This policy (Version 6 revised March 2024) is for schools in the UK and EU only but will be followed for overseas organisations as well.

Little Wandle Letters and Sounds Revised is the copyright of Wandle Learning Trust (multi-academy trust).  Wandle Learning Trust takes the security of the data we hold very seriously.  


1.1 The School is the Customer and Little Wandle Letters and Sounds is the Contractor. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing of the Customer’s data that the Contractor is authorised to do is listed within this policy. 

1.2 The Contractor shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation.

1.3 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement:

(a) process that Personal Data only in accordance with this policy, unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law;

(b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the:

  • nature of the data to be protected;

  • harm that might result from a Data Loss Event;

  • state of technological development; and

  • cost of implementing any measures;

(c) ensure that :

(i) the Contractor Personnel do not process Personal Data except in accordance with this Agreement:
(ii) it takes all reasonable steps to ensure the reliability and integrity of any

Contractors’ personnel who have access to the Personal Data and ensure that they:

  • are aware of and comply with the Contractor’s duties under this clause;

    are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor;

  • are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and

  • have undergone adequate training in the use, care, protection and handling of Personal Data; and

  • at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data.

1.4 Subject to clause 1.6, the Contractor shall notify the Customer immediately if it:

(a) receives a Data Subject Access Request (or purported Data Subject Access Request);

(b) receives a request to rectify, block or erase any Personal Data;

(c) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation;

(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement;

(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or

(f) becomes aware of a Data Loss Event.

1.5 The Contractor’s obligation to notify under clause 1.4 shall include the provision of further information to the Customer in phases, as details become available.

1.6 Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing:

(a) the Customer with full details and copies of the complaint, communication or request;

(b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;

(c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject;

(d) assistance as requested by the Customer following any Data Loss Event;

(e) assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner’s Office.

1.7 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause unless:

(a) the Customer determines that the processing is not occasional;

(b) the Customer determines the processing includes special categories of data as referred to in schedule 1 of DPA 2018 and

(c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.

1.8 The Contractor shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor.

1.9 The Contractor shall designate a data protection officer (see point 6).

1.10 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must:

(a) notify the Customer in writing of the intended Sub-processor and processing;

(b) enter into a written agreement with the Sub-processor which give effect to the terms set out in this policy such that they apply to the Sub-processor; and

(c) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require.

1.10 The Contractor shall remain fully liable for all acts or omissions of any Sub-processor.

1.11. The Contractor shall comply with any further written instructions with respect to processing by the Customer


2.1 The following personal data will be securely stored: –

  • The unique pupil numbers (UPNs) and name of the children, as well as any additional pupil characteristic data that the school decides to share through manual data entry or automated transfer through the school’s MIS
  • Little Wandle Letters and Sounds assessment data

  • Name and contact details of anyone registering for further information

  • Your interactions with our website and the contents within it while you are logged in

2.2 Why we use this data

  • To keep you informed about children in your school or trust’s progress, to help you identify gaps and plan appropriate interventions.

  • To check how your children are doing and work out whether they need any help

  • To track how well the school is performing

  • To offer technical support

  • To keep your children safe

  • To carry out research

  • To comply with the law regarding data sharing

  • To keep you informed about Little Wandle Letters and Sounds

  • To continually improve our content by tracking how and when you use the resources that are available

2.3 We only collect and use the pupil’s personal data as permitted by law.  We will be using the data to

  • Perform an official task in the public interest

  • Where necessary for the performance of a contract

  • Consent when signing up for marketing

2.4 Duration of the processing.  This will be from the commencement of the agreement to its termination.

2.5 The Contractor will abide by the data security and procedural data protection standards imposed by the agreement.

2.6 All data will be held within the EU.  The exception is HubSpot who will be moving their data to the EU during 2023.

2.7 Where a Customer is based outside the UK, by accepting the Terms and Conditions they have agreed to ensure that all necessary appropriate consents and notices are in place to enable lawful transfer and processing of the Personal Data to the Contractor and/or lawful collection of the Personal Data by the Contractor on behalf of their school.  Where personal data originates outside the UK, then all local laws at the point of origin will apply to the Customer as the Controller, whereas the Contractor, as the Processor will abide by UK laws.

2.8 We keep personal information about pupils while you are signed up to Little Wandle Letters and Sounds Revised.  Unless you have already requested that we remove your data, we will securely delete all sensitive and personally identifiable children’s data from the System two years after the end of the licence period.  This period is set so that you are able to return to using the system within two years and still have access to the data for your children


3.1 The data gathered about students via the Little Wandle Letter and Sounds Revised website will be shared with Mime Consulting Ltd (“Mime”), but remains the responsibility of Wandle Learning Trust, who make sure that Mime ensure:-

(a) employees with access to sensitive data are DBS checked,

(b) access to sensitive information is protected by username and password.  All user passwords are encrypted and,

(c) adherence to an information security policy (available on request) which all Mime employees and subcontractors sign.

(d) Data is only used for the purposes specifically agreed with you and never for marketing purposes

(e) Our data is only retained for as long as is required for us to provide services to you, or where we are required to by law

3.2 Mime is registered with the Information Commissioners Office (reference Z1059351)


Little Wandle Letters and Sounds uses third parties, whose own privacy statements can be found on their websites: –

  • WooCommerce/Wordpress

  • Communitas

  • Hubspot

  • Sendinblue

  • G Suite

Under data protection law, individuals have certain rights regarding how their personal data is used and kept safe, including the right to:

  • Object to the use of personal data if it would cause, or is causing, damage or distress

  • Prevent it being used to send direct marketing

  • Object to decisions being taken by automated means (by a computer or machine, rather than by a person)

  • Have inaccurate personal data corrected, In certain circumstances, deleted or destroyed, or restrict processing

  • Claim compensation for damages caused by a breach of the data protection regulations

To exercise any of these rights, please contact our data protection officer.


If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance by contacting the Data Protection Officer, Satswana Ltd, either via email ([email protected]) or phone (01252 516898).  Alternatively, you can contact the Information Commissioner’s Office at


We take any complaints about our collection and use of personal information very seriously.  If you have any questions, concerns or would like more information about anything mentioned in this privacy policy, our Data Protection Officers’ details are above.