DATA PROTECTION & PRIVACY POLICY
The Headteacher’s Report Limited
1. Who We Are
The Headteacher’s Report Limited (“we”, “us”, “our”) is a company registered in England and Wales (Company No. 222374336).
Registered Office:
3000 Aviator Way
Manchester Business Park
Manchester
M22 5TG
We are registered with the Information Commissioner’s Office (ICO).
For all data protection enquiries:
📧 [email protected]
2. Our Role Under UK GDPR
Depending on the context, we act as either:
A. Data Controller
When processing:
- Website visitor information
- Account registration details
- Direct enquiries
- Marketing subscriptions
- Billing and administrative records
B. Data Processor
When providing our platform services to schools.
In these cases:
- The school is the Data Controller
- We act as Data Processor under Article 28 UK GDPR
- We process data only on the documented instructions of the school
3. The Services We Provide
We provide an online platform that assists schools with:
- Headteacher reporting
- Self-evaluation documentation
- Policy documentation
- Compliance-related drafting
- AI-assisted content generation
4. Categories of Personal Data We Process
When Acting as Controller
We may process:
- Name
- Email address
- School name and address
- Telephone number
- Login credentials
- Communication history
When Acting as Processor for Schools
Where schools use our platform, we may process:
- Aggregated pupil population data
- Attendance statistics
- Demographic breakdowns (non-identifiable)
- School-level performance summaries
- Staff role information (non-sensitive)
- Self-evaluation responses
- Policy documentation
Important Clarification
Via our integration with the Wonde API:
- We do not request or require directly identifiable pupil data (such as names, addresses, dates of birth, UPNs).
- We do not intentionally process identifiable pupil-level records within report outputs.
- Data is used in aggregated and statistical form.
Schools remain responsible for ensuring that only necessary and proportionate data is entered into the system.
5. Lawful Basis for Processing
When Acting as Controller
We rely on:
- Article 6(1)(b) Contract – To provide account access and services
- Article 6(1)(f) Legitimate Interests – To operate and improve our services
- Article 6(1)(c) Legal Obligation – For compliance with applicable laws
- Article 6(1)(a) Consent – For marketing communications where required
When Acting as Processor
Schools determine the lawful basis for the data they provide.
This will typically be:
- Article 6(1)(e) Public Task
- Article 6(1)(c) Legal Obligation
Where any special category data is processed, the school remains responsible for identifying the appropriate Article 9 condition.
6. Use of Artificial Intelligence (AI)
Our platform uses a commercial version of the ChatGPT API provided by OpenAI to generate suggested draft text.
How It Works
- Schools enter contextual and statistical information into our secure portal.
- Our system transmits relevant content securely via API to the AI provider.
- Schools do not submit data directly to the AI provider.
- AI-generated outputs are draft suggestions only.
All AI outputs require human review and approval before use.
AI Safeguards
- We use a paid commercial API service.
- Data submitted via API is not used to train public AI models.
- We instruct schools not to enter directly identifiable pupil data.
- The system does not make automated decisions about individuals.
The AI functionality is an assistive drafting tool only.
7. Sub-Processors
We use carefully selected third-party service providers who act as Sub-Processors when we act as Data Processor.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Wonde | MIS integration | UK |
| Linode | Cloud hosting | UK |
| Google Workspace | Business operations & backups | UK/EU/US |
| MailChimp | Email communications | US |
| OpenAI | AI text generation | US |
All Sub-Processors are subject to contractual data protection obligations.
8. International Transfers
Some of our service providers operate internationally.
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreements (IDTA)
- UK Addendum to Standard Contractual Clauses
- Adequacy decisions where applicable
9. Data Security
We implement appropriate technical and organisational measures, including:
- HTTPS secured with TLS encryption
- Encrypted database backups
- Encrypted inter-server communications
- Role-based access controls
- Secure API authentication
- Firewall protection
- Restricted administrative access
Access to personal data is limited to authorised personnel only.
10. Data Retention
We retain data only for as long as necessary:
- Account data is retained while a school relationship exists.
- Marketing data is retained until consent is withdrawn.
- School data is retained in accordance with contractual terms.
Schools may request deletion of their data in accordance with contractual and legal requirements.
11. Data Breaches
In the event of a personal data breach affecting school data:
- We will notify the relevant Data Controller (the school) without undue delay.
- We will cooperate fully in any required investigation or regulatory notification.
12. Your Rights (When We Act as Controller)
Individuals have the right to:
- Access their personal data
- Rectify inaccurate data
- Request erasure
- Restrict processing
- Object to processing
- Request data portability
- Lodge a complaint
Complaints may be made to:
Information Commissioner’s Office
www.ico.org.uk
13. Consequences of Not Providing Data
If required personal data is not provided, we may be unable to:
- Create user accounts
- Provide access to the platform
- Deliver contracted services
14. Changes to This Policy
We may update this policy periodically to reflect legal, technical or operational changes. The latest version will always be available on our website.
Use of Artificial Intelligence (AI) Services
1. Role in Data Processing
In providing our services to schools, we act as a Data Processor in accordance with Article 28 UK GDPR.
The school remains the Data Controller and is responsible for determining the lawful basis and purpose for processing personal data entered into our platform.
We process data solely in accordance with the school’s instructions and our contractual agreement.
2. Use of AI to Generate Draft Content
Our platform uses a commercial Artificial Intelligence (AI) service accessed via the ChatGPT API to generate suggested draft text for documents such as:
- Headteacher reports
- Self-evaluation documents
- Policy summaries
- Compliance documentation
Users enter relevant contextual and statistical information into our secure portal. Our system then submits appropriate data to the AI service via secure API in order to generate draft content.
Schools do not submit data directly to the AI provider.
All AI-generated content is subject to human review and approval before use.
3. Categories of Data Processed
Data submitted to the AI service may include:
- Aggregated pupil population data
- Attendance statistics
- Assessment summaries
- Policy information
- Contextual school information
- Self-evaluation responses
We do not require directly identifiable pupil data (such as names, dates of birth, addresses or unique identifiers) to be entered into the system.
Schools are responsible for ensuring that only necessary and proportionate personal data is entered into the platform.
4. Sub-Processors and International Transfers
We use a paid commercial version of the ChatGPT API provided by OpenAI as a Sub-Processor.
Where personal data is transferred outside the United Kingdom, appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. These safeguards may include:
- UK International Data Transfer Agreements (IDTA), or
- The UK Addendum to EU Standard Contractual Clauses.
Details of our Sub-Processors are available upon request.
5. Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encrypted transmission (HTTPS/TLS)
- Secure API authentication
- Access controls
- Role-based permissions
- Commercial terms with the AI provider that limit data use beyond service provision
6. Automated Processing
The AI system generates draft text only. It does not:
- Make automated decisions about individuals
- Produce legally binding outcomes
- Replace professional judgement
All outputs require human review.