Data protection background
The new EU data protection law, called the General Data Protection Regulation (EU Regulation 2016/679) (the ‘GDPR’), came into force on 25 May 2018 and replaced the Data Protection Act 1998 in its entirety. Dr Kait Baxter (‘the educational psychologist’) is committed to protecting and respecting your privacy and is the data controller for the information collected. My contact details can be found on my website, fireflyeducationalpsychology.com. This Policy explains how the educational psychologist uses your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data. Personal data is defined by the GDPR as, ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. This includes contact information that is used to communicate with individuals and organisations, as well as client confidential data collected or generated by the educational psychologist. Further information about data protection law can be found by contacting the Information Commissioner’s Office (ICO) https://ico.org.uk/
Why is personal information collected by the educational psychologist?
Personal information is collected to deliver an educational psychology service that has been commissioned by a parent, school, or other education setting. Informed consent will be obtained before any data is collected, processed or stored. The specific work carried out will vary according to the child/young person’s individual needs and the concerns being explored.
The educational psychologist has a legitimate interest to collect personal information about a child/young person and where appropriate parents/carers. This information is gathered for the purpose of forming a professional opinion or psychological formulation. In so doing, the educational psychologist only collects information that is relevant to the purpose of undertaking that work and the associated reporting and advising.
What personal information is collected?
Personal information is only obtained with written consent from parents/carers/legal guardians.
The educational psychologist will collect personal information including the name of the child/young person, date of birth, gender, contact address and telephone number. Educational psychology assessments often involve the processing of special category data, including information about health, educational achievements, cognitive functioning, personality, interests, and family history.
Personal information about a child/young person may be obtained from a third party, including their school/education setting and other professionals/agencies (e.g. health services). This might include school reports and assessment data.
How is information collected, processed, stored, and shared?
- Data is usually received in person or via email.
- Paper notes and records are kept in a locked filing cabinet until a report is written and then destroyed within three months using a certified shredding service.
- Electronic information will be stored on an encrypted, password-protected laptop.
- When data is received via email, attachments will be saved in the child’s electronic file and the email will then be deleted. If sensitive information is within the body of the email, the email will be saved to their electronic file and deleted from the email inbox. School staff and other parties are advised to send data password protected or via an encrypted service such as Egress.
- When information is carried to conduct an assessment, the paper file will be always kept in the possession of the educational psychologist. If travelling with a laptop, the laptop will be turned off and logged out of electronic storage services for the duration.
- Reports and other written records are typically shared with school and/or parents via email. All written records are sent as PDFs, with either a personalised password or via an encryption service such as Egress. If it is not possible to share the written record via email, an individual arrangement will be made with you.
- Individual cases may be discussed on an anonymised basis as part of professional supervision sessions, as required by the professional regulatory body (HCPC).
For how long will personal information be stored?
All personal and sensitive data will be stored securely until the child/young person turns 25 years of age. In their 25th year, the electronic folder and any remaining paper records will be deleted/destroyed.
Will you share data with anyone else?
If another party (e.g., the police, social care) has requested access to your data, I will ask for your consent to share information and outline who they are, what they will do with your data, and why they have asked for it. You have the right to say no to this request. In two specific situations, I do not need to ask permission to share your data. These are: if there is a risk to your child’s vital interests, or if I have a legal obligation to share the data.
What happens to data if I were to die?
In the event of my unexpected death, all pupil data will be confidentially destroyed by the appointed executor.
Your rights in relation to your data
You have the right to access information and/or records that the educational psychologist holds about you. You can make a ‘subject access request’ (SAR) by contacting the Data Protection Officer (Dr Kait Baxter) in writing.
Client access to records will be restricted to information about themselves, or a child they are the parent/legal guardian of. Restrictions will apply when disclosure would violate the child/young person’s vital interests.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover administrative costs in responding.
The educational psychologist will respond to your subject access request within one month of receipt. Normally, the educational psychologist will provide a complete response, including a copy of your personal information within that time. In some cases, however, particularly if your request is more complex, more time may be required, up to a maximum of three months from the date received.
Under article 17 of the GDPR, individuals have the right to have personal information erased. This is known as the ‘right to be forgotten’. This right is not absolute and only applies in specific circumstances. In each situation, the educational psychologist will decide what information should be deleted and what data may need to be retained, for example to defend professional practice or meet other regulatory requirements. This will be based on the protection of the child/young person’s vital interests.
Data breach procedure
Any data breaches will be reported to the Information Commissioner’s Office (ICO) and the data subject(s) within 72 hours of the educational psychologist becoming aware of the breach.
To contact the educational psychologist about anything to do with your personal information and data protection, including to make a subject access request, please use the following email address firstname.lastname@example.org and include the following: For the attention of Dr Kait Baxter, Educational Psychologist / Data Controller)
Changes to this policy
This Data Protection Policy is regularly reviewed. It may be necessary to update or amend this policy from time to time, for example if the law changes or if the educational psychology service delivery changes in a way that affects personal data protection.
Written: August 2023
Next review date: August 2024
Get in touch
If you would like to get in touch about working with us, please fill in an enquiry form by clicking the button below