WMSLT Ltd Privacy notice (updated May 2018)
1 Who we are?
Welcome, we are a team of qualified speech and language therapists working within the independent sector. We use employed staff to provide a service to children and young adults and their families with the aim of improving communication skills, resulting in improved educational social and emotional outcomes. We work within educational settings, clinics and occasionally home settings to provide our services.
The company operates from Park Business Centre, Hastingwood Industrial Park, Wood Lane, Birmingham B249QR. The data controller and officer role is held by the company directors, Helen Langbourne and Michelle Turner who can be contacted at firstname.lastname@example.org
This privacy notice sets forth our policy with respect to information that can be associated with or which relates to a person and/or could be used to identify a person (personal data) that is collected from users through our service provision. The limitations and requirements of this policy relate to our collection, use, disclosure, transfer, storage, and retention of personal data.
3 Data collected
WMSLT initiate the collection of service user data following on from a referral in which either the service user (if 19-25 years) or parent/career of the service user provides written consent. This includes consent to share data with relevant professionals involved In the case management. Service users may also consent to photographic data (single images and video) being collected and should specify how this data can be used, e.g. baseline measure, for training, promotional material etc. This privacy notice can be found on the company website, within the school service level agreement and a condensed notice for service users is printed on the reverse of the consent form.
|Personal data : name, address, date of birth||Obtained at point of referral with written client/ parental consent obtained||To support identification, communication and accurate interpretation of any clinical testing result and resulting clinical diagnosis||Consent|
|Medical/Health data including diagnosis relating to SLCN||Obtained from service users and health authorities with given consent||To support clinical decisions and facilitate appropriate clinical interventions||Consent|
|Statistical Data relating to educational attainment inc EHCP||Obtained from education partners with given consent||To support clinical decisions and facilitate appropriate clinical interventions||Consent|
|SLCN data (qualititative and statistical data)||Obtained regularly throughout service provision||To demonstrate measurable progress, document change and evidence clinical decision making||Consent|
|Familial data , e.g. family history of related conditions||Obtained from service users, and health authorities with given consent||To support clinical decisions and facilitate appropriate clinical interventions||Consent|
|Photographic data (audio, image video)||Obtained with specific consent only via consent form||For use within therapy interventions. To provide evidence of baselines measures and progress made. To use within promotional materials.
To use within training presentations.
4 How we store data
4.1 data from current service users: data may be stored in paper format within folders marked RESTRICTED DATA/ STRICTLY CONFIDENTIAL by the relevant professional involved in the case management. This is particularly the case with written case notes documenting all contacts and non-contact duties in relation to care. It may also include medical and educational correspondence relating to the individual. It is regularly necessary for staff to move data between work locations, service users can be assured that all reasonable measures will be taken to ensure data is consistently stored in secure locations within the work space, in between work stations and not left in an unattended vehicle or accessed in public places. Data is also stored electronically on mobile devices taken between work locations. Data is either stored on GDPR compliant cloud platforms, stored on password protected devices or encrypted memory devices including external hard drives and USB sticks. Additionally, individual documents stored are also encrypted with passwords to ensure security. Photographic data recorded on mobile devices will be processed as soon as it is possible to do so, stored securely and deleted from the mobile device.
4.2 Data from service users no longer receiving a service (discharged): Paper data is securely stored within the company office address and accessible by employed staff only. Any electronic data is transferred to paper files prior to discharge and electronic data is deleted.
5 Access to data. WMISLT is fully compliant with GDPR and service users can access their data by making a written request to the data controller at the company address/email. Service users have to the right to have inaccurate data amended within the guidelines set out by GDPR. Service users may withdraw consent at any time in writing to email@example.com
6 Transmission of Data
6.1 Electronic transmission of data: WMISLT uses GDPR compliant web hosting and email platforms to ensure that the information shared with us and our consenting partners is secure. Documents are password protected and this password will not be contained within the communication in which it is being transmitted. Individual documents should contain the wording RESTRICTED DATA/STRICTLY CONFIDENTIAL and should only be sent to an individual email address not a generic address.
6.2 Transmission of paper data via post is limited, where this occurs, data will be marked CONFIDENTIAL and appropriate measures to ensure its contents cannot be easily removed without intention.
7 Retention of Data
7.1 WMSLT is a provider of SLT services and as such is considered to be in the business of processing data in relation to health and therefore is subject to the legal/regulatory period of retention of data specific to health. This retention period is 7 years beyond the end of care (discharge) or 7 years after the age of 18 years if the data subject is a child when discharged. Following the necessary retention period, data will be securely destroyed.
8.1 WMSLT is committed to maintaining the security and confidentiality of our service user’s data and will therefore conduct regular audits and risk assessments to ensure we remain compliant. A Breach register is maintained and where a breach is likely to result in ‘a risk to the rights and freedom of an individual’ the Information Commissioners Office (ICO) will be informed within 72 hours of the data controller becoming aware. Where the breach is serious, and the risk is high the data subject (service user) will also be informed.
Data Protection Officer: Helen Langbourne/Michelle Turner (Company Directors) firstname.lastname@example.org
ICO reg. no. : ZA009731