GDPR AND PRIVACY POLICY
PURPOSE
When you use Young Communicators Speech and Language Therapy, you trust me with your information. This privacy policy is meant to help you understand what data I collect, why I collect it, and what I do with it. I have tried to make it as simple as possible but if you have any questions, please contact me. I am registered as a data controller with the Information Commissioners Office (ICO).
SCOPE
This document provides information regarding the following:
1. Information I collect
2. Where I get information
3. How I use the information I collect
4. Information I share
5. How and when consent is obtained
6. How I protect your data
7. Your rights regarding your data
8. Security of your personal data
9. How to make a complaint
1. Information I collect
I hold personal data as part of conducting a professional service. Under UK data protection law, I must have a ‘lawful basis’ for collecting and using your personal information. You can find out more about lawful bases on the ICO’s website (https://ico.org.uk/).
My lawful basis for the collection and use of your data is one of ‘legitimate interest’ as this data is necessary in order for me to provide a service to you.
1.1 Healthcare records
A healthcare record refers to all information collected, processed and held both in manual and electronic formats pertaining to the service user and their care. Speech, language, and communication problems can be complex, and a wide range of information may be collected in order to best meet the needs of the client, and to maintain a high-quality service which meets best practice requirements. In order to provide a high-quality service, a range of information may be collected. Examples of data collected and held on all current and active clients include the following:
• Contact details: Name, address, phone numbers, e-mail address
• Personal details: date of birth
• Other contacts: name and contact details of GP and any other relevant healthcare professionals involved
• Parent(s)/guardian(s): names, addresses, phone numbers, e-mail addresses
• Description of family and family history of speech, language, communication, and learning needs as applicable
• Educational placements
• Pre- and post-natal history: This can include information relating to mother’s pregnancy, and child’s birth
• Developmental data: developmental milestones, feeding history, audiology history
• Medical details: such as any relevant illnesses, medications, and relevant family history. Reports from other relevant allied health professionals such as: Paediatricians, school staff, Audiology, Psychology, CAMHS (Child & Adolescent Mental Health Services), Occupational therapy, Physiotherapy, Ophthalmology.
1.2 Educational Records
Relevant Educational Health Care Plans (EHCPs), and any other relevant records or reports from educational staff and school may be held.
1.3 Clinical records
Specific data in relation to communication skills may be collected and held, such as assessment forms, reports, case notes, e-mails, text messages and transcripts/summaries of phone calls.
Audio and video recordings may also be collected for clinical purposes. Parental consent will be obtained for these recordings.
1.4 General administrative records
I will hold information regarding attendance at therapy and assessment sessions.
1.5 Financial records
A financial record pertains to all financial information concerning the practice, e.g. invoices, receipts, information for HMRC. I may hold data in relation to: on-line purchasing history, card payments, bank details, receipts and invoices. Information will include name of bill payer, client name, address and record of invoices and payments made.
2 How I collect information
Personal data will usually be provided by the parent(s)/guardian(s) of the child, and by the child directly. This information will be collected as part of a case history form/discussion prior to, or on the date of first contact. Information may also be provided directly from relevant third parties such as schools, medical professionals and allied health professionals, with prior consent from the parent(s)/guardian(s).
Personal information is also collected when you use the contact form on my website.
3 How I use the information that I collect
I use the information I collect to provide assessment and therapy as per the relevant professional guidelines, as well as to maintain the general running of the business, such as running the electronic booking system, keeping financial accounts and updating you of any changes in policies or fees.
3.1 Data retention periods
The retention periods are the suggested time periods for which the records should be held. Following the retention deadline, all data will be destroyed. In accordance with law, all client records will be kept securely until your child is 25 years old or if still receiving treatment at the age of 17, until they are 26 years old. After this time all records relating to your child will be destroyed.
When information is submitted via the contact form on my website, this will be transferred to the client record should you choose to use my services. If you do not, this information will be deleted following our initial consultation, or after the enquiry is otherwise completed.
3.2 Client Records
3.2.1 Clinical Records
Young Communicators keeps electronic records of clinical data in order to provide a service.
I use a secure electronic cloud-based system for clinical records, which is compliant with general data protection regulations. Other electronic records may be stored within e-mail or secure cloud storage, accessible only by me.
Video records/voice recordings relating to client care/videoconferencing records may be recorded with consent. These will be stored temporarily on a password protected electronic device, before they are analysed and then destroyed.
3.2.2 Financial Records
I keep electronic records of financial data when you use my services.
• Financial records are kept for 5 years after the tax submission deadline of the relevant financial year to adhere to HMRC guidelines.
• Financial records (including unpaid invoices) can be given to HMRC at HMRC’s request.
3.2.3 Contact Data
Contact Data is kept for the period of time as set out in 3.1. This may be retained for longer for safety, legal request, or child protection reasons.
3.3 Exceptions
If under investigation or if litigation is likely, files must be held in original form indefinitely, otherwise files are held for the periods set out above.
4 Information sharing
To protect my personal safety, the location and time of visits is stored in an Outlook calendar which is shared with a member of my family. This may include clients’ home addresses. No other personal information is stored in this calendar. Addresses will be deleted from the calendar following the visit.
I do not otherwise share your personal information with companies, organisations and individuals outside Young Communicators unless one of the following circumstances apply:
4.1 With your consent:
I will only share your personal information with third parties when I have express written permission by email to do so. Third parties may include: hospitals, GPs, other allied health professionals, educational facilities.
4.2 For legal reasons
I will share personal information with companies or organisations outside of Young Communicators if I have a legal obligation to share it, for example regarding safeguarding concerns.
4.3 To meet financial requirements:
I may share financial data with an accountant in order to meet my financial obligations.
5 How and when I obtain consent:
Prior to initial assessment or consultation, a copy or link to this policy will be provided to clients along with a consent form. A consent form will need to be completed by the child’s parent/guardian before a service can be provided.
6 How I protect your data
In accordance with the General Data Protection Regulation (GDPR), I will endeavour to protect your personal data in a number of ways:
6.1 By limiting the data that I collect in the first instance - all data collected will be collected solely for the purposes set out at 1 above and will be collected for specified, explicit and legitimate purposes. The data will not be processed any further in a manner that is incompatible with those purposes save in the special circumstances referred to in section 4. Furthermore, all data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected.
6.2 By transmitting the data in certain specified circumstances only. Data will only be shared and transmitted as is required, and as set out section 4.
6.3 By keeping only the data that is required when it is required and by limiting its accessibility to any other third parties.
6.4 By retaining the data for only as long as is required.
6.5 By destroying the data securely and confidentially after the period of retention has elapsed.
6.6 By ensuring that any personal data collected and retained is both accurate and up-to-date.
6.7 By ensuring that systems and services I use to store personal data are secure, and regularly reviewing guidance and updates from the ICO.
7 Your rights regarding your data
You can find out more information about your data protection rights on the ICO’s website (https://ico.org.uk/).
You have the right to request a copy of the data I hold about you and your child (known as a Subject Access Request). If you would like to make a request, please contact me using the contact details above.
You have the right to request that incorrect information I hold about you is corrected (e.g. a change in address or school). Due to legal obligations to store certain kinds of data (e.g. for financial obligations or provision of health care) I am unable to erase parts of your data once it is provided to me.
8 Security
I am aware of the need for privacy. As such, I aim to practice privacy by design as a default approach, and only obtain and retain the information needed to provide you with the best possible service.
8.1 Data Security
I understand that the personal data used in order to provide a service belongs to the individuals involved. The following outlines the steps which I use to ensure that the data is kept safe.
8.1.1 Electronic Data
Electronic data is contained in secure cloud based systems, accessible only by me. For further information about these services, please contact me on the details above.
Reports will be sent via e-mail and password protected.
All digital devices and computers used to store electronic data are password protected.
8.1.2 Physical Data
I do not routinely keep paper records. In the event that paper information is shared with me (e.g. a report from a third party such as a school), this will be scanned and uploaded to the electronic record, then destroyed securely.
9. How to make a complaint
If you have any concerns about my use of your personal data, you can make a complaint to me using the contact details above. If you remain unhappy with how I’ve used your data after raising a complaint, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
ADMINISTRATION
I may amend this policy from time to time at my sole discretion. I will inform current clients when updates are made.
QUESTIONS
Any questions regarding this policy should be directed to Rachel Brindle-Tomkinson.
This policy was last reviewed on 1st October 2024.