As a sole trader operating Swansea Speech and Language, I, Sioned McBride, am committed to protecting your privacy and ensuring that your personal information is handled in accordance with the General Data Protection Regulation (GDPR). This statement explains how I collect, use, and store your personal data. Please read it carefully to understand your rights and how I protect your information. What Information I Collect:When you access the services of Swansea Speech and Language, I may collect the following types of personal data:
Personal Details: Full name, date of birth, contact information (address, phone number, email).
Health Information: Medical history, speech and language assessment data, therapy notes, progress reports.
Billing Information: Payment details for services provided. Please note that I do not store credit or debit card details. All payments are processed via BACS (Bankers' Automated Clearing Services), and the necessary bank account details are shared with you for payment.
Where I Gather InformationPersonal data will be provided by the child's Parents or Guardians, or in the case of a young person over 18 years old, the client. This information will be collected as part of a case history form prior to, or on the date of first contact. Information may also be provided directly from relevant third parties such as schools, medical professionals and allied health professionals, with prior consent from the parent(s)/guardian(s). How I Use Your Information:I use your personal data, or your child's personal data, for the following purposes:
To assess, diagnose, and treat your or your child's speech and language needs.
To communicate with you regarding your or your child's appointments, therapy progress, and any important updates. Likely modes of communication are: face to face, email, telephone call, standard text message and WhatsApp.
To manage billing and payments for the services provided.
To comply with legal or regulatory obligations relevant to healthcare and professional standards.
To manage the general running of the business including a diary of appointments.
Clinical Records. Swansea Speech and Language keeps electronic records of clinical data in order to provide a service. The preferred format for clinical data is electronic via a secure electronic cloud-based system called WriteUpp, which is compliant with general data protection regulations. Alongside this system larger documents such as SLT reports or reports provided by parents from other professionals may be stored on an encrypted device, which is only accessible via a password held by Sioned McBride.
Email data. Email addresses and emails are stored within Outlook (Hotmail), which is GDPR compliant and password protected.
Starling Business Toolkit. Your data (name, address, email address, telephone number) is stored securely within the Starling Business Toolkit for invoicing purposes. Copies of invoices sent to you are held within the Starling Business Toolkit and contain your child's name and the dates of their appointments. A record of your BACS transaction when paying your invoice will be recorded as per Starling Bank's own systems.
Handwritten notes from a session are stored on a Remarkable device which is password protected. The information is used to write the clinical records and these records are regularly reviewed and deleted when no longer required.
Occasionally a paper-based record is created e.g. an assessment form. These are scanned on to WriteUpp and the paper-based record held securely in a locked filing cabinet at 79 Rhondda Street, Swansea, SA1 6ET until securely shredded.
Video records/ voice recordings relating to client care may be recorded, analysed and then destroyed.
Updates to parents from sessions where the parent is not present will be provided via WhatsApp, which is end-to-end encrypted. This may be via text, voice note or video. You may add or remove consent for these updates at any time.
I will only share your personal data with other healthcare professionals or third parties where necessary (e.g. referrals to a doctor or collaborating with other therapists) and always with your explicit consent, unless in the following special circumstances:
For legal reasons: I will share personal information with companies or organisations outside of if disclosure of the information is reasonably necessary to:
Meet any applicable law, regulation, legal process or enforceable governmental request.
Meet the requirements of the Children's Act 1989.
Your Rights Under the GDPR:Under the GDPR, you have the following rights in relation to your personal data:
Right of Access: You can request access to the data I hold about you.
Right to Rectification: You can request that I correct any inaccurate or incomplete information. A note of the revision will be kept and it will be made clear that this has been requested.
Right to Erasure: You can ask for your data to be deleted. This would include saved information kept for invoicing purposes and saved email addresses or telephone numbers. However, please note that medical records must be retained in accordance with the retention guidelines set by the Royal College of Speech and Language Therapists and other regulatory bodies. These records will be kept for the prescribed retention period before they can be safely erased. For more information on retention timescales, please refer to the Royal College of Speech and Language Therapists' retention guidelines. Following the retention deadline, all data will be destroyed under confidential means. In accordance with law, for children, all records will be kept securely until your child is 25 years old or if still receiving treatment at the age of 17, until they are 26 years old. After this time all records relating to your child will be destroyed. For adults receiving treatment, the retention period is 8 years after treatment has ended. Please note that your contact details form part of the medical record and as such would be securely stored according to the retention period.
Right to Restrict Processing: You can request that I limit how I use your data under specific circumstances e.g. removing consent to speak with named services or specific people, or requesting communications via specific means. Please make restrictions known to me in writing via email.
Right to Object: You can object to the processing of your personal data, however please note that holding data is inherently necessary in order for me to provide a service. Objection to or removal of consent to store data will lead to cessation of my services to you and/or your child and any notes to date will be stored as per the Royal College of Speech and Language Therapists retention policy.
Right to Data Portability: You can request a copy of your data in a machine-readable format to transfer to another provider.
Exceptions: If under investigation or if litigation is likely, files must be held in original form indefinitely, otherwise files are held for the minimum periods set out above.
How Your Data is ProtectedIn accordance with the General Data Protection Regulation (GDPR), Swansea Speech and Language will protect your personal data in a number of ways:
By limiting the data that is collected in the first instance - all data collected will be collected solely for the purposes set out above and will be collected for specified, explicit and legitimate purposes. The data will not be processed any further in a manner that is incompatible with those purposes save in the following special circumstances
For legal reasons: We will share personal information with companies or organisations outside of if disclosure of the information is reasonably necessary to:
Meet any applicable law, regulation, legal process or enforceable governmental request.
Meet the requirements of the Children's Act 1989.
Furthermore, all data collected by us will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected which include for the assessment, diagnosis and treatment of speech, language, communication or learning difficulties.
By transmitting the data in certain specified circumstances only. Data will only be shared and transmitted, be it on paper or electronically, only as is required, and as set out above.
By keeping only the data that is required when it is required and by limiting its accessibility to any other third parties.
By disposing of/destroying the data once the individual has passed the ages as per the retention guidelines.
There are appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include measures such as the password protection of electronic devices, pseudonymisation of personal data, and safe and secure storage facilities for paper/electronic records.
By destroying the data securely and confidentially after the period of retention has elapsed. This could include the use of confidential shredding facilities or, if requested by the individual, the return of personal records to the individual.
By ensuring that any personal data collected and retained is both accurate and up-to-date.