Shropshire Autism Service Ltd Privacy Notice
(Version 1 - June 2019)
This notice has been written for children, as they are the main users of our service and should be involved in decisions about sharing personal data with us. Parents should also read this notice as they tend to make referrals for their children and because they are sometimes responsible for exercising their child’s data protection rights on their behalf (e.g. if the child is young).
Shropshire Autism Service Ltd collects and uses personal data about you. Personal data is any information that identifies you. You have a right by law to be informed about why we use your data and how we process it. It is important that you understand the risks and implications of sharing information with us, as well as the security measures we have in place to protect your privacy. You can then decide if you want to share personal data with us.
This notice describes what information we collect about you, where we get it from, what we use it for and how we store it. It also lists your data protection rights. If you have any questions about our processing of data, please phone Dr Lisa Williams on 0300 303 0667 or you can contact us via our contact form.
What type of information do we have?
We currently collect and process the following data about you:
- Your contact details
- Summary of each contact we have with you
- Clinical information relevant to our assessment and/or therapeutic work
- Details of payments you have made for services
- Information about how you use our website
How do we get the information and why do we have it?
Most of the data we get about you is provided directly by you or your parents. We also sometimes need to speak to other people who know you, such as teachers or social workers. We collect this information so that we can provide the service you have asked for (or advise you about available services). This is known as a “contractual obligation” under law and this allows us to process your personal data legally.
There are some situations when a contractual obligation is not the most appropriate lawful basis for processing; for example ‘contracts’ with older children may not be valid. We therefore rely on a different reason to process your data, which is known as “legitimate interests”. This means that there is a benefit to the processing that justifies any impact. More often than not, the benefit is that you get the help or support that has been recommended by a healthcare professional.
We take on extra responsibility for protecting your rights when using legitimate interests as the lawful basis.
We process data related to your health. This is known as “special category data” because it is highly sensitive and requires more protection, so we are required by law to identify a further condition for collecting information about you. Under law, we can process this information because it is necessary for the provision of health care and treatment.
What do we do with the information we have?
We use the information that you have given us in order to:
- Contact you about our services
- Provide you with services
- Maintain accurate and identifiable clinical records
- Create written reports
- Generate invoices and record payments
- Improve the usefulness of our website
- Improve our practice through clinical supervision
We may share personal information about you with other professionals, such as your GP. Your permission would be obtained before we did this. The only exception would be if we were worried about your or another person’s safety, in which case we can share information without your permission.
Our clinical supervisors and accountant will also see some information. This is on a need-to-know basis; so our accountant, for example, will only see your postal address that is recorded on invoices.
How do we store your information?
Your personal data is stored securely on a number of different systems:
|Storage|Type of information|Retention period|
|---|---|---|
|Secure cloud-based computing software (accessed on company smartphones and laptops only)|Emails and calendar – minimal personal data will be transmitted or stored in this form; Clinical records and reports (backup)|Relevant information will be extracted and put in clinical record and then the email will be deleted or entry anonymised (and the record removed from the system within 180 days of this); Copy will be kept until the child’s 25th birthday – or 26th birthday if child was 17 when contact ended – or eight years after death (and the record removed from the system within 180 days of this)|
|Encrypted company smartphones|Contact details and log; Text messages and voicemails – minimal personal data will be transmitted or stored in this form|Entry will be deleted once contact is complete; Relevant information will be extracted and put in clinical record and then the message will be deleted|
|Encrypted company laptops|Clinical records and reports; Photography and video recordings|Copy will be kept until the child’s 25th birthday (or 26th birthday if the child was 17 when contact ended) or eight years after death; Entry will be deleted once contact is complete|
|Lockable filing cabinets|Handwritten clinical records|Notes will be scanned and uploaded to an encrypted laptop once contact is complete, and the originals destroyed securely; Destroyed securely after report has been written and agreed with family|
|Secure cloud-based accounting software|Invoices and payment record|Copy will be kept for a minimum of six years from the end of the last company financial year|
The security measures that we have in place include:
- Staff training in general security awareness and cyber security
- Policies concerning the use of email and company equipment, and mobile working
- Laptops have encryption and anti-virus software installed, and this software is kept up-to-date
- Use of cloud-based software that is secure
- Backup system for personal data
- Portable equipment, including handwritten clinical records, is stored in locked cabinets, in a locked room/building when not in use
- Secure disposal of personal data
Whilst these security measures will help to protect your personal data, we cannot guarantee that the information you share with us is 100% secure.
What are your data protection rights?
Under data protection law, you have rights including:
- The right to ask us for copies of your personal information
- The right to ask us to rectify information you think is inaccurate, or to complete information you think is incomplete
- The right to ask us to erase your personal information
- The right to ask us to restrict the processing of your information
- The right to object to the processing of your personal data
- The right to ask that we transfer the information you gave us to another organisation, or to you
Some of these rights only apply in certain circumstances. Please contact us on the number or email address above if you would like to make a request. You are not required to pay a fee for exercising your rights, unless the request is excessive, and if you make a request, we have one month to respond to you.
How can I make a complaint?
If there are any issues you would like to discuss in relation to the way we have used your personal data, please contact us. Alternatively, you can contact the Information Commissioner’s Office (ICO). The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Their contact number is: 0303 123 1113.