The published policy. Versioned, dated, owned by the Designated Safeguarding Lead, reviewed annually before the start of each academic year, and on every material change to KCSIE.
TutorStudio is an information society service likely to be accessed by children. We process the personal data of minors aged 5–17 and adults in support of one-to-one and small-group tutoring engagements. This policy sets out how we discharge our duty of care toward the children using the platform, the adults working with them, and the schools and agencies commissioning that work.
We treat Keeping Children Safe in Education (KCSIE) 2025 as a statutory floor, not a ceiling. Working Together to Safeguard Children (2023), the Children Acts 1989 and 2004, the Online Safety Act 2023 and Ofcom Illegal Harms Codes (March 2025), the ICO Age Appropriate Design Code, UK GDPR and the Data Protection Act 2018, and the Casey Audit (2024) are the governing instruments cited in this document.
Where this policy and a statutory instrument disagree, the statute governs. Where this policy and a contractual instrument disagree, the policy governs. Deviations from this policy are deliberate, documented and defensible.
We use the KCSIE 2025 definitions of safeguarding, child, child protection, designated safeguarding lead, low-level concern, allegation against staff, and contextual safeguarding. We use the Working Together 2023 definitions of a child in need, a child in need of protection, and significant harm.
A safeguarding-relevant action is any platform action that records, escalates, restricts, releases, or otherwise handles a concern about the welfare of a child, an allegation against an adult working with children, or a disclosure of harm.
Every concern resolves through a four-tier DSL pathway. Tier 1 is the TutorStudio Safeguarding Team — 24/7 coverage with a documented out-of-hours redirect to Childline, Samaritans and 999. Tier 2 is the agency DSL where the engagement is agency-affiliated. Tier 3 is the school DSL where the engagement is school-commissioned, operated on a joint-DSL pattern. Tier 4 is the statutory agencies — LADO, the local authority, the police, and NHS routes — engaged on KCSIE Part 4 and Working Together 2023 thresholds.
First-triage SLAs: five minutes for a general concern at Tier 1, one minute for a crisis case at Tier 1, fifteen minutes for an agency DSL during working hours, twenty-four hours for a school DSL with four-hour acknowledgement during institutional hours. Statutory windows govern Tier 4.
Where the routing engine resolves no DSL at the expected tier, the case escalates upward to Tier 1 within the standard SLA, the missing configuration emits an alert, and the institutional surface displays an off-state. Silent absorption of a missing-DSL case is impossible by design.
Concerns reach the platform through five routes: a tutor flagging a disclosure or low-level pattern; a student using the in-product reach-out affordance; a parent on the parent dashboard; an agency operator on the operator surface; and the public via the /safeguarding/report-concern form. AI classifiers raise concerns alongside the human raisers; classifier outputs are advisory and are resolved by a DSL, never auto-actioned.
The 5 R's framework — Recognise, Respond, Report, Record, Refer — scaffolds the moment of disclosure. The in-product panel renders the calm-clinical opening, the non-leading prompts drawn from NSPCC disclosure-response guidance, the one-click route into the Tier 1 queue, the structured concern row with the disclosure fragment pre-populated for tutor review, and the verbatim age-appropriate signposting.
Where a child is at acute risk — self-harm language detected in a session, suicide ideation surfaced in a message, panic attack visible on camera, active harm disclosed mid-flow — the crisis pipeline activates within one minute of confirmation. The crisis-resource panel renders verbatim helplines and emergency routes. The DSL is paged within five minutes. The tutor in session receives an in-app prompt to remain present. The case opens for at least fourteen days with review checkpoints.
The student's outbound is never silenced by the classifier. A child reaching out is heard regardless of moderation state.
Recording is per-session opt-in, never a default setting. Consent is age-tiered: parent consent for under-13, student consent with parent-aware presence for 13–15, student consent at 16+ under the maturing-minor doctrine, self-consent for adults. Recordings are accessible to the tutor, the student, the age-gated parent, and the DSL with documented reason; service-role bypass is forbidden.
Session start confirms the expected student is present. Telemetry signals — unexpected voice detection, prolonged camera-off, sudden additional adult presence — surface to the tutor with calm contextual prompts and route to the DSL pathway as a contextual signal. Chaperone rules are encoded by age band and are configurable per agency or school contract; deviations carry an audit-trailed rationale.
In-person sessions log venue, chaperone status, start and end check-in. Lone-worker mode sends absence alerts to the tutor's designated contact, the agency, and the TutorStudio Safeguarding Team where check-out is missed within the expected window.
Allegations against a tutor, an agency DSL, or a TutorStudio staff member route through a confidential channel. The channel does not surface in the named person's operational view; it is restricted to the LADO-coordination role and the named investigators; it never operates on a service-role bypass. The channel writes to a tamper-evident audit log.
The LADO referral pipeline gathers the structured information — actor, action, target, dates, evidence references, audit trail extract — into a referral pack and pre-populates the LADO-format response. The suspension-or-not decision is presented against KCSIE Part 4 thresholds; the disposition is recorded with named approvers under a two-admin gate.
Fair-process protection for the accused is structural: the writer of any disposition does not also review it. The S-27 weaponisation counter-balance runs on the same substrate to surface custody-dispute context, repeated tutor-targeting from one source, or unfounded serial complaints for ethics-committee review.
Every tutor passes the vetting gate — Enhanced DBS with barred-list check, qualifications, references, identity verification, sanctions screening — before a first booking. The gate is enforced at the database layer: the booking-eligibility predicate references the tutor's vetting status, and service-role bypass is forbidden.
DBS is re-checked annually as the floor, on the Update Service where the tutor opts in for continuous reverification. Qualifications and references are re-verified on contract renewal. Sanctions screening re-runs nightly. A lapsed DBS auto-pauses the tutor at the booking layer.
Every tutor completes KCSIE Part 1 training at onboarding and annually thereafter. Specialist training — KCSIE Part 2, LADO familiarity, allegation management, online-safety, contextual safeguarding, child criminal exploitation — is required for agency DSLs. Lapsed currency blocks new bookings under the same predicate.
Safeguarding records are retained for a minimum of seven years per the statutory floor; low-level concerns are retained per the KCSIE-aligned schedule. Deletion before the floor requires DPO sign-off recorded against the record. DPA 2018 Schedule 8 is the lawful-basis anchor for processing without consent where necessary for safeguarding.
Records of any unsuccessful tutor application, allegation, or low-level concern about an applicant are retained per safer recruitment guidance, separately from the operational platform, and accessible only to the safeguarding lane.
Every enforcement decision — suspension, account closure, restriction of feature, mandatory escalation — carries an appeals route. The submitter, the parent where relevant, and the DSL all see the same audit trail. Appeals are reviewed by a different person from the original decision-maker.
An aggregate report — number of safeguarding incidents per quarter, classification breakdown, trends, effectiveness of technical controls, near-misses — is produced quarterly and reviewed with an external advisor. The report does not name individual children or individual tutors.
The full incident-response runbook is held internally and is invoked on every report received through any channel. Severity classification (S0 imminent risk through S3 data-only) drives the response timeline. The first sixty minutes are scaffolded by the runbook: triage, evidence preservation, DSL notification, account locks where appropriate, opening of an incident record.
Where personal data of a child has been exposed, the UK GDPR Article 33 clock starts at the moment of awareness; notification to the ICO follows the seventy-two-hour rule where the threshold of risk to rights and freedoms is met. For minors the threshold is treated as low.
This policy sits alongside the AADC posture statement, the security posture, the sub-processor register, the cookie and consent notice, the acceptable-use policy, the tutor code of conduct, and the safer-recruitment policy. Each is published on the trust centre and reviewed against this policy on the same cadence.
If you have a concern about a child, reach the Designated Safeguarding Lead or use the reporting form. If you are looking for procurement evidence — DBS posture, sub-processors, AADC posture — the trust page collects it in one place.