GDPR Privacy Policy October 2023

I aim to be as clear as possible about how and why I use information about you and your child, so that you can be confident that your privacy is protected. This policy describes how I manage your information when you use my services.

This policy describes the information that I collect when you use my services. This information includes personal information (data) as defined in the General Data Protection Regulation (GDPR) 2016 and the subsequent UK Data Protection Bill, 2018.

The policy describes how I manage your information when you use my service, if you contact me or I contact you. I use the information I collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, I am the data controller for the information that you give to me. My contact details can be found on my website.

If another party (e.g. Social Care or the Police) has requested access to your data I will ask for your consent to share information and outline who they are, what they will do with your data and why I need to provide them with the information. There are two legal bases where I do not need to ask for your consent to share the data with a third party: if there is a risk to your child’s vital interests or if I have a legal obligation to share the data.

The GDPR requires that I identify the legal basis upon which I process your personal data. I shall provide psychological services and all associated activities on the basis of:

My contract with you

My legitimate interest to hold and process your personal data so I can determine whether it is appropriate for me to provide services to you.

What is meant by ‘The Contract’?

When an assessment or consultation is requested, the client is asked to read and sign my terms and conditions. That document describes the work I will undertake and, by signing the document, you enter into a contact with me to do the work. I will process all personal data that you share with me (for the purpose of completing an assessment or consultation) lawfully, fairly and in a transparent manner. It will be necessary for me to process your personal data in order to fulfil the contract with you.

What are my ‘legitimate interests’?

The reason that I need to process your personal data is to provide psychological services to you or your child. Inevitably, educational psychology assessments/consultations involve the processing of special category data, including information, for example about your child’s health, cognitive functioning, social and emotional issues and family history. I have a legitimate interest to collect such personal data for the purpose of forming a well-informed professional opinion. I will only collect information from you that is relevant for the process of providing the psychological services you have requested.

Why do I need to collect your personal data?

In order to carry out an effective assessment or consultation, I need to collect information about you and/or your child so that I may:

  • Communicate with you by email or phone. The legal basis for this is a legitimate interest.

  • Deliver services to you and your child, for example by preparing a relevant assessment and providing well informed psychological advice for your child. The legal basis is the contract with you.

What personal information do I collect and when do I collect it?

To provide helpful psychological services to you and your child, it is important for me to know your child’s situation and what the concerns are that led to psychological support being requested. This data is usually collected by the parent or primary caregiver completing a parental Request for Involvement form. Some parents may choose to provide additional information in writing or verbally. Information requested on the consent form includes:

  • Name and contact details of parents;

  • Name, date of birth and school history of the child;

  • A summary of the child’s current strengths and difficulties;

  • What strategies of interventions have already been tried with the pupil;

  • Why psychological services have been requested and what are you hoping to gain from my involvement?;

  • Educational information and attainments;

  • Social, emotional and behavioural observations.

I will not request data/information from your child’s school or from other professionals without written permission from as parents/carers. This permission is given by signing and returning the terms and conditions part of the parental Request for Involvement Form, or it can be given by email. Information is usually requested from the SENDCo/Head of Learning Support and or class or subject teachers. You can outline the best persons to contact on the parental form.

How do I use the information that I collect?

The information collected is used in the following ways:

  • To communicate with you so I can arrange appointments with you, discuss your concerns and arrange an appropriate course of action.

  • To prepare a relevant assessment/consultation for your child. I need the personal data to help me to decide what assessments to use and what approaches I should take with the child. Background information about the child’s situation is important so that I am aware if the child has experienced trauma or other experiences that may affect their emotional well-being or ability to learn. It is helpful for me to see previous reports from other professionals, in order to put my work in context with the child’s development over time.

Information provided by you and others (e.g. school, other professionals), when pertinent to the assessment, will be integrated into the written report. The report will only be sent to the parents of the child/young person. In some circumstances, when permission is given by parents to share the report with the school, (which they can do in the Request for Involvement form) the report will be sent to both. It might be that parents give permission for the report to be shared with someone else who is acting on their behalf, and or supporting them with the process (e.g. Head of Learning Support or Pastoral Care at a boarding school), or when the parent cannot read or has other significant challenges. In these cases the report will only be sent encrypted.

If reports are proof read by a proof reader, then reports will be transmitted to and from the psychologist by email, password protected and encrypted. In addition, the proof reader and psychologist will have an agreed ‘Data Controller and Processor Policy’, to outline procedures to keep your data safe and confidential.

Where do I keep the information?

Data is usually received by post or by email.

Paper records will be filed and kept in a locked filing box/cabinet.

When data is received by email, attachments will be saved in the pupil’s electronic file and if any personal data is included in the body of the email, a copy will be saved on the original pupil file. Parents and schools are advised to send personal data password protected or by using an encrypted email service such as Egress.

Electronic information will be stored on a MacBook at the office of Dr Elizabeth Bean, which is password protected.

All personal data relating to pupils or their parents will be backed up by being stored on an external hard drive and in iCloud/OneDrive which are GDPR compliant.

When pupil paper files are being used/worked on they will be locked in a filing box/cabinet and these files will be destroyed at the end of each term, within the three term academic year.

When the information is carried to conduct an assessment, the paper file will be kept in a travel bag. This bag will not be kept overnight in a vehicle. If left out of sight in a vehicle for a shot period during the day, the car will be locked secure. During school visits, I will keep the paper file on my person, or have it locked in a room.

If a data breach occurs, and breach is deemed to be a high risk for the rights and freedoms of the data subject, the ICO and all affected clients will be notified within 72 hours. The nature of the breach will be explained along with the steps I am taking to deal with it.

How long do I keep the information?

The report will provide a summary of my involvement. Once a report has been completed, any handwritten notes will be destroyed. Paper record forms, writing samples and other assessment materials may be kept for up to two months in case questions are raised about the process of the assessment. They will then be securely destroyed.

Electronic files (including pupil reports) will be retained for a period of six years. This is so that a record or the report remains if parents lose the copy that was sent to them. Also, the report may be referred to if the child is reassessed in the future.

Electronic versions of the parental consent form may be kept in the pupil’s electronic file on the MacBook, for up to six years. This is due to it being part of the parental information form. Paper versions of the parent Request for Involvement form version will be destroyed at the end of every 3 term year.

After a period of six years all remaining records will be securely destroyed, unless I continue to be directly involved with the case and there are strong reasons for retaining historical data (e.g. to track strategies and interventions over time or legal cases.)

Please note it is the parents’ responsibility to retain copies of the report, because I will only retain the data for six years.

Who do I send information to?

Where parents have agreed for me to contact the pupil’s school, of if the school have commissioned the report, the date of the appointment will be arranged directly between myself and the school, with the parents being informed of this date either through my communication with them or (in the case where the school has commissioned my involvement) through communication from the school. Alternatively, parents may arrange a date with me and check with the school to ensure it is a mutually convenient date.

Assessment reports are typically only sent to parents, unless the school has commissioned (i.e. paid for) the assessment, in which case a copy will also be sent to the school, using encryption.

Reports will be sent out electronically by email to the pupil’s parents. If the parents are happy to share the report, it is their responsibility to the child’s school and any other relevant professionals.

All reports will be in ‘read only’ PDF format so no changes may be made. They will also be sent encrypted.

Will I send emails and text messages to you?

I will only contact you in response to a request for psychological services that has been initiated either by you or by the school. This would usually include emails or calls to discuss your current concerns and arrange appointments. I will also email invoice or payment details to you and the assessment report.

What happens to your data if I were to die?

In the event of my unexpected death all pupil data will be confidentially destroyed by the appointed executor.

Your rights

As I possess your personal data, you have certain rights. These are rights of access, a right of rectification, a right of erasure, a right to data portability and a right to restrict processing.

You can make a subject access request (SAR) by contacting me. I may require additional verification that you are who you say you are to process this request. Please make such a request in writing or by email to me, Dr Elizabeth Bean. Please provide the following information: your name, address, telephone number, email address and details of the information you require.

I may withhold such personal information to the extent permitted by law. In practice, this means that I may not provide information if I consider that providing the information will violate your vital interests.

You may request a copy of your data at any time. If you believe any of the personal data I hold on you or your child is inaccurate or incomplete, please contact me directly and any necessary corrections to your data will be made without undue delay.

If you believe I should erase your data, please contact me, Dr Elizabeth Bean. However, there are some circumstances when I do not have to delete your data, for example if I have safeguarding obligations that override your data protection rights.

Where you have provided explicit consent for me to use your data, you have a right to withdraw this consent at any time.

If you wish to use a different educational psychologist, you have a right to have the data transferred to them.

If your questions are not fully answered by this policy, please contact me directly. If you are not satisfied with the answers I provide, you may contact the Information Commissioner's Office (ICO) https://ico.org.uk .