General Data Protection Regulation (2018)
Data protection policy and retention schedule
Data protection officer
- Dr Leona Black
- Email: [email protected]
Introduction
Dr Leona Black aims to be as clear as possible about how and why information about you is used so that you can be confident that your privacy is protected. This policy describes the information that Dr Leona Black collects when you use her Educational Psychology service. This includes personal and sensitive information as defined by the General Data Protection Regulation (GDPR) 2018 and the UK Data Protection Bill 2018.
The policy describes how your information is managed when you use the service. Dr Leona Black uses the information collected in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2018.
If you have any queries about this policy, please contact the data controller directly. If you are not satisfied with the answers provided, or if you require any further information, you can contact the Information Commissioner's Office (ICO) at www.ico.org.uk.
Why is personal information collected?
- To conduct consultations with key staff and parents/ carers
- To conduct observations in class
- To conduct a psychological assessment of the child or young person.
- To communicate with you, send reports to you, contact you regarding appointments, provide feedback after an assessment or consultation or to send invoices.
- To carry out and deliver a service we have been contracted to do, either by yourself or by your child’s school, nursery or educational setting. This is primarily an educational psychology service.
- In the case of child protection / case conference, etc.
- If an initial enquiry has been made about a potential referral, from either a parent or school, information is collected while the client decides whether to use the service. NB. In initial discussion with schools, prior to parental consent being granted, the full names of children are not used.
Consent
Consent is an ongoing process and can vary depending on the time, place and activity.
If consent is not given, then no educational psychology involvement will take place.
If the parent/carer has given consent, this is for the initial piece of work (consultation or assessment) and also the review consultation and any subsequent pieces of work.
If a parent/carer or school requests educational psychology involvement more than one year after initial involvement, then explicit verbal consent will be requested from parents/carers for involvement, so long as there is evidence of signed consent. This is to ensure that consent is still valid and provided. Consent-givers are also able to withdraw their consent at any time by contacting the data holder (Dr Leona Black).
Guidance from the Department for Education states that, for the sake of efficiency, only one adult with parental responsibility needs to provide consent. However, if there is another adult who shares parental responsibility, whether they are in the family home or not, and there is a suspicion that they would refuse consent, then they must be given an opportunity to do so. If all adults with parental responsibility are not in agreement, then psychological involvement cannot proceed until the position has reached a resolution or there had been a determination of the issue by the Family Court. This is accepted practice across the UK.
What types of information and data are collected?
Legitimate Interest
Given the context and nature of our relationship, the intended purpose for collecting and processing your personal data isis for educational psychology support and to consider what support is required to remove barriers to learning. Therefore, there is a legitimate interest to collect your relevant data for the purpose of forming a professional opinion.
In so doing, the only information collected from you will be relevant to the purpose of undertaking that consultation, assessment and the associated and expected reporting, profiling and advising. This can include:
- All background information and information that can be used to identify someone e.g. family name, date / place of birth, address, phone numbers, area of strengths and need, medical conditions, other services involved.
- Special category data e.g. race, ethnic origin, religious beliefs, physical or mental health conditions, or criminal convictions
- Psychological reports for children and young people.
- Assessment materials.
- Email enquiries – to maintain confidentiality schools are asked not to use a child or young person’s name in their emails and only use initials.
Lawful basis for processing data
- Signed consent forms by parent/carers.
- All data is collected from children and young people with full parental consent.
- Data needs to be processed to comply with a legal obligation of the data holder
- Data needs to be processed in order to save someone’s life
- Processing of data is necessary to perform a task in the public interest or to carry out some official function.
How is the information that has been collected then used and processed?
- To carry out consultation meetings with key staff and parents/carers and then report this in the consultation records / advice.
- To carry out the service requested, the collected information is used to interpret, hypothesis and score test information and then compiled into a record of involvement. This might be in the form of a written report, verbal feedback.
- These written records and/or reports are stored on a computer and shared with relevant parties such as parents, school and other professionals involved with the child or young person. Consent to share this data is gained prior to this.
- Assessment materials are held in paper copies (destroyed after the assessment and report have been completed) and results held in electronic copies.
- Hard copies of reports are sent via post to multi-agency professionals (e.g. Community Paediatricians / Speech and Language Therapists).
- Electronic copies of reports are sent to schools or parents using an encrypted PDF report system. All schools or parents have the password provided to them separately.
How personal and sensitive information is stored and kept safe:
Data security
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. This is done by:
- Assessment materials, notes and consent forms are in a locked filing cabinet or held electronically in an encrypted file.
- Computer has an encrypted drive where electronic reports are kept.
- Firewall and anti-virus software on computer.
- Electronic data is backed up and password protected.
Data Breach Procedure
- The Information Commissioner’s Office will be contacted within a reasonable time frame as soon as Dr Leona Black is made aware of a data breach. This will be within 72 hours.
- Schools and parent/carers will be contacted within a reasonable time frame as soon as Dr Leona Black is made aware of a data breach.
Please be aware that once the report is sent to the school, it is then their responsibility to protect the document using their own GDPR policy.
Please be aware that once the parent / carer has received the report it is then their responsibility to look after it or share it as they see fit.
How long is the information kept for?
Data retention schedule
- All hand written notes from observations and the consultation with parent / carers and / or school staff will be shredded after the report is completed because all of this information is in the report itself.
- All paper copies of assessment materials used and school focus forms will be destroyed after the involvement and report has been completed because the information is in the report itself.
- All electronic copies of reports will be deleted after 10 years from the final date of my involvement with the child / young person.
- All parent / carer signed consent forms will be destroyed after 5 years from the final date of my involvement with the child / young person.
- In the event of the data controller’s death or ceasing to trade in educational psychology services, all data will be deleted by a trusted third party who has DBS clearance.
How can collected information be viewed, deleted or changed?
Subject Access Request Procedure
- Should a subject request information on the data held about them, then they can request this by contacting the Data Protection Officer (Dr Leona Black) within the limitations of the data retention schedule.
- Additional verification that you are who you say you are may be asked for to process this request. Personal information may be withheld to the extent permitted by law. In practice, this means that information may not be provided if it is considered that providing the information will violate the child or young person’s vital interests
- If you want to have your data removed, a decision will need to be made as to whether it should be kept. If it is decided that the data should be deleted, it will be without undue delay. Information will only need to be kept if there is a child protection concern, if the data may be needed for demonstrating professional accountability and defending legal claims or it is requested by law.
- If it is decided that the data should be deleted, it will be without undue delay. This will be all reports held electronically and consent forms shared.
Complaints
- Any complaints should first be directed to Dr Leona Black to resolve. If unsatisfied, then please contact the ICO.
Date of current policy and review period
- Data policy created April 2018
- Data policy amended April 2023
- Data policy will be next reviewed in April 2024