Linda Coyle assumes the function of data controller and supervises the compliance with General Data Protection Regulation (GDPR) within the business. This document covers the following:
- Information I collect
- Where I get my information
- How I use the information I collect
- Information I share
- How long I keep your data.
- How and when consent is obtained
- How I protect your data
- Protecting your rights to data
- Security of your personal data
1. Information I collect
Linda Coyle holds personal data as part of conducting a professional service. The data falls under the following headings: healthcare records, educational records, clinical records, general administrative records, and financial records.
1.1 Healthcare records
A healthcare record refers to all information collected, processed and held both in manual and electronic formats pertaining to the service user and their care. Speech and language problems can be complex, and a wide range of information may be collected in order to best meet the needs of the client, and to maintain a high quality service which meets best practice requirements. In order to provide a high quality service, a range of information may be collected.
Examples of data collected and held on all current and active clients include the following:
- Contact details: Name, address, phone numbers, e-mail address.
- Personal details: Date of birth.
- Other contacts: Name and contact details of GP and any other relevant healthcare professionals involved.
For child services:
- Parent/guardian details
- Description of family
- Educational placements
- Pre- and post-natal history: This includes information relating to mother’s pregnancy, in addition to the child’s birth.
- Developmental data: developmental milestones, feeding history, audiology history.
- Medical details: any relevant illnesses, medications, and relevant family history.
- Reports from other relevant allied health professionals such as: Audiology, Psychology, CAMHS (Child & Adolescent Mental Health Services), Occupational therapy, Physiotherapy, Ophthalmology.
For adult services:
- Medical history
- Employment/vocational history
- Educational background
- Social history: including past and present social relationships.
- Past developmental history: For example, history of reading difficulties.
- Mental health
- Significant life events: accidents, loss, or any event which has had a marked impact on the individual.
1.2 Educational records
For child services:
Relevant Individual Educational Plans (IEPs), progress notes from educational staff and school reports may be held.
1.3 Clinical records
Specific data in relation to communication skills may be collected and held, such as assessment forms, reports, case notes, e-mails, text messages and transcripts of phone. Audio and video files may also be collected and stored.
1.4 General administrative records
Linda Coyle may hold information regarding attendance reports and accident report forms.
1.5 Financial records
A financial record pertains to all financial information concerning the practice, e.g. invoices, receipts, information for Revenue. Linda Coyle may hold data in relation to: on-line purchasing history, card payments, bank details, receipts and invoices. Information will include name of bill payer, client name, address and record of invoices and payments made.
2. Where I get my information
Personal data will be provided by the client, or in the case of a child (under 16 years), their parent(s)/guardian(s). This information will be collected as part of a case history form prior to, or on the date of first contact.
Information may also be provided directly from relevant third parties such as schools, medical professionals and allied health professionals, with prior consent from the parent(s)/guardian(s).
3. How I use the information that I collect
I use the information I collect to provide assessment and therapy as per the relevant professional guidelines, as well as to maintain the general running of the business, such as running my electronic booking system, keeping my accounts and updating you of any changes in policies or fees.
Information may also be used for research purposes, with the written consent of the client or parent/guardian.
4. How long I keep your data
4.1 Clinical Records
Linda Coyle keeps both physical and electronic records of clinical data in order to provide a service.
- Clinical data is stored in both paper and electronic forms.
- Clinical data is deleted/confidentially destroyed after 2 years from last invoiced session. (Usually post discharge).
- Clinical data used for research purposes, may be kept for longer than 2 years, but only if explicit consent has been given.
- Video records/ voice recordings relating to client care/videoconferencing records may be recorded with consent, analysed and then destroyed.
- If written consent is provided to use recordings for training purposes, the client will have the option to withdraw consent at any time.
4.1.1 Clinical Records for medico-legal services
- Clinical records related to medico-legal services will be kept until i) there has been written confirmation that the case has been settled, and/or ii) there is a specific request by the client or their legal representative for the data to be destroyed.
4.2 Financial Records
Linda Coyle keeps electronic records of financial data from those who use her services.
Section 886 of the Direct Tax Acts states that the Revenue Commissioners require records to be retained for a minimum period of six years after the completion of the transactions, acts or operations to which they relate. These requirements apply to manual and electronic records equally.
- Financial Data is kept for 6 years to adhere to Revenue guidelines.
- Financial Data (including non-payment of bills) can be given to Revenue at Revenue’s request.
4.3 Contact Data
Contact Data is kept for 6 years to allow processing of Financial Data if required. This may be retained for longer for safety, legal request, or child protection reasons.
If under investigation or if litigation is likely, files must be held in original form indefinitely, otherwise files are held for the minimum periods set out above.
5. Information I share
I do not share personal information with companies, organisations and individuals outside of my business unless one of the following circumstances apply:
5.1 With your consent:
I will only share your Personal Identifying Information (PII) to third parties when I have express written permission by letter or email to do so. I require opt-in consent for the sharing of any sensitive information.
Third parties may include: Hospitals, GPs, other allied health professionals, educational facilities.
5.2 For legal reasons:
I will share personal information with companies or organisations outside of Linda Coyle’s services if disclosure of the information is reasonably necessary to:
- Meet any applicable law, regulation, legal process or enforceable governmental request.
- Meet the requirements of the Children First Act 2015.
- To protect against harm to the rights, property or safely of (name of business), our service users or the public as required or permitted by law.
5.3 To meet financial requirements
Linda Coyle also is required to share Financial data with her accountant in order to comply with local tax laws. Linda Coyle has obtained a copy of her accountant’s own data protection policy.
5.4 For processing by third parties/external processing
The following third parties are engaged for processing data:
|Who||Type of data||Purpose||GDPR compliant?|
|Accountant||Financial||Processing financial accounts||Yes|
Getting basic client information
5.4.1 Transfer of personal data outside the European Economic Area (EEA)
In certain instances, personal data may be transferred outside the EEA, e.g. to the US or other countries. This would be for specific purposes such as web-based appointment scheduling. In such instances, Linda Coyle will use third parties which meet the privacy standards of GDPR.
Companies which Linda Coyle uses are:
|Name||Type of Data||Purpose||GDPR compliant?|
|Client contact details.|
Basic client information,
inputted by client directly.
6. How and when I obtain consent
If appointments are not arranged through the online booking system, then prior to the initial assessment or consultation, a copy of the data protection policy will be provided to clients. Prior to the appointment, specific consent needs to be provided by either completing a consent form, or acknowledgement in writing by e-mail or written correspondence.
Should a client wish to withdraw their consent for data to be processed, they can do so by contacting Linda Coyle.
7. How I protect your data
In accordance with the General Data Protection Regulation (GDPR), I will endeavour to protect your personal data in a number of ways:
7.1 By limiting the data that we collect in the first instance
All data collected by me will be collected solely for the purposes set out at 1 above and will be collected for specified, explicit and legitimate purposes. The data will not be processed any further in a manner that is incompatible with those purposes save in the special circumstances referred to in section 5.1. Furthermore, all data collected by me will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected which include, inter alia, the assessment, diagnosis and treatment of speech, language and communication disorders.
7.2 By transmitting the data in certain specified circumstances only
Data will only be share and transmitted, be it on paper, electronically or over the phone, only as is required, and as set out in section 3.
7.3 By keeping only the data that is required,
when it is required and by limiting its accessibility to any other third parties.
7.4 By disposing of/destroying the data once the individual has ceased receiving treatment
Within 2 years of the completion of this treatment apart from the special categories of personal data as set out in section 4 above. Where data is required to be held by me for longer than the period of 2 years, I will put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These may include measures such as the encryption of electronic devices, pseudonymisation of personal data, and/or safe and secure storage facilities for paper/electronic records.
7.5 By retaining the data for only as long as is required
which in this case is 2 years except for circumstances in which retention of data is required in circumstances set out in section 4above or in certain specific circumstances as set out at Article 23(1) of the GDPR.
7.6 By destroying the data securely and confidentially after the period of retention has elapsed.
This would include the use of confidential shredding facilities or, if requested by the individual, the return of personal records to the individual.
7.7 By ensuring that any personal data collected and retained is both accurate and up-to-date.
8. Protecting your Rights to Data
8.1 Adult clients
Adults have the right to request data held on them as per article 15 of GDPR. A request must be made in writing. Further information regarding accessing your personal data are available in the document ‘Rights of Individuals under the General Data Protection Regulation’, downloadable from: www.gdprandyou.ie
For children under the age of 16, data access requests are made by their guardians. When a child turns 16, then they may make a request for their personal data. However, this is subject to adherence with the Children First Act.
Linda Coyle, as with most providers of healthcare services, is aware of the need for privacy. As such, I aim to practice privacy by design as a default approach, and only obtain and retain the information needed to provide you with the best possible service.
All persons working in, and with Linda Coyle in a professional capacity are briefed on the proper management, storage and safekeeping of data.
All data used by Linda Coyle, including personal data, may be retained in any of the following formats:
- Electronic Data
- Physical Files
The type of format for storing the data is decided based on the format the data exists in. Where applicable, Linda Coyle may convert physical files to electronic records to allow her to provide a better service to clients. Linda Coyle understands that the personal data used in order to provide a service belongs to the individuals involved. The following outlines the steps which Linda Coyle uses to ensure that the data is kept safe.
9.1 Electronic Data
Storage systems for holding electronic data have been reviewed in order to ensure optimum security. Should you require more details regarding this, please contact me at firstname.lastname@example.org.
E-mail providers have been reviewed to ensure adherence with GDPR requirements. Please contact me should you require further information.
9.2 Physical Files
All physical data is located in my office. Only Linda Coyle, and persons assigned to provide administrative support to Linda Coyle’s services have access to these records. These records are kept in a container secured with a lock and key.
9.3 Security Policy
Linda Coyle understands that requirements for electronic and physical storage may change with time and the state of the art. As such, Linda Coyle, the data controller reviews the electronic and physical storage options available to Linda Coyle’s every year.
All physical devices used by Linda Coyle which may contain any identifiable PII have encryption software or remote wipe software enabled.
Linda Coyle is aware and reviews the requirements for good data hygiene every year. This includes, but is not limited to:
- Awareness of client conversations in unsecure locations.
- Enabling auto-lock on devices when leaving them unattended, even within Linda Coyle’s office.
- Use of non-identifiable note taking options. (initials, not names).
Any data breaches will be reported to the appropriate authorities within 72 hours of a data breach.
Date of document:
Review Date: May 2019
Speech & Language Therapist, MA, BSc, MIASLT, MISTI.