Sensitive (Special Category) Data Retention Policy

Protecting Your/Your Child’s Information

Your Integrated Treatment Services therapist works in accordance with professional guidelines from the Royal College of Speech and Language Therapists, The Health and Care Professionals Council and The Association of Speech and Language Therapists in Independent Practice. Your therapist also abides by the laws of The Data Protection Acts 1998 and 2003 and the General Data Protection Regulations (GDPR) 2018.

The name and address of the Data Controller for Integrated Treatment Services is:

Sarah Davis, Integrated Treatment Services, Brooklyn House, 44 Brook Street, Shepshed, LE12 9RG. The Data Controller will be registered with the Information Commissioner’s Office (ICO) from May 2018 as required by law.

Information/data can include:

  • The consent form that you have signed to give us consent to see you or your child – by providing your contact information you are giving us consent to contact you with regards to the service we are providing should we need to. You are also consenting to us processing the resultant data in line with the the conditions for processing of special category / sensitive data as listed in Article 9(2) of the GDPR.
  • Any reports that have been written about you or your child.
  • The notes that are written at the end of each therapy session.
  • Any reports or information regarding you or your child that you have shared with ITS or other professionals have shared with us.
  • Any emails sent or received regarding you or your child – emails will only be sent to the school, the therapist or yourself – no third parties are involved. The email system (GSuite for business) is secure and compliant with GDPR.
  • Your contact details and email address (This is shared with our accounting company ‘MNE accounting’ and their proprietary software providers Xero accounting and Stripe Payments are purely for the purposes of invoicing.
  • Any payment information eg credit card is not held by Integrated Treatment Services.
  • Any photographs you have provided for us to make individualised resources for you child. These are made with software provided by a company called ‘Boardmaker’.
  • Your telephone number may be stored on your named therapist’s mobile phone under ‘parent of (child’s first name) or your name’, this phone is password protected.

Why does your therapist collect and store this information?

Any information gathered is done so with your child’s best interests in mind so that Integrated Treatment Services can provide an efficient and effective service.

Your therapist has legal and professional obligations to keep accurate records relating to any treatment they provide.

The information gathered will be relevant and not excessive; adequate to meet the specified purpose of providing a good quality service for your child.

How long will the information be kept for? The Royal College of Speech and Language Therapists (RCSLT) provide guidelines stating that it is good practice to ‘retain records for children and young people: up until their 25th birthday, or, until their 26th birthday if 17 at conclusion of their treatment’.

The RCSLT also advise that records are disposed of according to legal requirements and local policy as appropriate. Recent law: General Data Protection Regulations (GDPR) 2018 states that ‘personal data should not be kept in a form which permits identification of data subjects (child and parent) for longer than is necessary’. The GDPR also states that the data subject (child/parent) has the right to request erasure of personal data/information concerning him. Integrated Treatment Services must comply with this request if the data is no longer necessary in relation to the purposes for which it was collected if there are no overriding legitimate grounds for storing the data/information.

Integrated Treatment Services will destroy your child’s information after their 25th birthday, or their 26th birthday if 17 at conclusion of their treatment’. In the case of adults we will destroy your information 6 years after your last therapy input.


What are the conditions for processing special category data?


The conditions are listed in Article 9(2) of the GDPR:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by  the data subject;

(f)  processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i)  processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j)  processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Some of these conditions make reference to UK law, and the GDPR also gives member states the scope to add more conditions. The Data Protection Bill includes proposals for additional conditions and safeguards, and we will publish more detailed guidance here once these provisions are finalised and passed into UK law.

Integrated Treatment Services have elected to process SPECIAL CATEGORY DATA under section h) as stated above

Security

The security provisions taken by Integrated Treatment Services are listed below:

  • Case note – all notes are held electronically within a secure Google Drive cloud based system and only accessible by the named therapist and the data controller and her deputy.
  • Parents telephone numbers / address – this data is held securely within the accountancy database and the google drive record of your consent form
  • Laptops and mobile phones used are password protected and the GSuite service has two factor authentication in place
  • Reports are written and stored within the cloud based system Google Drive. Passwords are not stored on the same device as the reports. Printed, reports are deleted from the laptop when it is considered appropriate to do so (not retained longer than necessary).
  • Historical paper files and notes are securely locked away in fire proof and locked cabinets at the administrative office
  • Information sent by email is limited to what is absolutely necessary. For example, where possible a child’s first name or initials only will be used and Integrated Treatment Services will send reports to you either by secure email or hard copy in the post – you can express your permission for either option on the consent form
  • Some parents are happy to scan reports from other professionals and email them to Integrated Treatment Services. Please be aware that this is done at your own risk and consider the sensitivity of the information you are sending before deciding to do so.