Learning Directions Ltd. aims to be as clear as possible about how and why we use information about you, the client, so that you can be confident that your privacy is protected.
This policy describes the information that Learning Directions Ltd. collects when you use our services. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 [and the subsequent UK Data Protection Bill that is expected to be enacted in May 2018].
This policy describes how we manage your information when you use our services, if you contact us or when we contact you.
Learning Directions Ltd. uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. In accordance with these laws, Dr Ruth Lubel, Director of Learning Directions Ltd is the data controller; if another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information.
If your questions are not fully answered by this policy, please contact our Data Protection Officer, the Director.
If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner’s Office (ICO) https://ico.org.uk.
Background to the business
Learning Directions Ltd. was formed in June 2013 and is a small company owned and operated by Dr Ruth Lubel, who is the sole Director of the company. Learning Directions Ltd. business is run from the home office of the company director. Dr Ruth Lubel is registered as a practitioner psychologist with the Health and Care Professions Council (HCPC), the UK’s regulatory body for qualified psychologists. There are currently no other employees; associate psychologists may provide services through Learning Directions Ltd and would be subject to an agreement to comply by this policy agreement. The company provides psychological assessment and consultation services, which relate to a wide variety of learning and behavioural needs. Our clients include: adults commissioning a private psychological assessment / consultation; adults commissioning a private psychological assessment / consultation for their children / children in their care; Local Authorities.
1. Why do we need to collect your personal data?
We need to collect information about you so that we can:
- Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest in providing services to you, your child, or a child in your care, as requested by you.
- Deliver psychological and educational services to you, your child, or a child in your care, as requested by you. The legal basis for this is the contract or agreed arrangement with you.
- Send you an invoice to seek payment for our services. The legal basis for this is the contract or agreed arrangement with you.
- Contact you in case there is a problem. The legal basis for this is a legitimate interest.
- Provide you with a useful and relevant website. The legal basis for this is legitimate interest.
2. What personal information do we collect?
Private Psychological Assessments
- Informed consent has to be provided before an educational psychologist will work with the child or young person or adult. The parents or legal guardian sign a consent agreement form issued by Learning Directions Ltd before the psychologist works with the child.
- Scanned copies of the signed consent form are kept in the child’s folder. This folder is anonymized for the child by using a particular code. Any paper copies of the consent form are shredded.
2.2 Information Collected
For us to provide you with services, we need to collect the following information:
- Your name.
- Where relevant, the name, address and date of birth or your child or child in your care.
- Your contact details including a postal address, telephone number(s) and electronic contact such as email address.
- Details about any other professionals (such as Speech and Language Therapist, Occupational Therapist, Physiotherapist, Clinical Psychologist, Social Worker etc.), who are involved with your child or child in your care including their names and contact details. We may need to share personal information about your child or child in your care with these professionals.
- Details about the key contact members of staff in the school (such as Special Needs Co-ordinator etc.) who are involved with your child or child in your care including their names and contact details.
2.3 EP report
After working with an individual child / young person / adult the educational psychologist will produce a report. This will include personal and confidential information related to the child/ young person and their family. A copy of this report is kept in the child/ person’s electronic folder.
2.4 Related Documentation
Any additional documents provided to Learning Directions Ltd about the child or young person such as school attendance data, school reports are initially viewed as part of the work and then all paper copies are shredded.
Working with Local Authorities and Data Protection
Learning Directions Ltd sells educational psychology services to Local authorities and schools. The following explains what data is held in relation to the delivery of EP services.
2.5 School Planning Notes
The Director of Learning Directions Ltd holds a planning meeting with the school where a child or young person may be discussed. The school contact is asked to confirm that verbal consent has been given by the parents or legal guardian of the child or young person before specifically naming the child. Children are referred to by their initials or first name on the school planning record. The planning record is kept in the school electronic folder held by the local authority and they send a copy to the school primary contact. An electronic copy is kept in the school folder held by the psychologist on the company PC. Paper copies are not kept by Learning Directions Ltd.
2.6 Informed Consent
Informed consent has to be provided for the psychologist to work with the child or young person. The parent or legal guardian must sign a consent form issued by the local authority before the psychologist can work with the child. The local authority scans copies of this consent form into the Child’s folder. Paper copies are shredded within Learning Directions Ltd.
2.7 Educational Psychologist Report
After working with an individual child the psychologist produces a report. This will include personal and confidential information related to the child or young person and their family. A copy of this report is kept in the local authority’s child’s electronic folder. The local authority sends a copy to the school and the parents or legal guardians.
2.8 Other Documentation
Other documentation sent to Learning Directions Ltd such as the child or young person’s Education and Health Care Plans, Individual Education Plans, school attendance data etc. are all shredded by Learning Directions Ltd after the child’s report has been written by the educational psychologist.
2.9 Paper records
3. How do we use the information that we collect?
We use the data we collect from you in the following ways:
- To communicate with you so that we can inform you about your appointments with us we may use your name, your child’s name (where relevant) your contact details such as your telephone number, email address or postal address.
- To liaise with other professionals (such as Speech and Language Therapist, Occupational Therapist, Physiotherapist, Clinical Psychologist, Social Worker etc.), who are involved with your child or child in your care. We may need to share personal information about your child or child in your care with these professionals.
- To liaise with key contact members of staff in the school (such as Special Needs Co-ordinator etc.) who are involved with your child or child in your care. We may need to share personal information about your child or child in your care with this teacher.
- To create your invoice we include just your name and your child’s first name. Your child’s full name or date of birth (if relevant) is not included in our invoicing.
4. Where do we keep the information and what is stored there?
We keep your information on:
- A PC which is password protected;
- Apple smartphone and tablet devices which requires a PIN or fingerprint ID to access;
Note: The Apple smartphone and tablet devices hold only emails which are shared through iCloud. Apple is compliant with GDPR (see https://www.apple.com/legal/privacy/en-ww/governance/).
iCloud’s servers are located in Denmark within the EU, and information is encrypted in transit and at rest (source: GDPR SME).
4.1 Referral/ consent forms
We obtain referral/ consent forms which provide us with basic details and signed parental permission to work with a child. These give details of name, date of birth, postal address, email address and phone number and are stored in electronic form in the child’s electronic file. For our work with Local authorities the referral/ consent forms are stored on the Local Authorities individual child electronic folder.
4.2 Written reports
Following our assessment or consultation work we create a typed report, which will usually provide a summary of matters discussed, assessment outcomes, conclusions and recommendations. This report will also contain personal information about you or your child including name, address and date of birth. This report is stored in the child’s electronic folder on the company PC. The title of this electronic folder has a specified code rather than using the child/ young person’s full name. This folder is stored in Dropbox which provides a secure cloud-based backup. Dropbox will meet the requirements of the GDPR by 25th May 2018. We now use Protonmail which is a highly secure encrypted secure email and data sharing service which uses a data centre in Swizerland to store encrypted emails.
Details of appointments with you are held in paper form in the paper diary. This is kept securely by the Director.
4.4 Our assessment software
We use an assessment package called GL Assessment Test wise when working with adults and children, for the purpose of assessing their cognitive skills and educational attainments. It is accessed via computer devices 1 and 4 listed above. The data which is stored securely with GL Assessment, who is GDPR compliant, includes the client’s name and date of birth and test scores. The GL Education Group complies fully with the ISO/IEC 270013 international standard regarding data security management, the highest standard in industry specifically for data security. At the GL Education Group, this standard is maintained for all online resources which includes Testwise, the GL Education Group’s online testing system and the Testwise Reporting System (“Testwise”).
4.5 Handwritten/ Paper Notes
Handwritten notes may be taken when we meet. These notes are used to create the report that we provide to you. These notes tend not to be extensive and tend to record details of the conversation with clients rather than personal information in terms of identification. They are almost never required after the report is compiled. These notes are kept in a client’s paper file in a locked filing cabinet at the Director’s home office. The paper file contains just a name on the cover (no date of birth, or address).
4.6 Payment Details
Please note that we do not store our payment card details in any of our systems as payments are (apart from a few cash and cheque payments) sent by clients through bank transfer following invoicing. We therefore do not require any card details.
5. Who do we send the information to?
We will send the written report to you and, on extremely rare occasions, anyone we are required by law to inform. All of the work undertaken by Learning Directions Ltd is confidential. Information is only shared with the specific consent of the child or young person’s parent or legal guardian.
If disclosure of information is deemed necessary, psychologists will aim to obtain specific informed consent from their clients, making the consequences of disclosure as clear and unbiased as possible. There are a number of circumstances where this might not be possible or may not apply: for example where the health, safety, security or welfare of the client may otherwise be put at risk, and if there are legal or safeguarding responsibilities. Further information regarding confidentiality can be found in the British Psychological Society, Practice Guidelines, August 2017.
- All reports that are sent electronically are sent as attachments that are encrypted and password protected:
- In the case of Local Authority reports for children, these are sent by the admin team located within the local authority using their secure systems.
- From 25th May, we will be moving towards the use of the Egress Switch, a secure email encryption and data sharing service, for which we pay a yearly subscription. Egress uses a data centre in the UK to store encrypted emails. https://supportcentre.egress.com/hc/en-gb/articles/203173931-Where-is-myencrypted-data-held-)
- We may also make arrangements with you using email, which is provided from our end by Gmail. Email is not considered to be as safe as other end-to-end encrypted forms of electronic communication, so it is important to avoid sharing personal information in this way. Whilst this is outside of our own GDPR remit, we expect that organisations we work with are GDPR compliant and hence would need then to password any documents sent to us via email.
6. How long do we keep the information?
GDPR makes it clear that we should not keep personal information for any longer than is useful and meaningful. The company’s view is that it is in the client’s best interest, in terms of GDPR legislation, for information to be permanently destroyed after these periods of time stated below. The company holds the view that data should not be kept for many years simply for the very remote chance of being requested for this information many years into the future. For such data to be kept for up to 25 years may well be valid for much larger educational and health organisations – however, it is not felt to be appropriate on the basis of the work undertaken by Learning Directions Ltd. (which is not primarily to inform legal institutions).
- Handwritten notes in paper files will be securely shredded: (1) for children or young adults aged under 18 years, when they reach reaches 25 years of age; (2) for adults (over 18 years age), after 7 years.
- We keep referral forms electronically and these will be deleted: (1) for children or young adults aged under 18 years when they reach reaches 25 years of age; (2) for adults (over 18 years age) after 7 years.
- We keep written reports electronically and these will be deleted: (1) for children or young adults aged under 18 years when they reach reaches 25 years of age; (2) for adults (over 18 years age) after 7 years.
- Email communication with you will be deleted from the email server after three years, but copies may be archived with the paper or electronic notes as above.
7. How can I see all the information you have about me?
You can simply contact the Director or make a subject access request (SAR) by contacting the Data Protection Officer. We may require additional verification that you are who you say you are to process this request. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests.
8. What if my information is incorrect or I wish to be removed from your system?
Please contact the Director. If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same format at the subject access request in section 7.
9. How can I have my information removed?
If you want to have your data removed we have to determine if we need to keep the data, for example in case HMRC wish to inspect our records. If we decide that we should delete the data, we will do so without undue delay.
10. Will we send emails and text messages to you?
As part of providing our service to you we will send your report to you either in person or via email. The report will be encrypted, and password protected, as described in Section 6 of this policy document. We may also send you text messages for the purpose of arranging meetings or assessments, for example.
11. Will I receive ongoing/ subscribed communication?
Learning Directions Ltd. does not hold onto emails or mobile numbers for the purpose of any ongoing/ subscribed communication. You will not receive information such as advertisements or special offers.
12. Changes to this Policy
This GDPR policy may be subject to change, for the purpose of further updates in pursuit of securing your data. Please check at www.educationalpsychologistcardiff.co.uk or www.dyslexiacardiff.com for the most current version of this document.
Date of publication: 20th May 2018