GDPR Privacy Policy Jan 2019

I aim to be as clear as possible about how and why I use information about you/your child, so that you can be confident that your privacy is protected. This policy describes how I manage your information when you use my services.

This policy describes the information that I collect when you use my services. This information includes personal information (data) as defined in the General Data Protection Regulation (GDPR) 2016 and the subsequent UK Data Protection Bill, 2018.

The policy describes how I manage your information when you use my service, if you contact me or when I contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use my website (such as cookies). If you look on my website, information can be found regarding the use of cookies in the Cookie Policy. This outlines information about the type of cookies that my website uses and how you may disable those cookies, if you choose to do so.

I use the information I collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, I am the data controller for the information that you give to me. My contact details can be found on my website

If another party (eg Social Care, the Police) has requested access to your data I will ask for your consent to share information and outline who they are, what they will do with your data and why I need to provide them with the information. There are two legal bases where I do not need to ask for your consent to share the data with a third party: if there is a risk to your child’s vital interests or if I have a legal obligation to share the data.

The GDPR requires that I identify the legal basis upon which I process your personal data. I shall provide occupational therapy services and all associated activities on the basis of:

My contract with you

My legitimate interest to hold and process your personal data so that I can determine whether it is appropriate for me to provide services to you.

What is meant by ‘The contract’?

When an assessment or consultation is requested, the client is asked to read and sign my terms and conditions. That document describes the work that I will undertake and, by signing the document, you enter into a contract with me to do the work. I will process all personal data that you share with me (for the purpose of

completing an assessment or consultation) lawfully, fairly and in a transparent manner. It will be necessary for me to process your personal data in order to fulfil the contract with you. What are my ‘legitimate interests’? The reason that I need to process your personal data is to provide occupational therapy services to you/your child. Inevitably, occupational therapy assessments/consultations involve the processing of special category data, including information, for example, about your child’s health, cognitive functioning, social and emotional issues and family history. I have a legitimate interest to collect such personal data for the purpose of forming a well-informed professional opinion. I will only collect information from you that is relevant for the process of providing the occupational therapy services that you have requested.

1. Why do I need to collect your personal data? In order to carry out an effective assessment or intervention, I need to collect information about you and / or your child so that I may:

 Communicate with you by email or phone. The legal basis for this is a legitimate interest.

 Deliver services to you/your child, for example by preparing a relevant assessment and providing well informed occupational advice for your child. The legal basis for this is the contract with you.

2. What personal information do I collect and when do I collect it? To provide helpful occupational therapy services to you/your child, it is important for me to know your child’s situation and what the concerns are, that led to occupational therapy support being requested. This data is usually collected by the parent or primary carer completing a Parental Information and Booking form. Some parents may choose to provide additional information in writing or verbally. Information requested on the consent form includes:

 Name and contact details of parents

 Name, date of birth and school history of the child

 A summary of the child’s current strengths and difficulties

 What strategies / interventions have already been tried with the pupil

 Why occupational therapy services have been requested

 Family history of learning difficulties and/or other challenges

 Information about other factors that may impact on the child’s situation including early development, medical issues, home life, social & emotional skills and behavioural observations. In order to gain a holistic picture of the child it is also helpful to receive information from the child’s school and other professionals that have been involved. This information includes:

 Name, date of birth and school of the child

 A summary of the child’s current strengths and difficulties

 What strategies / interventions have already been tried with the pupil

 Why psychological services have been requested

 Educational information and attainments

 Social, emotional and behavioural observations

 For pupils approaching GCSEs or other public exams the school may need to send a document called Form 8, if it is thought that the pupil may need Access Arrangements (e.g. additional time) as managed by the Joint Council for Qualifications (JCQ). I will not request data/information from other professionals without written permission from you as client/parents/carers. This permission is given by signing and returning the terms and conditions as part of the Information and Booking form, or it can be given by email. Information is usually requested from your GP, the SENDCo/Head of Learning Support and/or class or subject teachers or your wider family. You can outline the best person/s to contact on the referral form.

3. How do I use the information that I collect?

The information collected is used in the following ways:

 To communicate with you so that I can arrange appointments with you, discuss your concerns and arrange an appropriate course of action.

 To prepare a relevant assessment / consultation for you or your child. I need the personal data to help me to decide what assessments to use and what approaches I should take with you or the child. Background information about the child’s situation is important so that I am aware if the child has experienced trauma or other experiences that may affect their emotional well-being or ability to learn. It is helpful for me to see previous reports from other professionals, in order to put my work in context with the child’s development over time.

 Information provided by you and others (e.g. school, other professionals), when pertinent to the assessment, will be integrated into the written report. The report will only be sent to you or parents of the child/young person. In some circumstances, when permission is given by parents to share the report with school,(which they can do in the booking and terms and conditions form) the report will be sent to both. It might be that parents give permission for the report to be shared with someone else who is acting on their behalf and/or supporting them with the process eg the Head of Learning Support or Pastoral Care at a boarding school, or when the parent cannot read or has other significant challenges. In these circumstances the report will only be sent encrypted.

 If reports are proof read by a proof reader, then the reports will be transmitted to and from the occupational therapist by email, password protected and encrypted. In addition, the proof reader and psychologist have an agreed ‘Data Controller and Processor Policy’ (this may be seen on request) to outline procedures to keep your data safe and confidential.

 Immediately after the assessment, feedback can be shared in a meeting with yourself and your carers/family or with parents and/or relevant involved teachers at school, following yours’ or parents’ permission to share results with school staff.

4. Where do I keep the information?

 Data is usually received by post or by email.

 Paper records will be filed and kept in a locked filing box/cabinet.

 When data is received by email, attachments will be saved in the pupil’s electronic file and then the email will be deleted. If any personal data is included in the body of the email, a copy will be saved in the pupil file and then the original deleted from my inbox. Parents and schools are advised to send personal data password protected or by using an encrypted email service, such as Egress.

 Electronic information will be stored on a PC at the office of Laura Quick, which is password protected. The report itself is also password protected.

 All personal data relating to you, pupils or their parents will be backed up by being stored on an external hard drive and in iCloud/OneDrive which are GDPR compliant.

 When pupil paper files are being used/worked on they will be locked in a filing box/cabinet and these files will be destroyed at the end of each term, within the 6-term academic year.

 When the information is carried to conduct an assessment, the paper file will be kept in a travel bag. This bag will not be left overnight in a vehicle. If left out of sight in a vehicle for a short period during the day, the car will be locked securely. During school visits, I will keep the paper file on my person, or have it locked in a room.

 If a data breach occurs, and the breech is deemed to be a high risk for the rights and freedoms of the data subject, the ICO and all affected clients will be notified within 72 hours. The nature of the breech will be explained along with the steps I am taking to deal with it. More information is outlined in the Data Breech Procedure Policy.

5. How long do we keep the information?

 The report will provide a detailed summary of my involvement. Once a report hasbeen completed, any handwritten notes will be securely destroyed by using a shredder. Paper record forms, writing samples and other assessment materials may be kept for up to two months in case questions are raised about the process of the assessment. They will then be securely destroyed by shredding.

 Electronic files (including pupil reports) will be retained for a period of six years. This is so that a record of the report remains, if parents lose the copy that was sent to them. Also, the report may be referred to, if the pupil is reassessed in the future.

 Electronic versions of the referral /parental consent form may be kept in your or the pupil’s electronic file on the PC, password protected, for up to six years. This is due to it being part of your or the parental information form. Paper versions of the booking form version will be shredded at the end of every 6-term year.

 After a period of six years all remaining records will be securely destroyed, unless I continue to be directly involved with the case and there are strong reasons forretaining historical data, e.g. to track strategies and interventions over time, legal cases.

 Please note it is you or the parents’ responsibility to retain copies of the report, because I will only retain the data for six years.

6. Who do we send the information to?

 Where parents have agreed for me to contact the pupil’s school, or if the school have commissioned the report, the date of the appointment will be arranged directly between myself and the school, with the parent/s being informed of this date through my communication with them. Alternatively, parents may arrange a date with me and then check with school to ensure it is a mutually convenient date.

 School staff are may be invited to join a feedback meeting with parents where the assessment is discussed, with parental permission.

 Family and carers of an adult may be invited to join a feedback meeting where the assessment is discussed with the adult’s permission.

 Assessment reports are typically only sent to the adult or child the report is about, and an encrypted copy will be sent to the person who has commissioned the work (i.e. paid for it) with the knowledge of the adult, the child and their parents.

 Reports will be sent out electronically by email. If you or the parents are happy to share the report, it is your/their responsibility to forward it to the child’s school and any other relevant professionals.

 All reports will be in ‘read only’ PDF format so no changes may be made. They will also be sent encrypted.

7. Will we send emails and text messages to you?

 I will only contact you in response to a request for occupational therapy services that has been initiated either by you or the school. This would usually include emails or phone calls to discuss your current concerns and arrange appointments. I wil also email invoice/payment details to you and the assessment report.

8. What happens to your data if I were to die?

 In the event of my unexpected death all data will be confidentially destroyed by the appointed executor.

9. Your rights

As I process your personal data, you have certain rights. These are a right of access, a right of rectification, a right of erasure, a right to data portability and a right to restrict processing.

 You can make a subject access request (SAR) by contacting the Data Protection Officer. I may require additional verification that you are who you say you are to process this request. Please make such a request in writing or by email to me, Laura Quick, the Data Protection Officer. Please provide the following information: your name, address, telephone number, email address and details of the information

you require.

 I may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.

 You may request a copy of your data at any time. If you believe any of the personal data hold on you/your child is inaccurate or incomplete, please contact me directly and any necessary corrections to your data will be made without undue delay.

 If you believe I should erase your data, please contact me, Laura Quick. However, there are some circumstances when I do not have to delete your data, for example if I have safeguarding obligations that over-ride your data protection rights.

 Where you have provided explicit consent for me to use your data, you have a right to withdraw this consent at any time.

 If you wish to use a different Occupational Therapist, you have a right to have the data transferred to them. If your questions are not fully answered by this policy, please contact me directly in my role as Data Protection Officer for Laura Quick, Mind Matters Gloucestershire. If you are not satisfied with the answers I provide, you may contact the Information