Data Protection and Privacy Policy

Newbury Child and Adolescent Psychology Clinic (NCAPC) aims to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected. This policy describes the information that NCAPC collects when you use our services. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 [and the subsequent UK Data Protection Bill that is expected to be enacted in 2018]. The policy describes how we manage your information when you use our services, if you contact us or when we contact you. NCAPC uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, NCAPC is the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information. If your questions are not fully answered by this policy, please contact our Data Controller (Dr Lucy Willetts – info@lucywilletts.co.uk; 07825 466874, or see our Contact page). If you are not satisfied with the answers from the Data Controller, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk.

1. Why do we need to collect your personal data?

We need to collect information about you and your child so that we can:

  • a. Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest.
  • b. Deliver services to you and your child. The legal basis for this is the contract with you.
  • c. Process your payment for the services. The legal basis for this is the contract with you.
  • d. Contact you in case there is a problem with your service. The legal basis for this is a legitimate interest.

2. What personal information do we collect and when do we collect it?

For us to provide you with services, we need to collect the following information:

  • a. Your name and your child’s name.
  • b. Your contact details including a postal address, telephone number(s) and electronic contact such as email address.
  • c. Your child’s date of birth.
  • d. Your health insurance details if appropriate.
  • e. Clinical information (your child’s presenting problem, clinical observation, education and health history, life events, family and social network).

3. How do we use the information that we collect?

We use the data we collect from you in the following ways:

  • a. To communicate with you so that we can inform you about your child’s appointments with us. We use your name, your contact details such as your telephone number, email address or postal address.
  • b. To create your invoice or an invoice to your health insurance company. We use your name, your child’s name, your child’s date of birth, your email address, telephone number and postal address.
  • c. To create a clinical report for you and/or for your health care provider about your child. We use your child’s name, date of birth, and postal address and clinical information.

4. Where do we keep the information and for how long?

We keep your information in the stores described below.

4.1.

We use our work computers/laptops, an encrypted USB storage device and/or iCloud Drive to store the following information:

  • a. Referral form. This includes your name, your child’s name, your child’s age, your contact details and basic clinical information that you share with us at our first telephone contact with you.
  • b. Patient information sheet. This includes your name, your child’s name, your child’s age, your contact details, and your health insurance details (if appropriate).
  • c. Referral letter from your health care provider (if this exists).
  • d. Clinical reports.
  • e. Invoices.

The computers are password protected and the hard drives are encrypted. Passwords are changed every 90 days and it is company policy that passwords are not shared. The USB storage devices are password protected and encrypted. We use two-factor authentication to access iCloud Drive.

We are required to retain the above information about your child for 7 years beyond your child’s 18th birthday. All data is deleted from our computers no later than 6 months following the completion of therapy and is stored on an encrypted USB storage device and/or iCloud.

4.2.

We use Google Drive to store the following data:

  • a. Referral form.
  • b. Patient information sheet.
  • c. Referral letter from your health care provider (if this exists).
  • d. Child’s name on our diary system.

We use two-factor authentication to access Google Drive. We delete all the above information on Google Drive no later than 6 months after the completion of therapy.

4.3.

We store the following data as a paper copy:

  • a. Clinical information (our notes)
  • b. Clinical reports
  • c. Patient information sheet
  • d. Referral letter
  • e. Referral form
  • f. Contract. We ask you to sign a contract when you decide to access our services.
  • g. Invoices.

We take handwritten notes when we meet you (a.). These notes are used to create the report that we provide to you. We keep a paper copy of your notes and the above documents in our locked filing cabinets. These are located at our administrative bases.

We are required to retain the above information about your child for 7 years beyond your child’s 18th birthday. All data is deleted from our computers no later than 6 months following the completion of therapy and is stored on an encrypted USB storage device and/or as a paper copy in our locked filing cabinets.

We keep either electronic or paper invoices for 7 years as this is the required length to comply with the HMRC requirements. After 7 years we delete the invoices.

5. Who do we send the information to?

We send your clinical report to you and, only with your permission, to your health care provider (e.g. GP). All reports that are sent electronically are sent as attachments that are password protected. The patient information sheet and date of appointments will be sent to our medical billing company, Nightingales. This information will be sent via email as a password protected document.

You can make a subject access request (SAR) by contacting the Data Controller (Dr Lucy Willetts). We may require additional verification that you are who you say you are to process this request. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your child’s vital interests.

6. What if my information is incorrect or I wish to be removed from your system?

Please contact the Data Controller. We may require additional verification that you are who you say you are to process this request. If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information.

7. How can I have my information removed?

If you want to have your data removed we have to determine if we need to keep the data for any reason. HMRC may wish to inspect our financial records and we are required to keep these for 7 years. Clinical notes regarding a child must be kept for 7 years following their 18th birthday (as per guidance from Information Governance Alliance – Records management code of practice for health and social care (2016)). However, if we decide that we are able to delete the data, we will do so without undue delay.

8. Will we send emails and text messages to you?

As part of providing our service to you we will send your report to you via email. The report will be password protected. Also, as part of this service, we need to send details of your appointments to you. We will do this via email but will only include your child’s first name and will not include other identifiable information (e.g. date of birth). We will not send emails to you that include sensitive clinical information about your child. If we need to send this type of information to you, we will do so via a password protected attachment. We would encourage you not to send us sensitive clinical information about your child via email unless you do so via a password protected attachment. For example, we require you to complete a patient information sheet and return this to us prior to your child’s assessment. We would encourage you to send this to us as a password protected attachment.

If we are in receipt of any sensitive clinical information about your child via email, we will download this to our computer, an encrypted USB storage device or retain a paper copy that will be stored in a locked filing cabinet and delete the original email.

Last updated 24 April 2018
