GENERAL DATA PROTECTION REGULATION (GDPR)
The Principles of GDPR require that TeentalkScotland (TTS) keep all client personal information safely and securely and that the sole use of that information is expressly for the purpose that it was provided to us for.
We are fully aware of, and compliant with, current data protection regulation, including the General Data Protection Regulation (EU/2016/679) (the GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Your privacy and security are important to us. We are committed to being responsible and sensitive in the handling of your personal information. We aim to be concise, transparent, intelligible and easily accessible. Our policies and procedures are written in clear and plain language, particularly if addressed to a child, and should support you to make informed choices.
About Us: –
TTS is a private Limited company registered at 20 Alpin Drive, Dunblane, United Kingdom, FK15 0FQ. Company number is SC607772. Directors are Gwen Murray: BACP Reg No: 79264, and Julia Nimmins: BACP Reg No 83951. We are ICO Registered, ICO Registration Number CSN0641097. Sole traders are qualified Counsellors, Art Therapists, Drama Therapists and Play Therapists providing therapy within primary and secondary schools.
If you have any queries about this privacy notice or about any aspect of our data management, please contact our Data Protection Lead at email@example.com. We will update this privacy notice regularly to ensure it continues to comply with the latest regulations and best practice. This privacy notice was last amended on 17th February 2021.
How we use your information: –
We receive referrals from pupil support teachers within the school who gain consent from the pupil for their information to be shared with us on our referral form. Information we receive includes name, date of birth, address, school, GP details, telephone number, reason for referral and if parents are aware of referral.
The capacity to give consent is determined by the Age of Legal Capacity (Scotland) Act 1991. In Scotland there is no specific age when children and young people are considered able to give consent. Instead those under the age of 16 may give consent where, in the opinion of the qualified practitioner assessing the client, they are capable of understanding the nature and possible consequences of the therapy. Legislation ensures additional safeguards are in place when a person aged under 18 is receiving treatment in relation to their mental health.
TTS ensures that all Therapists and Counsellors work where possible with a young person to involve their parent/caregiver in the therapy. Our work, after all, is about supporting and improving communication and relationships.
All referrals are stored in a locked filing cabinet within the school. This enables us to efficiently store any information about our clients in a way that ensures adequate security and only allows people who have the right level of authority to access personal information. It also simplifies our responsibilities for data retention and subject access requests. Records of sessions are always anonymised and stored separately from referral forms.
While Counselling is being accessed:
Everything discussed with us is confidential. That confidentiality will only be broken if there is a Child Protection risk where the child or young person (client) or someone else is at risk of coming to harm. We will always try to speak to the client about this first, unless there are safeguarding issues that prevent this. We will keep a record of each client’s personal details to help the Counselling services run smoothly. These details are kept securely in a locked filing cabinet and are not shared with any third party. We will keep written or typed notes of each session; these are kept in a locked cabinet or saved on an encrypted, password-protected device.
For security reasons we do not retain text messages for more than one day. If there is relevant information contained in a text message, we will copy the content into our client notes. Likewise, any email correspondence will be deleted after two weeks, if it is not important. If necessary, we will print and store message content with the confidential referral form. Once Counselling has ended your records will be kept for seven years from the end of our contact with each other and are then securely destroyed. If you want me to delete your information sooner than this, please tell me.
Our GDPR policy is available on our website.
Sharing your information: –
At the beginning of therapy on the referral form there is a Confidentiality and Information Sharing part to be completed which states: “I understand the limits of confidentiality: that the Counsellor will not share my information with any other individual or agency unless he or she has spoken to me about it first or unless I or someone else is at risk of harm. The Counsellor will always put my interests first and will keep me informed of any information shared”. This will be signed and dated usually with the referring teacher and revisited with the Counsellor during the first appointment.
Job Applicants, current and former Sole Traders: –
We will not share any information you provide during the application process with any third parties for marketing purposes. The information you provide will be held securely by us or our data processors, whether the information is in electronic or physical format. We may use third parties to help us find the right candidates. This includes Indeed and S1 Jobs. We will use the contact details you provide to contact you to progress your application and for no other purpose. We will use the other information you provide to assess your suitability for the role you have applied for. You do not have to provide the information we ask for, but it might affect your application if you don’t. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary (this is currently a 6-month period for unsuccessful candidates).
If we make a conditional offer of work, we’ll ask you for information so that we can carry out pre-checks. You must successfully complete these checks to progress to a final offer. We are required to confirm the identity of sole traders and their right to work in the UK, and to seek assurance as to their trustworthiness, integrity and reliability. Refer to the government’s guidance on right to work checks at https://www.gov.uk/check-job-applicant-right-to-work. Therefore, you must provide: proof of your identity – we’ll ask you for original documents and will take copies; proof of your qualifications – we may ask you for original documents and will take copies. We will contact your referees directly, using the details you provide in your application, to obtain references.
If we make a final offer, we will also ask you for the following: bank details – to process salary payments; emergency contact details – so we know who to contact if you have an emergency at work.
If you accept a final offer from us, some of your personnel records will be held on our internal HR records system. During your work as a sole trader we may need to share your information with third party processors who provide elements of our ongoing employment service, that is employment law advice and payroll. We have contracts in place with all of our third-party processors. This means we have restricted what they can use your information for and who they can share it with. They hold it securely and retain it for the period we instruct. The information you provide will be retained as part of your employee file for the duration of your employment and for six years afterwards. Please be aware that some information may be kept for longer if there is a legal reason to do so.
Audit and regulatory requirements: –
We may share any data about our operations with: our Auditors, Councils, HMRC – see the HMRC personal information charter, the Charity Commission – see the Charity Commission personal information charter, the Information Commissioner’s Office – see the ICO privacy notice, Companies House – see the Companies House personal information charter and other regulatory bodies, should this be necessary to complete our statutory audit and regulatory requirements. We use several law firms to provide advice and guidance on a range of topics and we may share personal data with them at times. We ensure that we have appropriate data protection agreements with them.
We may use text communication from our work phones to arrange appointments with clients. It is made clear from the first appointment that this is not an emergency service and the phone is only turned on during office hours 9 – 5pm. We use the service to send text appointments to the mobile phones of clients and clients’ parents. Responses can be sent and received using the service. This service will be used to communicate with clients to keep the business running in certain circumstances (e.g. in response to severe weather conditions or COVID-19 outbreak).
Complaints and queries: –
We try to meet the highest standards when collecting and using personal information, and we take any complaints about this very seriously. We encourage you to let us know if you think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures. This privacy notice does not provide exhaustive details of all aspects of our collection and use of personal information. However, we’re happy to provide any additional information or explanation needed. Please send any requests for this to our Data Protection Lead – firstname.lastname@example.org. If you want to make a complaint about the way we’ve processed your personal information, you can contact the ICO as the statutory body which oversees data protection law – see ICO concerns.
Your rights: –
Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), you have rights as a data subject which you can exercise in relation to the information we hold about you. You can read more about these rights on the ICO’s website.
Access to your information: –
We try to be as open as we can in terms of giving people access to their personal information. You can find out if we hold any personal information about you by making a ‘subject access request’ under GDPR. If we do hold information about you, we will: give you a description of it, tell you why we are holding it, tell you who it could be disclosed to, let you have a copy of the information in an intelligible form. If you agree, we’ll try to deal with your request informally, for example by providing you with the specific information you need over the telephone. Please be aware that we may withhold information from you or provide you with redacted documents in line with exemptions in appropriate legislation.
Correcting mistakes: –
You can ask us to correct any mistakes in any factual information we hold about you, such as your address, date of birth, contact details etc.
The GDPR also gives you the right to have the data we hold about you deleted in some circumstances. This is called the ‘right to erasure’ or the ‘right to be forgotten’. The right applies in the following circumstances: we no longer need your data; you originally provided consent and have now withdrawn consent; you have objected to the use of your data and your interests outweigh ours; we have collected your data unlawfully; we have a legal obligation to erase your data. Please be aware that we are unlikely to delete financial transactional data, core membership data, declarations you have made to us or any conduct-related information that is being retained in the public interest.
Making a request:
If you would like to exercise your above rights, please contact our Data Protection Lead at email@example.com with details of your request.
Disclosure of personal information: –
In most circumstances we will not disclose personal data without consent, but there are circumstances where we might do so. The list below provides some scenarios in which we may disclose personal data. Please be aware that this is not a complete list but serves as an example.
When we investigate a complaint, we will need to share personal information with the individuals or organisations involved. We may share data with other regulatory bodies or associations that you are a member of. During our applications process, or any assessments we undertake, we collect personal data about individuals. If we are concerned about unsafe practice, we may share that data internally within TTS so appropriate action can be taken. We will share personal data with external legal professionals if we need legal advice. We may share personal data with law enforcement agencies or government departments where appropriate. We will only share information that we consider to be necessary and proportionate.
Data security: –
We recognise that the information you provide may be sensitive and we will respect your privacy. This means we store it securely and control who has access to it. We sometimes share personal data with third parties where we have contracted them to carry out specific tasks for us. In such cases we carefully select which partners we work with. We take great care to ensure that we have a contract with the third party that states what they are allowed to do with the data we share with them. We will only share personal data with other organisations where we are satisfied that the other organisation is entitled to receive it. Where relevant, we carry out due diligence checks on other organisations and ensure we have appropriate data protection agreements in place. We’re committed to holding all personal data on secure systems. We keep any paper-based personal data in locked cabinets to which only appropriate staff have access. We monitor email and filtering on an ongoing basis