Privacy Notice: How we use client information
The categories of client information that we collect, hold and share include:
• Personal information (such as name and address)
• Characteristics (such as ethnicity, language, nationality)
• Special educational needs information (such as category and description of SEN) and information about medical and developmental history and disabilities.
• Assessment information (such as results of tests administered, information collected during interviews, standardised and non standardised assessment information, such as children’s drawings and completed checklists.
Why We Collect and Use This Information
We use the pupil data:
• To complete psychological assessments and consultations
• To monitor the effectiveness of our service
• To comply with the law regarding data sharing
The Lawful Basis on Which We Use This Information
We collect and use pupil information under on the following lawful bases:
• Consent- The client has given clear consent to process data for a specific purpose (completion of educational psychology assessments and consultations). In the case of children, consent has been given by the child’s parent or legal guardian.
• Contract- The processing is necessary for the contract with clients to be fulfilled.
• Legal Obligations- The processing is necessary to comply with the law.
• Legitimate Interests- The processing is necessary for our own legitimate interests or those of a third party.
Storing Client Data
The completed educational psychology report will be stored electronically on a computer for a period of four years (for the purpose of any future re-assessment), accessed by password and only by the author of the report. It is the responsibility of those commissioning the report to keep the electronic copy safe once received. In order to adhere to data protection, reports are emailed to the school or parent who commissioned the report, with password protection. The password will be sent in a separate email to the report.
Background forms, any hard copies of reports and assessment booklets will be shredded after assessment.
Who We Share Client Information With
For work commissioned by parents: Information is only shared with parents. It will not be shared with schools or other professionals, unless specific parental consent (written or verbal) has been obtained.
For work commissioned by schools: Information is shared with the commissioning school and, in the case of individual pupil assessments and consultations, with the parents or legal guardians of the child.
We will share information without consent if it required by law, directed by a court of if the benefits to a child that will arise from sharing the information outweigh both the public and individual’s interest in keeping the information confidential.
Requesting Access to Your Personal Data
Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact: Amanda Furness, Educational Psychologist.
You also have the right to:
• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• object to decisions being taken by automated means
• in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
• claim compensation for damages caused by a breach of the Data Protection regulations
If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/.
If you would like to discuss anything in this privacy notice, please contact:
Amanda Furness, Educational Psychologist
Data protection Policy
Statement of intent
Aspire Educational Psychology Services is required to keep and process certain information about its clients, associates and suppliers in accordance with its legal obligations under the General Data Protection Regulation (GDPR). Aspire Educational Psychology Services, from time to time, be required to share personal information about its clients, associates and suppliers. This policy is in place to outline how we comply with the core principles of the GDPR. Organisational methods for keeping data secure are imperative, and Aspire Educational Psychology Services believes that it is good practice to keep clear practical policies. This policy complies with the requirements set out in the GDPR, which came into effect on 25 May 2018.
The data processor and data controller is: Amanda Furness.
This policy has due regard to legislation, including, but not limited to the following:
• The General Data Protection Regulation (GDPR)
• The Freedom of Information Act 2000
• The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004
• The School Standards and Framework Act 1998
This policy will also have regard to the following guidance:
• Information Commissioner’s Office (2017) ‘Overview of the General Data Protection Regulation (GDPR)’
• Information Commissioner’s Office (2017) ‘Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now’
For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual, including information such as an online identifier, such as an IP address. The GDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as to chronologically ordered data and pseudonymised data, e.g. key-coded. Sensitive personal data is referred to in the GDPR as ‘special categories of personal data’, which are broadly the same as those in the Data Protection Act (DPA) 1998. These specifically include the processing of genetic data, biometric data and data concerning health matters.
In accordance with the requirements outlined in the GDPR, personal data will be:
• Processed lawfully, fairly and in a transparent manner in relation to individuals.
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Accurate and, where necessary, kept up-to-date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods, insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The GDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”.
Aspire Educational Psychology Services will implement appropriate technical and organisational measures to demonstrate that data is processed in line with the principles set out in the GDPR and will provide clear and transparent privacy policies.
Records of activities relating to higher risk processing will be maintained, such as the processing of special categories data (e.g. SEN information)
Internal records of processing activities will include the following:
Name and details of the organisation
Purpose(s) of the processing
Description of the categories of individuals and personal data
Categories of recipients of personal data
Description of technical and organisational security measures
Details of transfers to third countries, including documentation of the transfer mechanism safeguards in place.
Aspire Educational Psychology Services will implement measures that meet the principles of data protection by design and data protection by default, such as:
• Data minimisation.
• Continuously creating and improving security features. Data protection impact assessments will be used, where appropriate.
The legal basis for processing data will be identified and documented prior to data being processed. Under the GDPR, data will be lawfully processed under the following conditions:
• The consent of the data subject has been obtained.
• Processing is necessary for compliance with a legal obligation.
• The processing is necessary for the contract with clients to be fulfilled.
The processing is necessary for our legitimate interests of those of a third party.
Sensitive data will only be processed under the following conditions:
• Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law.
• Processing relates to personal data manifestly made public by the data subject.
• Processing is necessary for: Carrying out obligations under employment, social security or social protection law, or a collective agreement, protecting the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent, the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity, reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards, reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
Signed consent is obtained from clients, who are required to sign the Aspire Educational Psychology Services terms and conditions agreement. In the case of children, signed consent is required from their parent or legal guardian. Commissioning schools are also required to sign a terms and conditions document, which indicates consent. Consent can be withdrawn by the individual at any time.
The Right to be Informed
The privacy notice supplied to individuals in regards to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge. This is available on the Aspire Educational Psychology Services website. If services are offered directly to a child, Aspire Educational Psychology Services will ensure that the privacy notice is written in a clear, plain manner that the child will understand. In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice:
• The identity and contact details of the controller.
• The purpose of, and the legal basis for, processing the data.
• The legitimate interests of the controller or third party.
• Any recipient or categories of recipients of the personal data.
• The retention period of criteria used to determine the retention period.
• The existence of the data subject’s rights, how to lodge a complaint with a supervisory authority.
The Right of Access
Individuals have the right to obtain confirmation that their data is being processed. Individuals have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing. Aspire Educational Psychology Services will verify the identity of the person making the request before any information is supplied. A copy of the information will be supplied to the individual free of charge; however, Aspire Educational Psychology Services may impose a ‘reasonable fee’ to comply with requests for further copies of the same information.
Where a SAR has been made electronically, the information will be provided in a commonly used electronic format. Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged. All fees will be based on the administrative cost of providing the information. All requests will be responded to without delay and at the latest, within one month of receipt. In the event of numerous or complex requests, the period of compliance will be extended by a further two months. The individual will be informed of this extension, and will receive an explanation of why the extension is necessary, within one month of the receipt of the request. Where a request is manifestly unfounded or excessive, Aspire Educational Psychology Services holds the right to refuse to respond to the request. The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority and to a judicial remedy, within one month of the refusal. In the event that a large quantity of information is being processed about an individual, Aspire Educational Psychology Services will ask the individual to specify the information the request is in relation to.
The Right to Rectification
Individuals are entitled to have any inaccurate or incomplete personal data rectified. Where the personal data in question has been disclosed to third parties, Aspire Educational Psychology Services will inform them of the rectification where possible. Where appropriate, Aspire Educational Psychology Services will inform the individual about the third parties that the data has been disclosed to. Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex. Where no action is being taken in response to a request for rectification, Aspire Educational Psychology Services will explain the reason for this to the individual, and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
The Right to Erasure
Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Individuals have the right to erasure in the following circumstances:
• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
• When the individual withdraws their consent
• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
• The personal data was unlawfully processed
• The personal data is required to be erased in order to comply with a legal obligation
• The personal data is processed in relation to the offer of information society services to a child
Aspire Educational Psychology Services has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
• To exercise the right of freedom of expression and information
• To comply with a legal obligation for the performance of a public interest task or exercise of official authority
• For public health purposes in the public interest
• For archiving purposes in the public interest, scientific research, historical research or statistical purposes
• The exercise or defence of legal claims
As a child may not fully understand the risks involved in the processing of data when consent is obtained, special attention will be given to existing situations where a child has given consent to processing and they later request erasure of the data, regardless of age at the time of the request.
Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. Where personal data has been made public within an online environment, Honeybee Psychology will inform other organisations who process the personal data to erase links to and copies of the personal data in question.
The Right to Restrict Processing
Individuals have the right to block or suppress Aspire Educational Psychology Services' processing of personal data. In the event that processing is restricted, Aspire Educational Psychology Services will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future.Aspire Educational Psychology Services will restrict the processing of personal data in the following circumstances:
• Where an individual contests the accuracy of the personal data, processing will be restricted untilAspire Educational Psychology Services has verified the accuracy of the data
• Where an individual has objected to the processing and Aspire Educational Psychology Services is considering whether their legitimate grounds override those of the individual
• Where processing is unlawful and the individual opposes erasure and requests restriction instead
• Where Aspire Educational Psychology Services no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim
If the personal data in question has been disclosed to third parties, Aspire Educational Psychology Services will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so. Aspire Educational Psychology Services will inform individuals when a restriction on processing has been lifted.
The Right to Data Portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability. The right to data portability only applies in the following cases:
• To personal data that an individual has provided to a controller
• Where the processing is based on the individual’s consent or for the performance of a contract
Personal data will be provided in a structured, commonly used and machine-readable form. Aspire Educational Psychology Services will provide the information free of charge. Where feasible, data will be transmitted directly to another organisation at the request of the individual. Aspire Educational Psychology Services is not required to adopt or maintain processing systems which are technically compatible with other organisations. In the event that the personal data concerns more than one individual, Aspire Educational Psychology Services will consider whether providing the information would prejudice the rights of any other individual.. Aspire Educational Psychology Services will respond to any requests for portability within one month. Where the request is complex, or a number of requests have been received, the time frame can be extended by two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request. Where no action is being taken in response to a request, Aspire Educational Psychology Services will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
The Right to Object
Aspire Educational Psychology Services will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information.
Privacy by Design and Privacy Impact Assessments
Aspire Educational Psychology Services will act in accordance with the GDPR by adopting a privacy by design approach and implementing technical and organisational measures which demonstrate how we have considered and integrated data protection into processing activities. Data protection impact assessments (DPIAs) will be used to identify the most effective method of complying with our data protection obligations and meeting individuals’ expectations of privacy.
The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Amanda Furness is aware of what constitutes a data breach. Where a breach is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed. All notifiable breaches will be reported to the relevant supervisory authority within 72 hours of Aspire Educational Psychology Services becoming aware of it. The risk of the breach having a detrimental effect on the individual, and the need to notify the relevant supervisory authority, will be assessed on a case-by-case basis. In the event that a breach is likely to result in a high risk to the rights and freedoms of an individual, Aspire Educational Psychology Services will notify those concerned directly. A ‘high risk’ breach means that the threshold for notifying the individual is higher than that for notifying the relevant supervisory authority.
Confidential paper records will be kept in a locked filing cabinet, drawer or safe, with restricted access. When travelling, these will be kept in the boot of a locked car. Confidential paper records will not be left unattended or in clear view anywhere with general access. Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site. Where data is saved on removable storage or a portable device, the device will be kept in a locked filing cabinet, drawer or safe when not in use. Memory sticks will not be used to hold personal information unless they are password-protected and fully encrypted. All electronic devices are password-protected to protect the information on the device in case of theft. Where reasonable, identifying information such as names and addresses will not be disclosed in emails. Reports will be sent out by password protected email (in pdf format) or as a paper document, by post in an envelope marked confidential.
Data will not be kept for longer than is necessary. Unrequired data will be deleted as soon as practicable. Reports are retained in electronic format for four years, after which they are deleted. Paper documents such as test sheets, questionnaires and notes are shredded once the report is issued. It is the responsibility of clients to keep their report safe.
All data provided by the DBS will be handled in line with data protection legislation; this includes electronic communication. Data provided by the DBS will never be duplicated. Copies of DBS certificates will be verified but will not be held on file.