The Learning LabThe Learning LabProvision HubSign in

Data Processing Statement

The Learning Lab — SEND / AP / wellbeing provision. Last reviewed: 2026.

Controller and processors

The Learning Lab is the controller for the personal data it holds about children, families, and partner schools. Where we deliver provision commissioned by a school or local authority, that body may be a joint controller for the parts of the record they rely on for their statutory duties.

Categories of data subjects

  • Children and young people receiving provision.
  • Parents, carers, and emergency contacts.
  • School staff, SENDCos, local authority officers.
  • Our own staff and tutors.

Categories of data

  • Identification and contact details.
  • Educational records (EHCP, school history, SEND assessments).
  • Special-category data under Article 9: health, medical, safeguarding, behavioural.
  • Operational records: sessions, attendance, notes, communications, documents, consents.

Purposes

  • Delivering and recording SEND, AP and wellbeing provision.
  • Safeguarding and meeting Keeping Children Safe in Education duties.
  • Reporting progress to commissioning schools and local authorities.
  • Operational administration, billing, and audit.

Security measures

  • Role-based access: admin, DSL, tutor, parent, and school each see only what they need.
  • Row-level security at the database layer.
  • Encryption in transit and at rest.
  • Private document storage with signed, short-lived access links.
  • Audit logging of sensitive reads, edits, exports and downloads.
  • Idle session timeout and password breach checks on sign-in.

International transfers

Data is processed on infrastructure within the UK / EEA where available. Where a sub-processor processes data outside the UK, we rely on the UK International Data Transfer Agreement or adequacy regulations.

Sub-processors

We use a managed cloud platform for hosting, database, authentication and storage. A current list of sub-processors is available on request.