The new EU data protection law, called the General Data Protection Regulation (EU Regulation 2016/679) (the ‘GDPR’), came into force on 25 May 2018. The Data Protection Act 2018 is the UKs implementation of GDPR and replaces the Data Protection Act 1998. Mosaic Psychology directors, Dr Sarah Modi and Dr Craig Allen (‘the educational psychologists’) are committed to protecting and respecting your privacy.
This Privacy Notice explains how the educational psychologist uses your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.
Personal data is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. This includes contact information that is used to communicate with individuals and organisations, as well as client confidential data collected or generated by the educational psychologist. Guidance from the British Psychological Society (BPS) has also been used when developing this Privacy Notice. Further information about data protection law can be found by contacting the Information Commissioner’s Office (ICO) https://ico.org.uk/
This Privacy Notice applies to any personal data collected by Mosaic Psychology Limited.
Why is personal information collected by the educational psychologist?
Personal information is collected to deliver an educational psychology service that has been commissioned by a parent, school or other education setting. The specific work carried out will vary according to the child/young person’s individual needs and the concerns being explored.
The educational psychologists have a legitimate interest to collect personal information about a child/young person and where appropriate parents/carers. This information is gathered for the purpose of forming a professional opinion or psychological formulation. In so doing, the educational psychologists only collect information that is relevant to the purpose of undertaking that work and the associated reporting and advising.
What personal information is collected?
Personal information is only obtained with written consent from parents/carers/legal guardians.
The educational psychologists will collect personal information including name of the child/young person, date of birth, gender, contact address and telephone number. Educational psychology assessments often involve the processing of special category data, including information about health, educational achievements, cognitive functioning, personality, interests, and family history.
Personal information about a child/young person may be obtained from a third party including their school/education setting and other professionals/agencies (e.g. health services). This might include school reports and assessment data.
How is the information that has been collected then used and processed?
The information collected is used to form a professional opinion or psychological formulation of the child/young person’s strengths and needs, and advice on appropriate support. This is recorded in an educational psychologist report or other summary of involvement.
Reports and/or letters are predominantly shared with the child/young person’s parent/carer and the school/education setting through end-to-end encrypted email (e.g. Egress). The report or summary may also be shared with other professionals/agencies who are involved with the child/young person with parents’ consent.
How and where is personal information stored and kept safe?
We take the storage of personal data and special category data very seriously and have safeguards in place to protect against unlawful or unauthorised processing or accidental loss or damage.
Referral information and consent forms are stored securely in an electronic folder on a password protected laptop and online cloud. Paper copies are then destroyed.
Paper records (e.g., handwritten notes and test forms) are stored in a locked filing cabinet and are securely destroyed when no longer needed (e.g. when psychological formulation and reports have been completed).
Reports/summaries are stored on an encrypted password protected laptop and online cloud.
Electronic information is backed up and stored securely on an external hard drive.
If transported, the laptop will remain either in a locked environment or in the personal possession of the educational psychologists.
For how long will personal information be stored?
Personal data on clients is retained for 7 years, following guidelines from the British Psychological Society, Practice Guidelines, Third Edition, August 2017. During the 7th year, any electronic information and remaining paper records (e.g., test forms) will then be deleted/destroyed.
This data is retained for the purposes of information if the client/data subject were re-referred to our service.
You have the right to access information and/or records that the educational psychologist holds about you. You can make a ‘subject access request’ (SAR) by contacting the Data Protection Officers (Dr Sarah Modi and/or Dr Craig Allen) in writing.
Client access to records will be restricted to information about themselves, or a child where they are the parent/legal guardian. Restrictions will apply when disclosure would violate the child/young person’s vital interests.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover administrative costs in responding.
The educational psychologists will respond to your subject access request within one month of receipt. Normally, the educational psychologists will provide a complete response, including a copy of your personal information within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date received.
Under article 17 of the GDPR individuals have the right to have personal information erased. This is known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. In each situation, the educational psychologist will have to decide what information should be deleted. This will be based on the protection of the child/young person’s vital interests.
Data Breach Procedure
Any data breeches will be reported to the data subject(s) within 72 hours of the educational psychologist becoming aware of the breach. Where appropriate, the Information Commissioner’s Office (ICO) will also be informed of the breach.
To contact the educational psychologists about anything to do with your personal information and data protection, including to make a subject access request, please use the following details (for the attention of Dr Sarah Modi/Dr Craig Allen Educational Psychologists/Data Controllers).
Email address: firstname.lastname@example.org
Telephone number: 07818991738
Changes to this Privacy Notice
This Privacy Notice is regularly reviewed. It may be necessary to update or amend this Notice from time to time, for example if the law changes or if the educational psychology service delivery changes in a way that affects your privacy.
Next review date – May 2022
Please contact us for a copy of our Data Protection Policy at email@example.com