Learning Portal
Privacy & Cookie Notice
This notice explains how Morden Primary School collects, uses and protects personal information within the Learning Portal, and how we use cookies. It applies to pupils, parents and carers, and staff who use the portal.
The Learning Portal is a school-operated platform used by pupils and staff to access learning links, rewards, awards, team points, writing assessments, club registers, support tickets, pupil credentials, profile features and related school services.
Last updated: June 2026
Who Is Responsible for Your Information
Morden Primary School is the data controller for personal information processed through the Learning Portal. This means the school decides how and why personal information is used.
The school is registered with the Information Commissioner's Office (ICO). For data protection queries, please contact the school's Data Protection Officer:
DPO: SchoolPro DPO
Email: [email protected]
What Information We Collect
Depending on how the Learning Portal is used, we may collect and process the following categories of personal information:
- Names (legal first name, last name and preferred name), usernames and school email addresses.
- Year group, tutor group, class information, sex or gender where this is supplied by the MIS.
- Ethnicity description and pupil premium indicators imported from the MIS, including deprivation pupil premium, looked-after premium and early years pupil premium.
- Team or house membership.
- Profile photographs, uploaded by staff or imported from the school's management information system (MIS).
- Profile customisation choices such as background themes and colours.
- Awards, trophies, points and achievement records.
- Club membership, club attendance registers, payment/register imports and archived club summary records.
- Support tickets, ticket messages and uploaded attachments for site or IT support.
- Pupil learning credentials uploaded by authorised administrators and viewed by authorised staff.
- Learning links accessed and curriculum target records.
- Writing samples uploaded by staff for AI-assisted assessment.
- AI assessment results, scores and feedback generated from writing samples.
- Date of birth, used for pupil records.
- Login history, account security information and audit records.
- IP address and browser information collected automatically as part of session management.
Some information is imported from Bromcom, the school's management information system. Other information is entered by authorised school staff or selected by pupils within the portal. Sensitive MIS data such as ethnicity, pupil premium indicators and sex or gender is encrypted in the portal database.
Why We Use This Information and Our Legal Basis
Under UK data protection law (UK GDPR), we must have a lawful basis for processing personal information. The table below explains why we use each category of information and the legal basis we rely on.
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing secure access to the portal; managing user accounts and authentication | Public task (Article 6(1)(e)) — supporting the school's educational function |
| Supporting teaching and learning; providing age-appropriate learning links and curriculum records | Public task (Article 6(1)(e)) |
| AI-assisted analysis of pupil writing samples against curriculum targets | Public task (Article 6(1)(e)) — supporting assessment and teaching |
| Managing rewards, awards, team points and achievements | Legitimate interests (Article 6(1)(f)) — supporting pupil engagement and school life |
| Profile customisation features chosen by pupils | Legitimate interests (Article 6(1)(f)) |
| Maintaining audit logs, account security and protecting against unauthorised access | Legal obligation (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)) |
| Importing data from Bromcom MIS to keep records accurate and up to date | Public task (Article 6(1)(e)) |
| Monitoring access to clubs and wider opportunities by group, including sex or gender, pupil premium and ethnicity | Public task (Article 6(1)(e)); for special category ethnicity data, substantial public interest (Article 9(2)(g)) with appropriate safeguards |
| Managing support tickets, attachments, room and equipment bookings, clubs and registers | Public task (Article 6(1)(e)) and legitimate interests (Article 6(1)(f)) |
| Allowing authorised staff to view and print pupil learning credentials where needed for classroom access | Public task (Article 6(1)(e)) and legitimate interests (Article 6(1)(f)) |
AI-Assisted Writing Assessment
The Learning Portal includes a writing assessment feature. Authorised staff may upload pupil writing samples, such as documents or images, for analysis against curriculum targets. These files are processed using artificial intelligence (AI) services to generate assessment scores, feedback and evidence summaries.
The AI services used are:
- Anthropic (Claude) — an AI provider based in the United States.
- OpenAI (GPT) — an AI provider based in the United States.
When a writing sample is processed, the file content and relevant assessment context, such as year group, term and curriculum targets, is transmitted to one or both of these providers. The school minimises the personal data included in AI requests and does not intentionally include direct identifiers such as pupil names, but writing content may still contain personal data.
Both Anthropic and OpenAI act as data processors on behalf of the school. The school has entered into data processing agreements with each provider. Where personal data is transferred outside the UK, this is subject to appropriate safeguards under UK data protection law, including Standard Contractual Clauses and the UK International Data Transfer Addendum (IDTA) where applicable.
AI-generated results are reviewed by school staff. Automated decisions that have significant legal or similarly significant effects are not made about pupils solely on the basis of AI outputs.
These providers may use approved subprocessors to support their services.
Who We Share Information With
The school does not sell personal information. We may share personal information with the following parties, where necessary:
- Bromcom — the school's MIS provider, from which pupil and staff data is imported into the portal.
- Anthropic — for AI processing of writing samples.
- OpenAI — for AI processing of writing samples.
- Hosting and infrastructure providers — the portal is hosted on UK-based servers; providers may have limited access to support security and operation of the service.
- Authorised school staff — access is limited to what is needed for a staff member's role.
- Any other party — where we are required to do so by law or a court order.
All third parties who process personal information on our behalf are subject to contractual obligations to protect that information in line with UK data protection law.
International Transfers of Personal Data
When writing samples are sent to Anthropic or OpenAI for AI processing, personal data is transferred to the United States. These transfers are protected using appropriate safeguards such as Standard Contractual Clauses and the UK International Data Transfer Addendum (IDTA), as provided by each supplier's data processing agreement.
All other personal data processed by the Learning Portal is stored and processed on UK-based servers.
Who Can See Information
Access to personal information within the portal is controlled by user accounts, roles and permissions. Pupils can see their own portal information. Staff with appropriate access may see the pupil information needed to manage learning links, awards, points, profiles, curriculum records and writing assessments. Stricter access controls apply to administrative and management functions. Office staff and administrators can manage club setup and imports; staff may view and print club registers. Sensitive analysis data is used in aggregate reporting to help the school understand access to opportunities.
Cookies We Use
The Learning Portal uses cookies that are strictly necessary for the site to work securely. These cookies are used for login session management, form security and the optional remember-me function.
| Cookie | Purpose | Type | Expires |
|---|---|---|---|
| learning-portal-session | Keeps a user signed in during their visit and stores encrypted session information. | Strictly necessary | Normally when the browser is closed, or after the configured session lifetime |
| XSRF-TOKEN | Protects forms and requests from cross-site request forgery attacks. | Strictly necessary | Normally when the browser is closed, or after the configured session lifetime |
| remember_web_[token] | Only set if a user selects "Remember me" when signing in. Allows the user to remain signed in across browser sessions. | Functional / optional | Up to 5 years, or until signed out |
Strictly necessary cookies do not require consent under UK law because they are essential to the operation of the site. The optional remember-me cookie is only set when a user actively chooses that option.
The Learning Portal does not currently use advertising, marketing or analytics cookies. If this changes in future, this notice will be updated and, where required by law, consent will be sought before any such cookies are set.
Keeping Information Safe
The school uses technical and organisational measures to protect personal information in the Learning Portal. These include encrypted connections (HTTPS), encrypted session data, encryption for sensitive pupil data and credentials, private file storage for attachments, access controls by role and permission, two-factor authentication options for staff, login throttling and audit logging of account activity.
Users should keep their passwords private, use a strong and unique password, and report any concerns or suspected security issues to the school immediately.
How Long We Keep Information
We keep personal information for as long as it is needed for the purpose for which it was collected, and in line with the school's data retention policy and any legal requirements. The portal has an automated retention command scheduled to run daily. Administrators can preview cleanup using a dry run before applying policy changes.
| Data | Current retention |
|---|---|
| Pupil and staff account data, profile photos, MIS photo references, pupil credentials, pupil sensitive data and pupil writing files | Kept while the person remains active in Bromcom, then purged or anonymised after a 14 day grace period once no longer imported. |
| Writing assessment results and history | Kept while the pupil is active at the school. New uploads are limited to the current academic year. |
| Closed support tickets and ticket attachments | Deleted after 24 months, unless retained longer for an investigation, legal requirement or security incident. |
| Detailed club registers | Deleted after 12 months. A summary archive is kept with the club name, number of attendees and price charged. |
| Audit logs | Deleted after 12 months, unless needed for an ongoing investigation, legal requirement or security incident. |
| Retention and deletion evidence logs | Kept as non-identifying compliance records showing that retention rules were applied. These records use internal IDs, reference hashes, deletion reasons and category counts, not names or uploaded content. |
| Old sessions and failed jobs | Old session rows are deleted after 7 days. Failed jobs are deleted after 90 days. |
When retention periods are reached, information is securely deleted or anonymised. The school reviews its retention periods in line with the IRMS Records Management Toolkit for Schools and its own data protection policy.
Your Rights
Under UK data protection law, individuals have the following rights, although some rights apply only in certain circumstances:
- Right of access — you can ask for a copy of the personal information held about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete information.
- Right to erasure — you can ask us to delete personal information in certain circumstances.
- Right to restriction — you can ask us to limit how we use your information in certain circumstances.
- Right to object — you can object to processing based on legitimate interests or for direct marketing.
- Right to data portability — in certain circumstances, you can ask for your information in a machine-readable format.
- Rights related to automated decision-making — you have the right not to be subject to solely automated decisions that have a significant effect on you.
Requests should be made through the school's normal data protection contact process. We will respond within one month. There is no charge for most requests.
Right to complain
If you are not satisfied with how we handle your information, you have the right to complain to the Information Commissioner's Office (ICO):
ico.org.uk · Helpline: 0303 123 1113
Children's Privacy
This portal is designed for use by school-age children and staff in a controlled school environment. Pupil accounts are created and managed by the school. Pupils do not register themselves, and the portal does not allow children to share personal information publicly or with other users beyond what is necessary for school activities.
Parents and carers may exercise data protection rights on behalf of their child. Please contact the school office to do so.
Further Information
You can read the data processing agreements for the AI providers used by this portal:
- Anthropic — Data Processing Addendum
- OpenAI — Data Processing Addendum
Contact
For questions about this notice or how personal information is used in the Learning Portal, please contact:
School office: Morden Primary School
Data Protection Officer: SchoolPro DPO
Email: [email protected]