The safety of your personal information is something that we take very seriously and we are committed to protecting and respecting your privacy.

You may have heard of the General Data Protection Regulation (or GDPR); if you haven’t, it is legislation regarding how personal data can be stored and used and was effective from 25th May 2018. This updated Privacy Policy has been written in accordance with GDPR.

This Privacy Policy explains how we use, process and protect your personal information for the purposes of providing educational consultancy, tailored tuition and mentoring. We also organise events and publicise these via our mailing list.

Please read the following carefully to understand our views and practices regarding your personal information and how we will treat it.

If you have any questions about what we have set out below then please contact us.

How do we collect personal information?

Personal information is anything that can identify you, for example your name, address, personal details in an email to us, or email address for a newsletter subscriber. We collect information about you if you have:

  • Contacted us to discuss how we might offer support
  • Instructed us as a client
  • Applied to us for a role as a Tutor or Employee
  • Attended an event
  • Signed up to our newsletter
  • Accessed our website
  • Worked with us as a partner

Contacted us

When you contact us to discuss how we might support your child then we will work through a detailed assessment of your child’s needs and design a plan of support. This will include some sensitive information, for example any particular health needs, or personal matters that might be relevant to educational development. We keep all of this information securely on our purpose-built database, and share it internally and with our expert tutors so that your child can receive the support to achieve their educational goals.

The legal basis for us to process your information is our legitimate interests in offering support to clients.

Instructed us as a client

If you become a client then you will sign a contract which sets out our relationship, and each of our rights and responsibilities. We will gather financial data from you as required to receive fee payment, and as required by UK law.

The legal basis for us to process this information is the performance of a contract, and compliance with legal obligations.

Applied for a role as Tutor or Employee

When you apply for a role you will fill in a standard form which sets out your contact details, some personal information about your career and / or education history, and your information in support of your application. This will include a statement about any criminal convictions or cautions you may have. We process your information to carry out a recruitment / placement exercise.

Once working with us you will continue to share information with us, and we will record information about you, including relevant health information (e.g. if you take sick leave, maternity leave, disclose a disability), financial information (salary / pension / NI contributions etc) and information you might share in supervision. We will process this information to manage and support you in your work, and to comply with employment and other legal requirements and any contractual relationships we have in place (for example with external educators).

The legal bases for us to process your information are the performance of a contract (of employment or consultancy), compliance with legal obligations (financial regulations, employment law) and our legitimate interests in supporting and managing staff and consultants.

Attended an event

You may have registered to attend with us via email, or directly onto an Eventbrite page. We will process your information in order to provide the event, and follow up with you for feedback on the event and to inform you of future similar events in which you are interested (you can opt out of this information at any time).

The legal basis for us to process your personal data is our legitimate interests in delivering events, recording who has attended, and provide follow up information.

Signed up to our newsletter

When you subscribe to newsletters or emails from us, we require:

  • your name
  • your email address

We will collect this information as part of your subscription to our mailing lists.

A subscription to our mailing lists means that you will automatically receive email updates about our activities. We will not email you unnecessarily or for a purpose that you have not agreed to.

Our legal basis for processing your information is consent, therefore you will only receive emails and other information that you have consented to receive. We make sure that our consent process is double-opt in, which means that your consent is validated before we send any communications to you.

You may withdraw your consent at any time by using the ‘unsubscribe’ link on any of our newsletters.

If you unsubscribe from our emails or withdraw your consent for us to use your personal information in this way, we will retain your information within our systems to prevent emails from being sent to you by us. We will keep this information only for as long as we require it for these purposes.

We use external platforms to manage our email marketing and communications. The platform we use is MailChimp.

Our emails may, from time to time, contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Accessed our website

Whilst using our website we collect anonymous information about your browsing session to help us improve our website.

We use a tool called Google Analytics to collect this data. All of the data is stored securely on Google’s servers. In order to track your browsing across sessions, Google analytics will place a ‘cookie’ on your machine (a small text file that websites use to track and remember information across several browsing sessions). You can tell your web browser not to accept cookies if you don’t your data to be collected in this way (refer to your web browser’s help file for more information).

For further details on Google Analytics, and the Google Analytics privacy policy, please visit the Google Analytics website.


We work with schools, colleges and universities to develop links to support our students. We also facilitate student work experience placements with businesses and organisations. We gather contact information from individuals within these establishments.

The basis on which we process this information is our legitimate interests in building relationships with schools and other educational establishments to support students in their educational goals, and our interests in building a network of partner organisations to provide work placements to our students.

How do we share your information?

We believe that to trust another person with private and personal information is a significant matter. When you give us information in confidence, we will only use it for the purpose you share it, and will only share it with other people in the specific situations described below.


You may ask us to share your information, for example if you ask us to make contact with a partner organisation on your behalf.

Safeguarding concern

We have a safeguarding policy in place which deals with how we respond to disclosures of abuse or neglect from children or young people. We have a legal duty to report safeguarding concerns, although we would ask for consent from the parent (in the case of a child) or individual (if a young person) first, and only share information without consent if we feel under a duty to share it because of the risk, or exceptionally if there is no time to get consent, or if we are legally prevented from speaking to the parent / individual concerned.

Required by law

HMRC, regulators and other authorities may require reporting of processing activities in certain circumstances, and HMRC may audit our financial books and records.

If we receive information about a terrorist threat then we are legally required to report this to police.

If a local authority is acting under its safeguarding powers then it can legally require us to share information.

If there is a court order requiring us to produce documents then we must comply.

Data processors

Professional advisors may have access to Bruton Lloyd data in the course of performing their duties (these may include lawyers, auditors, insurers, bankers, accountants, HR and IT support).

Where we do share data in this way, we have contracts in place which protect the security of your personal data and ensure that your data is only processed for specific purposes and in accordance with our instructions.

How do we look after your information?

Bruton Lloyd has taken suitable measures to safeguard and secure data collected. These are compliant with the General Data Protection Regulation (GDPR).

In the unlikely event that your personal information is compromised, you will be informed as required in the GDPR.

How long do we keep your information?

We will only keep personal data for as long as necessary to fulfil the purpose for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. In deciding how long to keep data, we consider:

  1. The amount, nature, and sensitivity of the personal data
  2. The potential risk of harm from unauthorised use or disclosure of personal data
  3. The reason why we are processing the personal data and whether it is possible to achieve those ends through other means
  4. The applicable legal requirements
Description of data Period to keep
Information about clients, and prospective clients Six years from the date we last had contact with you
Unsuccessful job applicants Six months from the date of the recruitment decision
Information about staff, including tutors who work with us Six years from the date you finish working with Bruton Lloyd
Personal information within the finance records, for example invoices, or if a bank transfer discloses the name of the transferor Six years from the end of the financial year to which the record relates
Name and contact details for partner agencies Six years after last contact
Name and email address for mailing list subscribers For as long as consent is in force. Subscribes may opt-out at any time, at which point their details are deleted

Your rights

Under certain circumstances, you have rights under data protection laws. These include the right to:

  1. Request access to your personal data
  2. Request correction of your personal data
  3. Request erasure of your personal data
  4. Object to processing of your personal data
  5. Request restriction of processing of your personal data
  6. Request transfer of your personal data (where it has been processed using automated means, which does not apply to us)
  7. Withdraw consent for processing

These rights are set out fully here. You always have the right to complain to the Information Commissioners Office (here).

If you would like to see what information we hold about you, or exercise any of these rights, just contact us.

Where in the world does your information go?

Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to personal data, so European law has forbidden transfers of personal data outside of the EEA unless the transfer meets certain criteria.

We makes use of some third party service providers based in the United States so that processing of your personal data will involve a transfer of data outside the EEA. In order to protect you, such transfers only take place with providers who have signed up to the EU –US Privacy Shield: These are:

  • Google (provides Google Analytics on our website) certificate here
  • Mailchimp (newsletter / campaigns service) certificate here

There is information about the Shield here.

Bruton Lloyd operates in countries outside the EU, including the US and Russia. The GDPR does not apply to non-EU residents, but we process all client data in the same way, save that data for overseas clients will of course be transferred outside the EU in the process of our communication.

In the course of supporting students to make university applications outside the EU we may need to transmit personal data to organisations based outside the EU. We will do this as required for the performance of our contract with you, and on the basis that you understand that non-EU countries have different standards of protection for personal data, and you are content to assume the associated risk.

How to contact us

Bruton Lloyd LLP

43 Berkeley Square

Mayfair, London


Telephone: +44 207 493 5875

This policy was drafted on 7th June 2018 and approved by the members of Bruton Lloyd LLP on 11th of June 2018.