Introduction:

​

The new EU data protection law, called the General Data Protection Regulation (EU Regulation 2016/679) (the ‘GDPR’), came into force on 25 May 2018.  The Data Protection Act 2018 is the UKs implementation of GDPR and replaces the Data Protection Act 1998.    Mosaic Psychology directors, Dr Sarah Modi and Dr Craig Allen (‘the educational psychologists’) are committed to protecting and respecting your privacy.

​

Purpose:

​

This Privacy Notice explains how the educational psychologist uses your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.

Personal data is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. This includes contact information that is used to communicate with individuals and organisations, as well as client confidential data collected or generated by the educational psychologist. Guidance from the British Psychological Society (BPS) has also been used when developing this Privacy Notice. Further information about data protection law can be found by contacting the Information Commissioner’s Office (ICO) https://ico.org.uk/

​

Scope:

​

This Privacy Notice applies to any personal data collected by Mosaic Psychology Limited.

​

Why is personal information collected by the educational psychologist?

​

Personal information is collected to deliver an educational psychology service that has been commissioned by a parent, school or other setting. The specific work carried out will vary according to the child/young person’s individual needs and the concerns being explored.

​

The educational psychologists have a legitimate interest to collect personal information about a child/young person and where appropriate parents/carers. This information is gathered for the purpose of forming a professional opinion or psychological formulation.  In so doing, the educational psychologists only collect information that is relevant to the purpose of undertaking that work and the associated reporting and advising.

​

What personal information is collected?

​

Personal information is only obtained with written consent from parents/carers/legal guardians.

The educational psychologists will collect personal information including name of the child/young person, date of birth, gender, contact address and telephone number. Educational psychology assessments often involve the processing of special category data, including information about health, educational achievements, cognitive functioning, personality, interests, and family history.

​

Personal information about a child/young person may be obtained from a third party including their school/education setting and other professionals/agencies (e.g. health services). This might include school reports and assessment data.

​

How is the information that has been collected then used and processed?

​

The information collected is used to form a professional opinion or psychological formulation of the child/young person’s strengths and needs, and advice on appropriate support. This is recorded in an educational psychologist report or other summary of involvement.

​

Reports and/or letters are predominantly shared with the child/young person’s parent/carer and the school/education setting through end-to-end encrypted email (e.g. Egress). The report or summary may also be shared with other professionals/agencies who are involved with the child/young person with parents’ consent.

​

How and where is personal information stored and kept safe?

​

We take the storage of personal data and special category data very seriously and have safeguards in place to protect against unlawful or unauthorised processing or accidental loss or damage.

​

Referral information and consent forms are stored securely in an electronic folder on a password protected laptop, an online cloud, and most recently an online platform. Paper copies are then destroyed.

​

Paper records (e.g., handwritten notes and test forms) are stored in a locked filing cabinet and are securely destroyed when no longer needed (e.g. when psychological formulation and reports have been completed).

​

Reports/summaries are stored on an encrypted password protected laptop, and an online cloud and platform.

If transported, the laptop will remain either in a locked environment or in the personal possession of the educational psychologists.

​

For how long will personal information be stored?

​

Personal data on clients is retained for 7 years, following guidelines from the British Psychological Society, Practice Guidelines, Third Edition, August 2017. During the 7th year, any electronic information and remaining paper records will then be deleted/destroyed.

​

This data is retained for the purposes of information if the client/data subject were re-referred to our service.

You have the right to access information and/or records that the educational psychologist holds about you. You can make a ‘subject access request’ (SAR) by contacting the Data Protection Officers (Dr Sarah Modi and/or Dr Craig Allen) in writing.

 

Client access to records will be restricted to information about themselves, or a child where they are the parent/legal guardian. Restrictions will apply when disclosure would violate the child/young person’s vital interests.

​

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover administrative costs in responding.

The educational psychologists will respond to your subject access request within one month of receipt. Normally, the educational psychologists will provide a complete response, including a copy of your personal information within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date received.

​

Under article 17 of the GDPR individuals have the right to have personal information erased. This is known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. In each situation, the educational psychologist will have to decide what information should be deleted. This will be based on the protection of the child/young person’s vital interests.

​

Use of Artificial Intelligence (AI):

At Mosaic Psychology we sometimes use secure AI tools to help with our work. This may include drafting and improving written reports, summarising information, exploring possible strategies, or supporting administrative tasks.

​

We do not upload identifiable client details such as names, addresses, or dates of birth into AI systems. Any information we use is anonymised or carefully edited to protect confidentiality. All AI outputs are always reviewed and refined by a qualified psychologist before being shared.

​

We use AI to save time on routine tasks and to improve the clarity and quality of our written communication. AI never replaces professional judgement or decision-making.

​

Data Breach Procedure:

​

Any data breeches will be dealt with as recommended by the Information Commissioner’s Office (ICO). Where appropriate a breach will be reported to the data subject(s) within 72 hours of the educational psychologist becoming aware.

​

Contact Details:

​

To contact the educational psychologists about anything to do with your personal information and data protection, including to make a subject access request, please use the following details (for the attention of Dr Sarah Modi/Dr Craig Allen Educational Psychologists/Data Controllers).

Email address: info@mosaicpsychology.co.uk

​

Changes to this Privacy Notice:

​

This Privacy Notice is regularly reviewed. It may be necessary to update or amend this Notice from time to time, for example if the law changes or if the educational psychology service delivery changes in a way that affects your privacy.

Revision History :

Notice published May 2021

Notice reformatted V4 August 2024

Changes issued August 2025

Next review date August 2026

Please contact us for a copy of our Data Protection Policy at info@mosaicpsychology.co.uk