GDPR Statement

For a full copy of our GDPR statement please email -



Book in a Box aims to ensure that all personal data collected about pupils and schools is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR) and the expected provisions of the Data Protection Act 2018 (DPA 2018) as set out in the Data Protection Bill. This policy applies to all personal data, regardless of whether it is in paper or electronic format.


2. Legislation and guidance

This policy meets the requirements of the GDPR and the expected provisions of the DPA 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR and the ICO’s code of practice for subject access requests. In addition, this policy complies with regulation 5 of the Education (Pupil Information) (England) Regulations 2005, which gives parents the right of access to their child’s educational record.

The data collected will be processed so that Book in a Box can fulfil an agreement with an individual school whereby the school has asked Book in a Box to provide a service.

The data is processed to ensure Book in a Box can comply with a legal obligation.

The guardian of the individual child has freely given consent for information to be shared with Book in a Box.

Book in a Box will only collect data for specified reasons – sending monthly book parcels to individual children.

Book in a Box will never share personal information with anyone else.


Data Security and Storage of Data

All records are provided electronically. Laptops on which information is stored will be kept under lock and key when not in use.

Passwords are needed to access the devices with personal information on them.

Personal information is not stored on other personal devices.

Staff of Book in a Box only use associated email addresses ( to conduct all data requests.


Disposal of Records

Once a school has asked for their subscription to end, all data will be deleted from the system. This will happen in the month after the request to end the agreement has been made. Book in a Box will make all reasonable endeavors to ensure there are no personal data breaches. In the unlikely event of a suspected data breach, we will follow the procedure set out in Appendix 1.


Data Protection Controller - The data protection controller (DPC) is responsible for the day-to-day implementation of this policy in our business. The DPC for Book in a Box is also the first point of contact for individuals whose data the school processes. 




