We are aware that we are dealing with information which is personal and sensitive to you. We are keen to ensure that this is kept safely and you are aware of what happens to the information that you give us.
What information do we collect?
In order for us to accurately assess and treat your child, we ask you to provide us with some background information about their development, relevant medical history, concerns you may have about your child and what support is currently in place. Alongside this we ask for their date of birth along with relevant contact details. This may include details of their school, if this is deemed appropriate.
During our assessment we will record our observations and complete a variety of tests (applicable to your child’s perceived therapeutic needs). If you provide us with written consent, we may also take a photo of your child’s pencil grasp and sitting posture whilst writing.
How do we store this?
Handwritten information and copies of reports are kept securely in a locked filing cabinet. Whilst the case is active, reports/emails are also stored on a laptop which is backed up by online backup software and an encrypted storage device. When your case is no longer active, we delete the information on the laptop and it is kept on the encrypted storage device.
How long do we keep it?
Currently health records need to be kept until your child reaches 25 years of age. If your child is 17 when we first assess them, then we will keep the records until they reach 26 years of age. At this stage the records will be destroyed.
Do we share your information?
We do not share your information unless we have your written consent to do so and we will contact you on each occasion. This is part of the initial contract that we make with you. If we receive your consent, then there are occasions when we will send the report and relevant advice to the school.
Following assessment, we will email you a draft copy of our report. This will be password encrypted and a password will be arranged individually with you. Once you have agreed the report and we have received payment, then we will email you with a finalised encrypted report. If you would prefer to have this report sent by post then this is also possible.
If you want to access your records?
There is a procedure in place if you would like to see our notes and reports held on file about your child. This is compliant with procedures recommended by the Royal College of Occupational Therapists and ICO.
We are members of ICO and have processes in place to be GDPR compliant.
Hands Up Data Breach Policy
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
Recital 85 of the GDPR. Source: ICO
As Controllers of your and/or your child’s data, we have responsibilities to use and store data lawfully.
Unforeseen circumstances may arise where a breach of the controls we have set in place occurs. Examples may be that emails, with or without attachments are sent incorrectly; information may be disclosed to third parties without your consent; data may be deleted prematurely.
Some personal data breaches may not lead to risks beyond possible inconvenience to those who need the data. However, other breaches can significantly affect individuals whose personal data has been compromised.
We view all these potential risks seriously and in the event of any compromise of data relating to you or your child, we will act in the following manner:
- You will be informed of any breaches involving your data within 72 hours.
- Immediate steps will be taken to “contain” the breach, ie to ensure the data is not further viewed, stored or used without your consent.
- Serious breaches will be reported to the ICO within 72 hours. An example may be a laptop being stolen or accessed unlawfully.