparent and we have procedures in place to enable data subjects to exercise their rights:

  • we protect the rights of individuals with regards to the processing of personal information
  • we develop, implement and maintain a data protection policy, procedure and training for compliance with the data protection laws
  • we record consent at the time it is obtained and evidence such consent where requested
  • we have a robust and documented Complaints Procedure and Data Incident Reporting policies for identifying, investigating, reviewing and reporting any breaches or complaints about data protection
  • we store and destroy all personal information in accordance with our Information Retention policy
  • any information provided to an individual in relation to personal data held or used about them, with be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language
  • we maintain records of processing activities

2. Records of processing where The Literacy Tree Limited is a Data Controller or Data Processor

2.1 2.1 Where we act either in the capacity as a data controller or in the capacity as a data processor (or a representative), our internal records of the categories of processing activities carried out will contain the following information:

  • the full name and contact details of the processor(s) and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer
  • the categories of processing carried out on behalf of each controller
  • where applicable, transfers of personal data to a third country or an international organisation (including the identification of that third country or international organisation and where applicable, the documentation of suitable safeguards)
  • a general description of the processing security measures applied (pursuant to Article 32(1) of the data protection laws).

3. External certification

3.1 The Literacy Tree Limited is committed to obtaining ISO 27001:2022 certification at some point in the near future.

4. Third-party processors

4.1 The Literacy Tree Limited utilises external processors for certain processing activities. We use information audits to identify, categorise and record all personal data that is processed outside of The Literacy Tree Limited, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. Such external processing may include (but is not limited to):

  • IT systems and services
  • Legal services
  • Payroll
  • Insurance
  • Financial sustainability, management and governance checks
  • Direct marketing / mailing services

4.2 We have due diligence procedures and measures in place and review, assess and background check all processors prior to forming a business relationship. In the course of these checks, we may obtain company documents, certifications and references to ensure that the processor is adequate, appropriate and effective for the task we are employing them for.

4.3 We ensure that Service Level Agreements (SLAs) and contracts containing appropriate compliance obligations are in place with all data processors via the contract approval process. Processors are notified that they must not engage another processor without our prior specific authorisation and any intended changes concerning the addition or replacement of existing processors must be done in writing, in advance of any such changes being implemented.

4.4 It is the responsibility of the contract manager to ensure that each of the processing activities specified in the contract are monitored, audited and reported on.

5. Data Subject Rights

5.1 The rights given to data subjects under Data Protection legislation are:

  • The right to be informed
  • The right of access to the information held about them (through a Subject Access Request)
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision-making and profiling

5.2 Under Data Protection Regulation legislation, data subjects have the right of access to their personal data held by The Literacy Tree Limited.

5.3 Any individual who wishes to exercise this right can do so verbally or in writing by contacting admin@literacytree.com.

6. Data Governance

6.1 Employee personal data: We do not use consent as a legal basis for obtaining or processing employee personal information. Our HR policies have been updated to ensure that employees are provided with the appropriate information about how we process their data and why.

6.2 The Literacy Tree Limited’s Privacy Notice tells you what to expect when we collect personal information to meet our legal, regulatory, statutory and contractual obligations and to provide members, international partners, customers and stakeholders with information, either about our products and services or about matters of public interest

6.3 Data storage: Information and records relating to data subjects will be stored securely and will only be accessible to authorised employees. Information will be stored for only as long as it is needed or in accordance with the required statute and will be disposed of appropriately.

6.4 Data accuracy: The Literacy Tree Limited takes reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes.

6.5 Audits & monitoring: Regular internal audits are completed independently by an outsourced consultant. We also have compliance monitoring processes with a view to ensuring that the measures and controls in place to protect data subjects and their information are adequate, effective and compliant at all times. The Literacy Tree Limited is accountable to the Board, in respect of compliance with this policy.

6.6 Training: The Literacy Tree Limited is committed to a staff awareness programme ensuring that new and existing employees are trained, assessed and supported in a variety of ways to discharge their data protection responsibilities in a variety of ways, including online and virtual induction.

7. Penalties for non-compliance

7.1 The Literacy Tree Limited understands its obligations and responsibilities under the data protection laws and recognises the severity of breaching any of these. We respect the Information Commissioner's authority to impose and enforce fines and penalties where there is a failure to comply with regulations, a failure to mitigate the risks where possible and operate in a knowingly non- compliant manner.

7.2 Employees should note the severity of such penalties and their proportionate nature in accordance with the breach, including the following:

Type of Breach Maximum Fine
Breaches of the basic principles for processing, conditions for consent, the data subjects' rights, the transfers of personal data to a recipient in a third country or an international organisation, specific processing situations or non-compliance with an order by the Information Commissioner. Administrative fines up to £17.5 million or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

8. Roles and responsibilities

8.1 As a Data Controller (or when acting as a joint Data Controller or a Data Processor), The Literacy Tree Limited has a corporate responsibility for the following:

  • complying with Data Protection legislation and holding records to demonstrate this
  • cooperating with the ICO, the UK regulator of Data Protection legislation
  • responding to regulatory / court action and paying fines issued by the ICO.

8.2 Roles and responsibilities are defined as follows:

  • Co-CEOs: The Literacy Tree Limited is a Data Controller, and the co-CEOs are responsible for ensuring that the requirements of "data protection laws" are met and the organisation provides sufficient resources to enable the company and all employees to comply with their data protection duties.
  • Employees: It is the responsibility of all employees to:
    • Ensure that they collect, store and process personal data in accordance with “data protection laws” and comply with The Literacy Tree’s Data Protection Policy.
    • Only use personal data for the purpose of their contracted duties.
    • Keep personal data secure, including following applicable company policies and processes.
    • Store contacts in approved and managed systems and not held in duplicate copies elsewhere.
    • Not attempt to gain access to information that it is not necessary for them to hold, know or process.
    • Ensure that any personal data obtained is accurate and relevant to the purpose for which it is required.
    • Successfully complete mandatory training.

The Literacy Tree Limited is committed to keeping a safe working environment and contributing to a safe and just society where people are treated fairly and respectfully, and where we anticipate and respond positively to unlawful circumstances. Any violation or non-compliance with this policy may be treated as a serious misconduct and may include termination of employment or contractual arrangements, civil or criminal prosecution.

The Literacy Tree Limited will commit necessary resources in terms of people, time, money and training to make sure that we comply with our statutory duties and that our equality scheme is implemented effectively.

For assistance or further guidance please contact Anthony Legon or Lynn Sear (co-CEOs)

Menu

My Cart

    Your cart is empty.

Subtotal

£0.00

or