Kate Biss assumes the function of data controller and supervises the compliance with General Data Protection Regulation (GDPR) within the business.
Section 1. Information we collect
Kate Biss Speech and Language Therapist holds personal data as part of conducting a professional service. The lawful basis for processing and storing personal information is one of legitimate interest. The data falls under the following headings: healthcare records, educational records, clinical records, general administrative records and financial records.
1.1. Healthcare records
A healthcare record refers to all information collected, processed and held both in manual and electronic formats pertaining to the service user and their care. Speech and language problems can be complex; therefore, a wide range of information may be collected in order to best meet the needs of the client and to maintain a high quality service which meets best practice requirements. Examples of data collected and held on all current and active clients include the following:
- Contact details: Name, address, phone numbers, e-mail addresses
- Personal details: date of birth
- Family details
- Employment/vocational history/educational placement
- Other contacts: name and contact details of GP and any other relevant healthcare professionals involved
- Medical details: such as any relevant illnesses, medications, and relevant family history
- Reports from other relevant allied health professionals such as: Audiology, Psychology, CAMHS (Child & Adolescent Mental Health Services), Occupational therapy, Physiotherapy, Ophthalmology.
1.2. Educational records
Relevant Individual Educational Plans (IEPs), progress notes from educational staff and school reports may be held.
1.3. Clinical records
Specific data in relation to communication skills may be collected and held, such as assessment forms, reports, therapy plans, case notes, e-mails, text messages and transcripts of phone. Audio and video files may also be collected and stored.
1.4. General administrative records
Kate Biss Speech and Language Therapist may hold information regarding attendance reports and accident report forms.
1.5. Financial records
A financial record pertains to all financial information concerning the practice, e.g. invoices, receipts, information for Revenue. Kate Biss Speech and Language Therapist may hold data in relation to the following: card payments, bank details, receipts and invoices. Information will include name of bill payer, client name, address and record of invoices and payments made.
Section 2. Where we get our information
Personal data will be provided by the client, or in the case of a child (under 16 years), their parent(s)/guardian(s). This information will be collected as part of a case history form prior to, or on the date of first contact.
Information may also be provided directly from relevant third parties such as schools, medical professionals and allied health professionals, with prior consent from the parent(s)/guardian(s).
Section 3. How we use the information that we collect
We use the information we collect to provide assessment and therapy as per the relevant professional guidelines, as well as to maintain the general running of the business, keeping our accounts and updating you of any changes in policies or fees. Information may also be used for research purposes, with the written consent of the client or parent/guardian.
3.1. Data retention periods
The retention periods are the suggested time periods for which the records should be held based on the organisation’s needs, legal and/or fiscal precedence or historical purposes. Following the retention deadline, all data will be destroyed under confidential means.
Section 4. Client Records
4.1. Clinical Records
Kate Biss Speech and Language Therapist keeps both physical and electronic records of clinical data in order to provide a service.
- Clinical data is deleted/confidentially destroyed after 7 years from last invoiced appointment (usually post-discharge).
- Clinical data used for research purposes may be kept for longer than 7 years.
- Video records/voice recordings relating to client care/video conferencing records may be recorded with consent, analysed and then destroyed. If written consent is provided to use recordings for training purposes, the client will have the option to withdraw consent at any time.
4.2. Financial Records
Kate Biss Speech and Language Therapist keeps electronic/paper records of financial data from those who use our services. Legislation states that the Revenue Commissioners require records to be retained for a minimum period of six years after the completion of the transactions, acts or operations to which they relate. These requirements apply to manual and electronic records equally.
- Financial Data is kept for 6 years to adhere to Revenue guidelines (Section 886 of the Direct Tax Acts).
- Financial Data (including non-payment of bills) can be given to Revenue at Revenue’s request.
4.3. Contact Data
Contact Data is kept for 6 years to allow processing of Financial Data if required. (This may be retained for longer for safety, legal request, or child protection reasons.)
If under investigation or if litigation is likely, files must be held in original form indefinitely, otherwise files are held for the minimum periods set out above.
Section 5. Information we share
We do not share personal information with companies, organisations and individuals outside unless one of the following circumstances applies:
5.1. With your consent:
We will only share your Personal Identifying Information (PII) with third parties when we have express written permission by letter or email to do so. I require opt-in consent for the sharing of any sensitive information. Third parties may include: hospitals, GPs, other allied health professionals, educational facilities.
5.2. For legal reasons:
We will share personal information with companies or organisations outside of Kate Biss Speech and Language Therapist if disclosure of the information is reasonably necessary to:
- Meet any applicable law, regulation, legal process or enforceable governmental request.
- Meet the requirements of the Children First Act 2015.
- Protect against harm to the rights, property or safety of Kate Biss Speech and Language Therapist, our service users or the public as required or permitted by law.
5.3. To meet financial requirements:
Kate Biss Speech and Language Therapist is also required to share Financial data with Leggatts Financial Services in order to comply with local tax laws. Kate Biss Speech and Language Therapist has obtained a copy of Leggatts Financial Services’ own Data protection policy.
Section 6. Transfer of personal data outside the European Economic Area (EEA)
In certain instances, personal data may be transferred outside the EEA, e.g. to your residence abroad. This would be for specific purposes such as web-based appointments. In such instances, Kate Biss Speech and Language Therapist will obtain written consent from clients. Processes which Kate Biss Speech and Language Therapist uses are:
Type of Data:
- Client contact details
- Basic client information, inputted by the client directly
- Appointment scheduling client details
- Web-based therapy session
Section 7. How and when we obtain consent
Should a client wish to withdraw their consent for data to be processed, they can do so by contacting Kate Biss Speech and Language Therapist.
Section 8. How we protect your data
While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that are transferred from you or to you via the internet.
In accordance with the General Data Protection Regulation (GDPR), we will endeavour to protect your personal data in a number of ways:
8.1. By limiting the data that we collect in the first instance
All data collected by us will be collected solely for the purposes set out at Section 1 above and will be collected for specified, explicit and legitimate purposes. The data will not be processed any further in a manner that is incompatible with those purposes save in the special circumstances referred to in Section 5 above. Furthermore, all data collected by us will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected which include, inter alia, the assessment, diagnosis and treatment of speech, language and communication disorders.
8.2. By transmitting the data in certain specified circumstances only
Data will be shared and transmitted, be it on paper, electronically or by postal mail, only as is required, and as set out in Section 5.
8.3. By keeping only the data that is required
when it is required and by limiting its accessibility to any other third parties.
8.4. By disposing of/destroying the data once the individual has ceased receiving treatment
Within 8 years of the completion of this treatment apart from the special categories of personal data as set out below. Where data is required to be held by us for longer than the period of 8 years, we will put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These may include measures such as the encryption of electronic devices, pseudonymisation of personal data, and/or safe and secure storage facilities for paper/electronic records.
8.5. By retaining the data for only as long as is required
Information must not be retained longer than needed for purpose (General Data Protection Regulation (Rec 39 Art 5)) and this protects the rights for the individual to request their personal data is erased (Art 17) under certain circumstances, although the right to erasure is usually not applicable to health records.
8.5.1. Records should be retained for:
- Children and young people: up until their 25th birthday, or, till their 26th birthday, if 17 at conclusion of their treatment.
- School records for children with special educational needs: 35 years from the date of closure.
- Mentally disordered person (within the meaning of the Mental Health Act 1983): 20 years after the last entry.
- Everyone else: eight years.
8.5.2. Type of record to be retained:
- Speech and language records: for the period of time appropriate to the patient/speciality (as above)
- Parent advice and information regarding educational needs: for 12 years from closure
- Pupil Action Plans: for three years from date of plan
- Individual Education Plans: Until 25 years of age, minimum
- Statement maintained under the Education Act 1996: Until 30 years of age
- Employee records: for six years after leaving service
- Payee records: for six years
- Medical photographs, illustrations, audio and video records (including telemedicine): for time appropriate to speciality
- Scanned records: for amount of time appropriate to speciality
- Clinical audit records: for five years
- Occupational health records: for three years after termination of employment
- Diaries: for two years after the year the diary relates to
- Records/documents related to litigation: as advised by an organisation's legal adviser
- Research records: for a minimum of five years after the conclusion of the trial, or for as long as they have relevance to the original or other research teams
- Risk assessment records: until a new one replaces it
- Agendas of meetings: for two years; board meetings for 30 years
- Complaints: for eight years from completion of action
- Patient information leaflets: for six years after leaflet suspended
- Equipment records and logs: for 11 years
8.6. By destroying the data securely and confidentially after the period of retention has elapsed.
This could include the use of confidential shredding facilities or, if requested by the individual, the return of personal records to the individual.
8.7. By ensuring that any personal data collected and retained is both accurate and up-to-date.
Section 9. Protecting your Rights to Data
9.1. Adult Clients
Adults have the right to request data held on them as per article 15 of GDPR. A request should be made in writing.
Further information regarding accessing your personal data is downloadable from the ICO's website.
For children under the age of 16, data access requests are made by their guardians. When a child turns 16, then they may make a request for their personal data. However, this is subject to adherence with the Children First Act.
Section 10. Security
Kate Biss Speech and Language Therapist, as with most providers of healthcare services, is aware of the need for privacy. As such, we aim to practice privacy by design as a default approach, and only obtain and retain the information needed to provide you with the best possible service.
All persons working in, and with, Kate Biss Speech and Language Therapist in a professional capacity are briefed on the proper management, storage and safekeeping of data.
All data used by Kate Biss Speech and Language Therapist, including personal data, may be retained in any of the following formats:
- Electronic Data
- Physical Files
The type of format for storing the data is decided based on the format the data exists in.
Where applicable, Kate Biss Speech and Language Therapist may convert physical files to electronic records to allow us to provide a better service to clients.
Section 11. Data Security
Kate Biss Speech and Language Therapist understands that the personal data used in order to provide a service belongs to the individuals involved. The following outlines the steps which Kate Biss Speech and Language Therapist use to ensure that the data is kept safe.
11.1. Electronic Data
All electronic data is contained in the following systems: email - iCloud, Namesco email; document storage: iCloud, directly on PC, external hard drive and time capsule. All of these systems are password protected.
- This system is physically located in Scotland.
- This system provider is aware of their requirements for GDPR compliance.
- The data controller is Kate Biss
- The system has an internal administrator namely Kate Biss.
- This system has a Live Update for security enabled.
- Kate Biss requires a Log on and Password in order to access the records.
- Kate Biss has read, write and delete access to records.
- A copy of the files is made on the users’ computer when in use.
11.2. Data on PC
Kate Biss Speech and Language Therapist understands that the personal data used in order to provide a service belongs to the individuals involved. The following outlines the steps which Kate Biss Speech and Language Therapist use to ensure that the data is kept safe.
- Data is encrypted with password protection on PC.
- Data is backed up with an external drive which is also encrypted and password protected and only visible to Kate Biss Speech and Language Therapist.
- Emails to and from clients are held within iCloud and Namesco email applications.
- Desktop PC itself is password protected.
11.3. Data on iPad
- iPad is locked with password and/or fingerprint ID.
- Emails are kept within mail application.
11.4. Written files
- Written files are photographed or scanned and added to electronic folder. Paper copies are then confidentially destroyed where possible and practical.
- Other written documents are kept in a fireproof container within a locked cabinet.
- Documents are kept in accordance with the HCPC and RCSLT regulations.
- Mobile phone contains data of clients' phone numbers, emails and email addresses.
- Phone is locked with passcode and/or fingerprint ID.
11.6. Working off site
- All items may be taken off site as required e.g. to therapy sessions, meetings etc.
- Fingerprint ID or passcode in use at all times.
Section 12. Security Policy
Kate Biss Speech and Language Therapist understands that requirements for electronic and physical storage may change with time and the state of the art. As such, Kate Biss, the data controller in Kate Biss Speech and Language Therapist, reviews the electronic and physical storage options available every 12 months.
12.1. Physical devices used by persons working in Kate Biss Speech and Language Therapist which may contain any identifiable PII are enabled with loss theft tracking and remote wipe abilities.
12.2. All persons working in Kate Biss Speech and Language Therapist are aware, briefed on and refresh the requirements for good data hygiene every 12 months. This compliance briefing is monitored by Kate Biss, data controller and includes, but is not limited to:
- Awareness of client conversations in un-secure locations.
- Enabling auto-lock on devices when leaving them unattended, even within Kate Biss Speech and Language Therapist locations.
- Use of non-identifiable note taking options (initials, not names).
- The awareness of Kate Biss Speech and Language Therapist procedure, should a possible data breach occur, either through malicious (theft) or accident (loss) of devices or physical files.
12.3. Routine followed in the event of a data breach
- Risk assessment undertaken to identify the risk of data that is leaked
- Police informed as appropriate
- Clients informed if there is a significant risk to their personal data
- ICO informed as appropriate
Date of document: 13th March 2019
Review Date: 13th March 2020