Get Spark free

Legal

Platform Data Sharing Agreement

Version 1.0 · Last updated: June 2026

Spark Home Education Ltd
Furlong House, 2 Kings Court, Willie Snaith Road, Newmarket, Suffolk, CB8 7SG

This Agreement is entered into between:

(1) Spark Home Education Ltd, a company incorporated in England and Wales (company number 15695980), whose registered office is at Furlong House, 2 Kings Court, Willie Snaith Road, Newmarket, Suffolk, CB8 7SG (“Spark”); and

(2) the tutor or local authority that registers for, accesses or uses the Platform and accepts the terms of this Agreement (the “Recipient”).

Each a “Party” and together the “Parties”.

1. Background

(A) Spark operates an online platform (the “Platform”) through which parents and guardians of home-educated children may share personal data with tutors and local authorities for the purposes of facilitating home education.

(B) The Recipient has registered an account on the Platform and, in doing so, will access personal data relating to parents, children and families (“Shared Data”), as more particularly described in Schedule 1 (Description of Shared Data).

(C) The Parties have agreed to enter into this Agreement to record their respective roles and responsibilities in relation to the Shared Data and to ensure compliance with applicable data protection legislation.

2. Definitions and interpretation

2.1 In this Agreement, the following terms have the meanings given below:

  • “Applicable Data Protection Law” means the UK General Data Protection Regulation (as defined in section 3(10) of the Data Protection Act 2018, as supplemented by section 205(4) of that Act) (“UK GDPR”), the Data Protection Act 2018, the Data (Use and Access) Act 2025 (to the extent in force and applicable), and any other applicable legislation or statutory instrument relating to the processing of personal data and privacy in the United Kingdom, as amended or replaced from time to time;
  • “Children's Code” means the ICO's Age Appropriate Design Code of Practice for Online Services issued under section 123 of the Data Protection Act 2018;
  • “Data Subject” has the meaning given to it in the UK GDPR;
  • “ICO” means the Information Commissioner's Office;
  • “Personal Data Breach” has the meaning given to it in the UK GDPR;
  • “Purpose” means the purpose(s) set out in Schedule 1 for which the Recipient is permitted to process Shared Data;
  • “Shared Data” means the personal data described in Schedule 1 that Spark makes available to the Recipient through the Platform; and
  • “Special Category Data” has the meaning given to it in the UK GDPR.

2.2 Capitalised terms not defined in this clause 2 have the meanings given to them elsewhere in this Agreement.

2.3 Any reference to a statute or statutory provision includes a reference to that statute or provision as amended, extended, re-enacted or consolidated from time to time.

2.4 The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement.

3. Roles of the parties

3.1 For the purposes of Applicable Data Protection Law:

  • Spark is an independent data controller in respect of the Shared Data at the point of collection and at the point of disclosure to the Recipient;
  • the Recipient is an independent data controller in respect of the Shared Data upon and following receipt from the Platform, and is solely responsible for its own processing of the Shared Data; and
  • the Parties are not joint controllers for the purposes of Article 26 UK GDPR unless separately agreed in writing.

3.2 Each Party shall comply with Applicable Data Protection Law in relation to its own processing activities. Nothing in this Agreement is intended to, or shall, relieve either Party of its own independent obligations under Applicable Data Protection Law.

3.3 Spark shall ensure it has a valid lawful basis under Article 6 UK GDPR (and, where the Shared Data includes Special Category Data, a condition under Article 9 UK GDPR) for making the Shared Data available to the Recipient through the Platform, and shall record that basis in its own records of processing.

4. Permitted use of Shared Data

4.1 The Recipient shall process the Shared Data only for the Purpose and only to the extent necessary to achieve the Purpose.

4.2 The Recipient shall not process the Shared Data for any purpose that is incompatible with the Purpose without first obtaining the consent of the relevant Data Subject or identifying another lawful basis under Applicable Data Protection Law.

4.3 The Recipient shall not sell, rent, licence or otherwise make available the Shared Data to any third party, except where strictly necessary for the Purpose and subject to clause 5 (Onward Disclosure).

5. Onward disclosure

5.1 The Recipient shall not disclose Shared Data to any third party except where strictly necessary for the Purpose and permitted under Applicable Data Protection Law.

5.2 Before making any such onward disclosure, the Recipient shall:

  • satisfy itself that the third party has a valid lawful basis to receive and process the Shared Data; and
  • put in place a written agreement with the third party imposing data protection obligations that are no less protective than those in this Agreement, including in relation to security, purpose limitation, special category and children's data, and onward disclosure.

5.3 The Recipient shall maintain a record of all third parties to which it discloses Shared Data and the categories of Shared Data disclosed, and shall provide that record to Spark on reasonable written request. The Recipient remains responsible to Spark for any processing of the Shared Data carried out by such third parties.

6. Data protection obligations of the Recipient

6.1 The Recipient shall, in respect of the Shared Data:

  • process the Shared Data lawfully, fairly and in a transparent manner, and document its lawful basis for processing;
  • ensure the Shared Data is accurate and, where necessary, kept up to date;
  • retain the Shared Data only for as long as is necessary for the Purpose, and thereafter securely delete or anonymise it in accordance with its own documented retention schedule;
  • implement appropriate technical and organisational measures to protect the Shared Data against unauthorised access, disclosure, alteration, loss or destruction, having regard to the nature of the data and the risks involved;
  • not transfer the Shared Data outside the United Kingdom unless an appropriate safeguard under Chapter V UK GDPR is in place; and
  • maintain records of its processing activities in relation to the Shared Data as required by Article 30 UK GDPR.

6.2 Where the Shared Data includes Special Category Data (including, without limitation, data relating to a child's health, disability or special educational needs), the Recipient shall additionally identify and document an appropriate condition for processing under Article 9 UK GDPR and shall apply heightened security measures proportionate to the sensitivity of the data.

6.3 Where the Shared Data relates to children, the Recipient shall:

  • treat the best interests of the child as a primary consideration in all decisions relating to the processing of that data;
  • apply appropriate safeguards having regard to the child's age, vulnerability and reasonable expectations of privacy; and
  • comply with any requirements of the Children's Code that apply to the Recipient's own services or processing activities.

6.4 Each Party is responsible for providing the Data Subjects with the information required by Articles 13 and 14 UK GDPR in respect of its own processing of the Shared Data. Spark shall ensure that, at the point of collection, parents and guardians are informed that their personal data and that of their children may be shared with tutors and local authorities through the Platform for the Purpose. The Recipient shall provide, or make readily available, its own privacy information to Data Subjects in respect of the Recipient's processing of the Shared Data, and shall ensure that information is consistent with the basis on which the Shared Data was originally collected.

7. Data subject rights

7.1 Each Party is independently responsible for handling requests from Data Subjects to exercise their rights under Applicable Data Protection Law in relation to the personal data that Party controls.

7.2 Where the Recipient receives a request from a Data Subject that relates to Shared Data that Spark controls, the Recipient shall promptly (and in any event within three (3) business days) forward the request to Spark at [email protected].

7.3 Where Spark receives a request from a Data Subject that relates to Shared Data processed by the Recipient, Spark shall promptly notify the Recipient and the Recipient shall cooperate with Spark and the Data Subject to the extent necessary to fulfil the request within the applicable statutory time limit.

8. Personal data breaches

8.1 The Recipient shall notify Spark without undue delay (and in any event within twenty-four (24) hours) upon becoming aware of any Personal Data Breach affecting the Shared Data. The notification shall include, to the extent then known:

  • a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
  • the likely consequences of the breach; and
  • the measures taken or proposed to address the breach and mitigate its effects.

8.2 The Recipient shall provide Spark with such further information and assistance as Spark reasonably requires in connection with any regulatory investigation or notification to the ICO or affected Data Subjects arising from a Personal Data Breach affecting the Shared Data.

8.3 Nothing in this clause 8 shall prevent or delay the Recipient from complying with its own obligations under Articles 33 and 34 UK GDPR. Where the Recipient is required to notify the ICO or any Data Subject of a Personal Data Breach affecting the Shared Data, it shall (to the extent practicable and lawful) notify Spark in parallel and consult with Spark on the content of any such notification, but the Recipient shall not be required to delay any notification it must make within the statutory time limit in order to do so.

9. Cooperation and audit

9.1 The Recipient shall, upon reasonable written notice, provide Spark (or its nominated representative) with such information, records and assistance as Spark reasonably requires to verify the Recipient's compliance with this Agreement and Applicable Data Protection Law in relation to the Shared Data.

9.2 The Recipient shall cooperate with Spark in carrying out any data protection impact assessment required under Article 35 UK GDPR that relates to the Shared Data or the processing contemplated by this Agreement.

10. Indemnity

10.1 The Recipient shall indemnify, defend and hold harmless Spark and its officers, employees, agents and contractors (together, the “Indemnified Persons”) against all losses, liabilities, costs, expenses (including reasonable legal fees), fines, penalties and damages suffered or incurred by any Indemnified Person arising out of or in connection with:

  • any breach by the Recipient of its obligations under this Agreement;
  • any breach by the Recipient of Applicable Data Protection Law in relation to the Shared Data;
  • any misuse, unauthorised disclosure, or unlawful processing of the Shared Data by the Recipient or any person to whom the Recipient has disclosed the Shared Data;
  • any claim brought by a Data Subject against an Indemnified Person arising from the Recipient's processing of the Shared Data; or
  • any regulatory action, fine or penalty imposed on Spark by the ICO or any other supervisory authority arising directly from the Recipient's acts or omissions in relation to the Shared Data.

10.2 The indemnity in clause 10.1 shall not apply to the extent that the relevant loss, liability, cost, expense, fine, penalty or damage is caused by the negligence or wilful default of an Indemnified Person.

10.3 Spark shall take reasonable steps to mitigate any loss in respect of which it seeks to rely on the indemnity in clause 10.1. Spark shall notify the Recipient promptly upon becoming aware of any claim or circumstances that may give rise to an indemnity claim under clause 10.1.

11. Limitation of liability

11.1 Nothing in this Agreement shall limit or exclude either Party's liability for:

  • death or personal injury caused by negligence;
  • fraud or fraudulent misrepresentation; or
  • any other liability that cannot be limited or excluded by law.

11.2 Neither Party shall be liable to the other for any indirect, consequential, special or punitive loss or damage arising under or in connection with this Agreement.

12. Term and termination

12.1 This Agreement shall commence on the date on which the Recipient first accepts this Agreement (whether by registering for an account, accessing the Shared Data, or otherwise using the Platform) and shall continue until terminated in accordance with this clause 12.

12.2 Either Party may terminate this Agreement on written notice to the other or via the deletion of the Recipient's account by the Recipient.

12.3 Either Party may terminate this Agreement with immediate effect by written notice if the other Party commits a material breach of this Agreement that is incapable of remedy; Termination of this Agreement shall not affect any accrued rights or liabilities of either Party.

12.4 The Recipient is solely responsible for the retention and deletion of Shared Data it has obtained through the Platform. On termination of this Agreement, the Recipient shall cease to access the Platform but may continue to retain and process Shared Data already obtained only for so long as is necessary for the Purpose or as required by law, after which it shall securely delete or anonymise that Shared Data in accordance with clause 6.1(c) and its own documented retention schedule. The Recipient shall, on Spark's reasonable written request, confirm in writing the steps it has taken to comply with this clause.

13. Changes to Shared Data

13.1 Spark shall notify the Recipient if there is a material change to the nature or categories of Shared Data made available through the Platform.

14. Confidentiality

14.1 Each Party shall keep confidential all information received from the other Party in connection with this Agreement and shall not disclose it to any third party without the prior written consent of the disclosing Party, except where disclosure is required by law, regulation or a binding order of a court or regulatory authority.

15. General

15.1 Entire agreement: This Agreement and the Schedules constitute the entire agreement between the Parties in relation to the processing of the Shared Data and supersede all prior arrangements, understandings and representations between them in respect of the same subject matter.

15.2 Variation: No variation of this Agreement shall be effective unless it is in writing and signed by authorised representatives of both Parties.

15.3 Waiver: A failure or delay by a Party to exercise any right or remedy under this Agreement shall not constitute a waiver of that right or remedy.

15.4 Severance: If any provision of this Agreement is found to be invalid, illegal or unenforceable, the remaining provisions shall continue in full force and effect.

15.5 Notices: Any notice under this Agreement shall be in writing and delivered by email (with read receipt) or by post to the address of the recipient Party set out in this Agreement (or such other address as that Party may notify in writing). Notices sent by email shall be deemed received on the date of transmission (if transmitted before 17:00 on a business day) or on the next business day (if transmitted at or after 17:00 or on a non-business day). Notices sent by post shall be deemed received [two (2)] business days after posting.

15.6 Governing law: This Agreement and any dispute or claim arising out of or in connection with it (whether contractual or non-contractual) shall be governed by and construed in accordance with the law of England and Wales.

15.7 Jurisdiction: Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement.

Acceptance

By registering for an account on the Platform, accessing the Shared Data, or otherwise using the Platform, the Recipient confirms that it has read, understood and agrees to be bound by the terms of this Agreement, and that the individual accepting this Agreement is duly authorised to do so on behalf of the Recipient. No physical signature is required for this Agreement to be binding on the Recipient.

Spark Home Education Ltd has agreed to the terms of this Agreement, which apply to all tutors and local authorities accessing Shared Data through the Platform.

Schedule 1 — Description of Shared Data

1. Categories of Data Subjects

1.1 The Shared Data relates to the following categories of Data Subjects:

  • parents and guardians of home-educated children registered on the Platform;
  • home-educated children; and
  • [any other family members as applicable].

2. Categories of personal data

2.1 The Shared Data comprises the following categories of personal data:

  • identity and contact details of parents and guardians (including name, address, telephone number and email address);
  • name, date of birth and year group of the child;
  • educational records, learning preferences and progress information;
  • [special educational needs or disability information (Special Category Data)]; and
  • [any other categories as applicable].

3. Purpose

3.1 The Recipient may process the Shared Data only for the following purpose(s):

  • facilitating home education services provided by the Recipient to the child;
  • carrying out the Recipient's statutory functions in relation to home-educated children as required by law; and
  • completing any reporting requirements as required by law.

4. Lawful basis

4.1 The Recipient shall, before processing any Shared Data, identify, document and maintain a valid lawful basis for that processing under Article 6 UK GDPR.

4.2 Where the Shared Data includes Special Category Data, the Recipient shall, before processing, additionally identify, document and maintain an appropriate condition for processing under Article 9 UK GDPR (and, where relevant, Schedule 1 to the Data Protection Act 2018).

4.3 The Recipient shall, on request, provide Spark with confirmation of the lawful basis and (where applicable) Article 9 condition on which it relies.