Version 2.0 · Effective 19 June 2026 · Next review 1 July 2027
How IWS Online School collects, uses and protects personal data, including children's data.
| Data controller | IWS Online School LTD |
|---|---|
| Registered office | 167–169 Great Portland Street, 5th Floor, London, England, W1W 5PF |
| Data protection contact | Lori Cali · [email protected] |
| ICO registration | ZB682634 |
| Safeguarding contact | Michelle Van Roon · [email protected] |
| Version | 2.0 — 2026 |
| Effective date | 19 June 2026 |
| Next review date | 1 July 2027, or sooner if required |
Related documents: Safeguarding & Child Protection Policy; Safeguarding Concern Reporting Form; Low-Level Concern Reporting Form; Allegation Against Staff Procedure; Website Terms & Conditions; Cookie Policy; Data Retention Schedule; Lesson Recording Protocol; Staff Code of Conduct; Acceptable Use Policy.
At IWS Online School, we collect information so we can teach you, support your learning, keep you safe, communicate with your parents or carer, and run your school account.
We only collect information we need. We do not sell your personal information.
We may share information with trusted people or organisations, such as teachers, learning platforms, payment providers, exam bodies, partner schools or safeguarding services, but only where there is a proper reason.
Some information is more sensitive, such as wellbeing, health, SEND, safeguarding or child protection information. We treat this carefully and only share it with people who need to know.
You or your parent/carer can ask us questions about your information by contacting our data protection contact at [email protected] or our safeguarding contact at [email protected].
IWS Online School ("IWS", "we", "us" or "our") is an online school delivering the Cambridge International curriculum to students in the UK, the EU/EEA and internationally.
We are committed to protecting the privacy and personal data of everyone we work with, especially children and young people. Children's personal data requires special care because children may be less aware of how their information is used and what rights they have.
This Privacy Policy explains what personal data we collect; why we collect it; the lawful bases we rely on; how we use children's data; how we handle safeguarding, wellbeing and child protection information; how we use lesson recordings and online learning data; who we share data with; how we protect data when it crosses borders; how long we keep data; what rights students, parents, carers, staff, applicants and other individuals have; and how to raise a data protection complaint.
This policy applies to students, parents, carers, prospective families, staff, applicants, contractors, partner schools, agents, website visitors and anyone else whose personal data we process.
IWS processes personal data mainly under UK data protection law, including the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025. Where IWS works with students, families or staff in the EU/EEA or other countries, IWS will also take account of applicable local data protection requirements, including the EU GDPR where relevant.
This policy should be read together with our Safeguarding & Child Protection Policy, Website Terms & Conditions, Cookie Policy, Data Retention Schedule, Lesson Recording Protocol and Acceptable Use Policy.
IWS Online School is the data controller for the personal data we collect and use. You can contact us about data protection at:
For safeguarding concerns, please contact:
Safeguarding concerns should be raised through the safeguarding route, not only through the data protection route.
We collect different types of personal data depending on your relationship with IWS.
We may collect and use the following information about students:
We may collect and use:
Full card or bank details are normally handled by our payment provider and are not stored by IWS in full.
We may collect and use:
Criminal record and safeguarding vetting information is handled with additional safeguards and access restrictions.
We may collect and use:
When someone uses our website, we may collect:
More information is provided in our Cookie Policy.
Some personal data requires extra protection. This may include health information; SEND or learning support information; wellbeing or pastoral information; safeguarding and child protection records; ethnicity, religion, language or nationality information where relevant and provided; and criminal record or vetting information for staff or applicants.
We only use this type of information where there is a lawful basis under UK GDPR and, where required, an additional condition under the Data Protection Act 2018. This may include safeguarding children, substantial public interest, employment obligations, legal claims, vital interests, or explicit consent where appropriate.
Because most IWS students are children, we put the child's best interests at the centre of our data protection decisions. We collect only what we need, limit access, explain things as clearly as possible, and apply additional safeguards to children's data.
We may collect personal data:
We use personal data only where we have a lawful basis to do so.
| Purpose | Examples | Lawful basis |
|---|---|---|
| Providing education | Enrolment, lessons, learning platform access, timetables, assignments, assessment, reports and academic support | Contract; legitimate interests |
| Communicating with families | Lesson updates, attendance, progress, administration, support and complaints | Contract; legitimate interests |
| Safeguarding and child protection | Recording and responding to concerns, referrals, safer recruitment, child protection action and information sharing | Legal obligation; vital interests; substantial public interest / safeguarding condition |
| Wellbeing and pastoral support | Success Coach support, wellbeing notes, student support planning | Contract; legitimate interests; safeguarding or special-category condition where relevant |
| Lesson recordings | Learning support, absence support, quality assurance, safeguarding review, complaint review and staff training where appropriate | Contract; legitimate interests; safeguarding condition where relevant |
| Payments and accounts | Invoices, payment plans, payment records, debt management and accounting | Contract; legal obligation |
| Recruitment and employment | Hiring, contracts, vetting checks, HR administration and staff training | Contract; legal obligation; legitimate interests; employment and safeguarding conditions where relevant |
| Legal and regulatory compliance | Accreditation, records, complaints, legal claims, safeguarding, tax and statutory obligations | Legal obligation; legitimate interests |
| Website security | Preventing misuse, fraud, cyber incidents and unauthorised access | Legitimate interests; legal obligation |
| Marketing and admissions communication | Open events, newsletters, admissions follow-up and programme updates | Consent where required; legitimate interests where permitted |
| Cookies and analytics | Website performance, visitor analytics and marketing tools | Consent for non-essential cookies |
| International education delivery | Supporting students and families in different countries and time zones | Contract; legitimate interests; legal obligation where applicable |
Where we rely on consent, consent can be withdrawn at any time. Where we rely on legitimate interests, we balance IWS's interests against the rights and freedoms of the individual, with particular care where children are involved.
Safeguarding information is handled with particular care. IWS may collect, record and share safeguarding information where this is necessary to protect a child, respond to a concern, comply with safeguarding duties, support a referral, or work with parents, carers, partner schools, police, children's social care or equivalent authorities.
Safeguarding information may include:
Safeguarding records are stored separately from ordinary academic records. Access is restricted to the DSL, Deputy DSL if appointed, Headteacher / Executive Head, authorised senior leaders and others who need access for safeguarding or legal reasons.
Data protection law does not prevent IWS from sharing information where this is necessary to keep a child safe. Staff must never delay safeguarding action because of uncertainty about data protection. Where in doubt, staff must speak to the DSL immediately.
As an online school, IWS may use lesson recordings and online learning data for legitimate educational, operational, quality assurance and safeguarding purposes. This may include allowing students to revisit learning; supporting absent students; helping teachers and Success Coaches support students; quality assurance and lesson review; staff support and training; investigating concerns or complaints; safeguarding and child protection review where necessary; and maintaining a safe online learning environment.
Lesson recordings must only be made through approved IWS systems. Staff must not make private recordings, screenshots or copies of students. Access to recordings is restricted to authorised users. Recordings must not be downloaded, shared or published unless this has been approved by IWS and is lawful.
Retention period for lesson recordings: Lesson recordings are normally kept for between 3 and 12 months and are not retained beyond 12 months, except where a recording is needed for safeguarding, complaint, legal or investigation purposes — in which case it may be kept for longer in line with our Data Retention Schedule and Safeguarding & Child Protection Policy.
We do not sell personal data. We may share personal data with trusted organisations and individuals where necessary, including:
| Recipient / category | Why data may be shared |
|---|---|
| Teachers, tutors, Success Coaches and IWS staff | To deliver education, support students and manage school services |
| Learning platform / LMS provider | To provide online learning access and learning records |
| Google Workspace / IWS email systems | To provide school accounts and communication tools |
| Virtual classroom provider, such as BigBlueButton | To deliver live lessons and one-to-one sessions |
| Payment provider | To process fees and payments securely |
| Cambridge International, exam centres or awarding bodies | To support exam guidance, registration, certification or academic progression where applicable |
| Partner schools and agents | To manage student support, partnership delivery, admissions or safeguarding responsibilities |
| Safeguarding authorities | To protect a child or respond to a child protection concern |
| Police or law enforcement | Where required by law or necessary to protect a child or others |
| Local Authority Designated Officer or equivalent | Where an allegation or adult conduct concern requires external safeguarding advice |
| Legal advisers, insurers and auditors | To obtain advice, manage legal claims or meet governance requirements |
| IT, hosting, security and systems providers | To operate, secure and maintain our systems |
| Regulators, accreditation bodies or professional bodies | Where required or appropriate |
| Other approved processors or service providers | Where IWS introduces approved tools or services from time to time for education, operations, marketing, communication, safeguarding, HR or administration |
Where third-party service providers process personal data for IWS, they must protect the data and use it only as instructed by IWS. IWS may update its list of service providers from time to time. Where a new provider involves significant privacy or safeguarding risk, IWS will assess the risk before use.
IWS may use the following types of platforms and service providers:
IWS will aim to use only approved systems for student, safeguarding and staff data. Staff must not move student or safeguarding information into personal accounts, unapproved apps or informal storage locations.
IWS teaches students internationally and may use service providers located in different countries. This means personal data may be transferred to, stored in or accessed from countries outside the UK and, where relevant, outside the EU/EEA.
Where personal data is transferred internationally, IWS will use appropriate safeguards where required. These may include a UK adequacy regulation where the destination country is recognised as providing adequate protection; the UK International Data Transfer Agreement; the UK Addendum to the EU Standard Contractual Clauses; EU Standard Contractual Clauses where EU/EEA personal data is involved; transfer risk assessments where required; and contractual and technical measures with service providers.
Where IWS works with EU/EEA students, families or staff, IWS will consider whether EU GDPR transfer requirements apply, including where personal data is transferred from the EU/EEA to the UK or to another country. You can contact us using the details in Section 2 if you would like more information about the safeguards that apply to a particular international transfer.
IWS works with students, families and staff in the UK, EU/EEA and other countries. For EU/EEA individuals, IWS will take account of EU GDPR requirements where they apply. This may include clear privacy information; lawful bases for processing; special protection for children's data; appropriate safeguards for international transfers; data subject rights; local age-of-consent rules for online services where relevant; and the right to contact a local data protection authority where applicable.
For individuals outside the UK and EU/EEA, IWS will take account of applicable local privacy requirements where relevant and practical. Because IWS receives admissions and enquiries from many countries, this policy sets out our main global privacy approach rather than listing every country individually. Where there is a conflict between local mandatory privacy laws and this policy, IWS will consider the relevant local legal requirement and take advice where necessary.
We keep personal data only for as long as necessary for the purpose it was collected, including legal, safeguarding, educational, financial, accreditation, HR and complaint-handling purposes.
| Record type | Retention approach |
|---|---|
| Enquiry or prospective family record where no enrolment follows | 24 months from last meaningful contact, unless deletion is requested earlier. |
| Student academic records, reports and transcripts | Retained while enrolled, then until the student's 25th birthday, to support references, academic progression and former-student requests. |
| Safeguarding and child protection records | Kept securely and separately, usually for a longer period, in line with safeguarding requirements, DSL/legal advice and the Data Retention Schedule. |
| Wellbeing and pastoral records | Kept until the student's 25th birthday; records that form part of a safeguarding file are retained as safeguarding records. |
| Lesson recordings | Normally kept for between 3 and 12 months and not retained beyond 12 months, except where needed for safeguarding, complaint, legal or investigation purposes. |
| Financial and invoice records | 6 years for accounting and tax purposes. |
| Recruitment records for unsuccessful applicants | 6 months from the recruitment decision, unless longer retention is justified. |
| Staff employment records | During employment and for 6 years after employment ends. |
| DBS / criminal record check information | Kept only as long as necessary and in line with safer recruitment requirements. |
| Low-level concern records | Retained securely in line with safeguarding, HR and legal requirements. |
| Allegation against staff records | Retained securely in line with safeguarding, HR, regulatory and legal requirements. |
| Website cookies and analytics | As stated in the Cookie Policy. |
When personal data is no longer needed, we will securely delete, anonymise or archive it in accordance with our Data Retention Schedule.
Depending on the circumstances and applicable law, individuals may have the right to:
Requests should be sent to our data protection contact at [email protected]. We may need to verify identity before responding. We will normally respond within one month, unless the law allows more time.
Children have their own data protection rights. Where a child is old enough to understand their rights, they may make a request themselves. A parent or carer may also make a request on behalf of a child, but IWS will consider the child's best interests before sharing information.
In some circumstances, IWS may refuse or limit a request where disclosure would place a child at risk; reveal information about another person unfairly; interfere with a safeguarding investigation; interfere with an allegation or staff conduct process; breach another legal duty; disclose confidential references or legally privileged information; or otherwise be restricted under data protection law.
Where a request involves safeguarding records, low-level concern records, allegation records or child protection information, the DSL and Data Protection Lead should review the request together.
Where IWS relies on consent for a particular activity, consent must be freely given, specific, informed and capable of being withdrawn. Where consent is needed for online services offered directly to children, the age at which a child can consent may differ depending on the country. In the UK, children aged 13 or over can usually consent to information society services themselves, but some EU/EEA countries set the age higher.
Where required, IWS will seek parent or carer consent for younger children or where local law requires it. IWS does not rely on consent for core safeguarding action where another lawful basis applies, such as legal obligation, vital interests or safeguarding/substantial public interest.
IWS does not use solely automated decision-making to make decisions that have a legal or similarly significant effect on students. We may use diagnostic tools, learning analytics, quizzes, platform data, attendance data, gamification or progress reports to support teaching and learning. These tools support staff judgement and do not replace human decision-making.
Where IWS introduces any new tool that significantly affects students, especially children, we will assess the data protection and safeguarding risks before use.
IWS may contact prospective families, parents, carers or adult students about programmes, admissions, open events or school updates where we have a lawful basis to do so. Where consent is required, we will ask for consent. Consent can be withdrawn at any time.
We do not knowingly send direct marketing to children without appropriate safeguards. Marketing tools, advertising pixels, analytics platforms and campaign tools must be confirmed by the Marketing Manager / website agency and described in the Cookie Policy where relevant.
Our website uses cookies and similar technologies. Strictly necessary cookies are used to make the website work. Non-essential cookies, such as analytics, marketing, advertising, embedded media or tracking cookies, are used only where consent is required and has been given. Full details are provided in our separate Cookie Policy.
Our website uses the following types of cookies and similar technologies:
Strictly necessary cookies are always active. All other cookies (analytics, functionality and marketing) are only set with your consent. You can change or withdraw your cookie choices at any time using the "Cookie settings" link in the footer of our website, or by adjusting your browser settings.
IWS uses appropriate technical and organisational measures to protect personal data. These may include access controls and role-based permissions; password protection and secure authentication; use of approved school systems; restricted access to safeguarding records; restricted access to low-level concern and allegation records; staff training on data protection, safeguarding and confidentiality; secure handling of lesson recordings; contractual confidentiality and security obligations for staff and contractors; processor contracts with service providers; procedures for reporting and responding to personal data breaches; and secure deletion, anonymisation or archiving when data is no longer needed.
Staff must follow the Staff Code of Conduct, Acceptable Use Policy and Safeguarding & Child Protection Policy when handling student information.
A personal data breach is a security incident that affects the confidentiality, integrity or availability of personal data. Examples include sending personal data to the wrong person; losing a device containing personal data; unauthorised access to an account; accidental deletion or alteration of records; cyberattack, malware or phishing; inappropriate sharing of student information; unauthorised access to safeguarding records; or storing student or safeguarding information in an unapproved location.
Staff must report any suspected data breach immediately to the Data Protection Lead at [email protected]. Where a safeguarding concern is involved, staff must also report to [email protected].
Where required by law, IWS will report a personal data breach to the ICO or other relevant data protection authority and inform affected individuals.
If someone is unhappy with how IWS has handled personal data, they should contact us first so we can investigate and respond. Complaints should be sent to the Data Protection Lead at [email protected], or by post to Data Protection Lead, IWS Online School, 167–169 Great Portland Street, 5th Floor, London, England, W1W 5PF.
IWS will provide a clear route for making a data protection complaint; acknowledge receipt of the complaint within 30 days; investigate the complaint appropriately; keep the complainant informed where needed; respond without undue delay; explain the outcome; and explain any further steps available where the complainant remains unhappy.
If the complaint involves safeguarding information, the DSL and Data Protection Lead will work together to ensure the response protects the child's welfare. Individuals also have the right to complain to the UK Information Commissioner's Office or another relevant data protection authority.
In the UK, individuals can complain to the Information Commissioner's Office.
Individuals in the EU/EEA or other countries may also have the right to contact their local data protection authority where applicable. We encourage individuals to contact IWS first so we can try to resolve the issue.
We review this policy at least annually. We may update it sooner if the law changes; ICO or data protection authority guidance changes; IWS changes its systems, platforms or processors; IWS introduces new learning tools, AI tools or marketing tools; there is a safeguarding, data protection or security incident; or our services, countries of operation or partner arrangements change.
The current version and effective date are shown at the top of this policy. Material changes will be communicated to families and staff through appropriate IWS channels.
For privacy questions, data rights requests or data protection complaints, contact IWS Online School at 167–169 Great Portland Street, 5th Floor, London, England, W1W 5PF, by email at [email protected], or by phone on +44 7440 423094.
For safeguarding concerns, contact the Designated Safeguarding Lead, Michelle Van Roon, at [email protected]. If a child is in immediate danger, contact emergency services in the child's location first.

A Cambridge-accredited British online school, delivering live, expert-taught education to students aged 7–19 worldwide.
A warm, close-knit school community where every child is known by name and supported to thrive.




Qualified, experienced educators who teach live, follow progress closely, and genuinely invest in every student.




Executive Headteacher

Head of Community

Head Deputy