EU data protection law (the General Data Protection Regulation, EU Regulation 2016/679, the ‘GDPR’) came into force on 25 May 2018 and replaced the Data Protection Act 1998 in its entirety. Dr Kirsten Krawczyk and Dr Janet Menna (‘the directors’) are committed to protecting and respecting your privacy. This Policy explains how the directors use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data. Personal data is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. This includes contact information that is used to communicate with individuals and organisations, as well as client confidential data collected or generated by the directors. Further information about data protection law can be found by contacting the Information Commissioner’s Office (ICO) at https://ico.org.uk/
Why is personal information collected by the directors?
Personal information is collected to support the directors/practitioners in their assessment and formulation of a child, young person, or family. The specific types of assessment styles employed will vary according to the child/young person’s individual needs and the concerns being explored, as well as the clinician’s professional specialism and theoretical preferences.
The clinicians have a legitimate interest in collecting personal information about a child/young person and, where appropriate, parents/carers. This information is gathered for the purpose of forming a professional opinion or psychological formulation. In so doing, the clinician only collects information that is relevant to the purpose of undertaking that work and the associated reporting and advising.
What personal information is collected?
Personal information is only obtained with written consent from parents/carers/legal guardians.
The clinician will collect personal information including name of the child/young person, date of birth, gender, contact address and telephone number. Psychological assessments often involve the processing of special category data, including information about health, educational achievements, cognitive functioning, personality, interests, and family history.
Personal information about a child/young person may be obtained from a third party including their school/education setting and other professionals/agencies (e.g. health services). This might include school reports and assessment data.
How is the information that has been collected then used and processed?
The information collected is used to form a professional opinion or psychological formulation of the child/young person’s strengths and needs, and advice on appropriate support. This is recorded in a psychological report. Reports and/or letters are predominantly shared with the child/young person’s parent/carer and the school/education setting through end-to-end encrypted email (e.g. Egress). The report may also be shared with other professionals/agencies who are involved with the child/young person with parents’ consent.
How and where is personal information stored and kept safe?
Referral information and consent forms are stored securely in an electronic folder on a password-protected laptop. Paper copies are then destroyed. Paper records (e.g. handwritten notes) are stored in a locked filing cabinet and are destroyed when no longer needed (e.g. when psychological formulation and reports have been completed).
Reports/summaries are stored on an encrypted, password-protected laptop. If transported, the laptop will remain either in a locked environment or in the personal possession of the clinician.
For how long will personal information be stored?
All personal and sensitive data will be stored securely until the child/young person turns 25 years of age. In their 25th year, the electronic folder and any remaining paper records will be deleted/destroyed. Personal data on clients is retained for 7 years, following guidelines from the British Psychological Society, Practice Guidelines, Third Edition, August, 2017.
This data is retained so that the information is available if the client/data subject is re-referred to our service.
Your rights to access personal information
You have the right to access information and/or records that the clinician holds about you. You can make a ‘subject access request’ (SAR) by contacting the Data Protection Officers (Dr Kirsten Krawczyk and Dr Janet Menna) in writing.
Client access to records will be restricted to information about themselves, or a child where they are the parent/legal guardian. Restrictions will apply when disclosure would violate the child/young person’s vital interests.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover administrative costs in responding.
The directors will respond to your subject access request within one month of receipt. Normally, the directors will provide a complete response, including a copy of your personal information within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date received.
Under Article 17 of the GDPR, individuals have the right to have personal information erased. This is known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. In each situation, the directors will have to decide what information should be deleted. This will be based on the protection of the child/young person’s vital interests.
Data Breach Procedure
Any data breaches will be reported to the Information Commissioner’s Office (ICO) and the data subject(s) within 72 hours of the directors becoming aware of the breach.
To contact the directors about anything to do with your personal information and data protection, including to make a subject access request, please use the following details (for the attention of Dr Kirsten Krawczyk and Dr Janet Menna, Data Controllers):
Changes to this Policy
This Data Protection Policy is regularly reviewed. It may be necessary to update or amend this Policy from time to time, for example if the law changes or if the directors’ service delivery changes in a way that affects personal data protection.
Written: June 2022
Review date: June 2023