Data policy

This data policy statement is issued by LearningBook Ltd, the Data Processor, registration number ZA052105 who are bound by the terms and conditions stated in the Data Protection Act 1998.


LearningBook is the collective term used to describe the hardware and software that allows the school or nursery to capture an observation and track the progress of each individual child through the EYFS curriculum. The observation data is used in reports which detail the progress of the child against early learning goals. The same data is also used in an electronic learning journey book that can be accessed by the child’s parent or carer through a web browser.

What data is stored?

We store the following details for each child:

  •   Surname
  •   Forename
  •   Date of birth
  •   Key Person
  •   Room Name
  •   Date of Entry

Categorisation :

  • • PP (Eligibility for Pupil Premium);
  • • EAL (English as an Additional Language);
  • • SEND (Special Educational Needs and Disability);
  • • EB (Emotional Behaviour)
  • • SLT (Speech & Language Therapy)
  • • Birth Term (Autumn, Spring, Summer)
  • • CFC (Cared for Child)
  • • GT (Gifted and Talented)
  • • Funded (Nursery funded child)

For Parents / Carers:

  •   Forename
  •   Surname
  •   Parental Responsibility
  •   Username & Password

For School or Nursery:

  •   Name
  •   Code
  •   Room Names
  •   Administration Username and Password

For Staff:

  •   Forename
  •   Surname
  •   Room Names

For Observations:

  •   Date and time and Staff name
  •   Media (Photo, Audio, Video, Text)
  •   EYFS CEL or Aspect and Area Statement Links
  •   For media gallery:
  •   Media image

Security principles

Security of data is of upmost importance to us. The system and business have been designed with the following fundamental security principles at front of mind:

  • to safeguard and protect client information within its custody, ensuring the preservation of the confidentiality, integrity and availability of the data;
  • to establish safeguards to protect information resources from theft, abuse, misuse or any form of damage;
  • to establish responsibility and accountability for Information Security;
  • to encourage the LearningBook’s staff to maintain an appropriate level of awareness, knowledge and skill to allow them to minimise the occurrence and severity of security incidents;
  • to ensure that LearningBook is able to continue its commercial activities in the event of significant Information Security incidents;
  • to ensure regulatory and legislative requirements are met.

Who controls the data?

Initially we enter the school or nursery name, code and room names as part of the set-up process and nothing else. The rest of the data is entered and manipulated (add, delete or modify) entirely under the control of the school or nursery (in this reference formally known as the Data Controller). We may aid the school or nursery in entering the initial data (for example an import from SIMs or other data source) upon their request.The data or part thereof is never released without the express and written permission of the data controller namely the head teacher or nursery manager.We do not delete any data without express permission from the school or nursery and only when the child has left the school or transfers to another school and their learning journey record has been either printed or exported.


Data is backed up daily and stored off-site (away from the original source) in a secure document vault manned 24/7 by security guards. This helps to guarantee that in any event, data is never completely lost and can be recovered up to a worst case scenario point in time of 24 hours, our Recovery Point Objective.


Data is stored in two stages. When an observation is initially taken it is stored in an encrypted format on the tablet. Once transferred, it is stored securely on our servers in the Data Centre. Once the data has been transferred it is deleted from the tablet. All data is encrypted and protected by firewalls using enterprise level infrastructure. All servers and systems are regularly patched and updated upon release by the respective vendors.

We carry out regular penetration and vulnerability tests on both the infrastructure and code base and act to rectify any threats discovered as a matter of urgency.

Each member of staff that requires a logon is assigned a complex password that protects access to the system. Parent access to the electronic learning journey is controlled by the school by enabling or disabling their access and issuing a complex password. Access can be removed at any time. LearningBook reserves the right to suspend or revoke access at anytime if we detect suspicious activity or find any abuse of our Acceptable Use Policy.

If a member of staff forgets their administration password LearningBook will reset the password and re-issue a new one. An e-mail is sent to the registered e-mail address notifying of the change and your new password will be sent out via a secure, tamper-proof envelope to the registered address. We keep the username and passwords separate at all times. The school or nursery control a similar process for parental access and we ask that you contact us for any help and support in this area to ensure you follow sound security principles.

We purposely only ever give out high-level information on the type of hardware, software and systems we use.

More technical information

  • The observation capture software runs on an Android Tablet. We support Android version 4.0 and API v14 or higher.
  • The administration software runs as a Single Page Architecture (SPA). It is accessed through a standard browser so no software is installed on any PC in the school or nursery.
  • Complex or Strong passwords mean at least 8 characters long, no real names, at least one number and at least one special character (!# etc.)
  • All access is controlled via a username and password. These are encrypted and therefore cannot be read or viewed in plain text and no access is granted without these.
  • Data is encrypted to 128-bit SSL and digitally signed to confirm the authenticity of the provider and stop any man-in-the-middle attacks. No data is sent as plain text and image data and details are stored independently. Tablets, Staff and Parent usernames and passwords can be revoked at anytime, preventing any access to that school or nursery’s data. The tablet and school administration access can only be re-instated by LearningBook staff and the parental access can only be re-instated by the school or nursery administrator user. If the administrator user is compromised
  • LearningBook can revoke and re-instate this under the written request of the Data Controller, namely the head teacher or nursery manager.
  • Data is stored securely in data centres located in UK with daily backups with a seven year retention period.

Data Protection and Privacy Policy

LearningBook is committed to compliance with all national and, where appropriate, international laws relating to the protection of personal data and individual privacy.

The Managing Director is LearningBook’s Data Controller. Personal data is classified as Restricted, and is available only to those who need to deal with it.

The policy applies to all personal data held by LearningBook, including on wireless notebook computers, and mobile telephones etc.

All staff will be provided with training to ensure that they understand the LearningBook’s policy and the procedures it has put into place to implement that policy.

The disciplinary process will be invoked in circumstances where this policy may have been transgressed.

Technical Highlights

Support infrastructure

  • • 08:00-18:00 (GMT/BST) UK Helpdesk
  • • Industry Certified Engineers

Client infrastructure

  • • HTTPS Application Access
  • • 256-bit Capable Client to Server SSL Encryption

Server infrastructure

  • • Hosted Messaging & Collaboration Framework
  • • Clustered E-Mail and Database Server
  • • Smart Access Technology
  • • Snapshot and Off-site Backups

Data centre infrastructure

  • • Two Independent Locations
  • • VESDA Fire Detection Systems
  • • N+1 UPS with Standby Diesel Generator
  • • CCTV 24/7 Manned Security
  • • High Capacity Air Conditioning

Internet infrastructure

  • • Triple Independent Load Balanced Data Feeds
  • • Clustered Firewall Protection with Deep Content Inspection
  • • Advanced Intrusion Detection Systems

Our customer applications run on our own fully resilient infrastructure, securely accessed over the Internet.

The server and access infrastructure is hosted in a UK-based data centre. The data centre provider is ISO 27001 compliant and operates the data centre under these controls.

Every single component within the infrastructure is duplicated, from dual-redundant power supplies, network cards and memory mirroring to full-server duplication using hardware and software clustering technologies.

The entire infrastructure is duplicated in a second recovery centre with hourly off-site data shipping replication. This means that even in the highly unlikely event of a disaster where the data centre is unavailable, you can continue working as if nothing had happened.

The Internet feeds are all provided by independent carriers using diverse routing. We of course utilise Intrusion Detection Systems (IDS) and other classified diversionary tactics to stop unauthorised attacks.

In summary, we put the security, performance and resilience of your data at the highest priority and everything we do is focussed on achieving this. Our hosted infrastructure cannot be detailed for security reasons but we are happy to answer any questions or concerns you may have.