General Data Protection Regulation (2018)
Data protection policy and retention schedule
Data protection officer
- Dr Leona Black
- Email: [email protected]
Contents
- Introduction
- Why is personal information collected?
- Consent
- What types of information and data are collected?
- Lawful basis for processing data
- How is the information that has been collected then used and processed?
- How personal and sensitive information is stored and kept safe 7.1 Data security 7.2 Data breach procedure
- How long is the information kept for? (Data retention schedule)
- How can collected information be viewed, deleted or changed? (Subject Access Request procedure)
- Complaints
- Date of current policy and review period
1. Introduction
Dr Leona Black (and all Associate Educational Psychologists) aim to be as clear as possible about how and why information about you is used so that you can be confident that your privacy is protected. This policy describes the information that Dr Leona Black (and all Associate Educational Psychologist) collects when you use her Educational Psychology service. This includes personal and sensitive information as defined by the General Data Protection Regulation (GDPR) 2018 and the UK Data Protection Bill 2018.
The policy describes how your information is managed when you use the service. Dr Leona Black (and all Associate Educational Psychologist) uses the information collected in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2018.
If you have any queries about this policy, please contact the data controller directly. If you are not satisfied with the answers provided, or if you require any further information, you can contact the Information Commissioner's Office (ICO) at www.ico.org.uk.
2. Why is personal information collected?
- To conduct consultations with key staff and parents/carers
- To conduct observations in class
- To conduct a psychological assessment of the child or young person
- To communicate with you, send reports to you, contact you regarding appointments, provide feedback after an assessment or consultation, or to send invoices
- To carry out and deliver a service we have been contracted to do, either by yourself or by your child’s school, nursery or educational setting. This is primarily an educational psychology service
- In the case of child protection/case conference, etc.
- If an initial enquiry has been made about a potential referral, from either a parent or school, information is collected while the client decides whether to use the service. NB. In initial discussion with schools, prior to parental consent being granted, the full names of children are not used.
3. Consent
Consent is an ongoing process and can vary depending on the time, place and activity.
If consent is not given, then no educational psychology involvement will take place.
If the parent/carer has given consent, this is for the initial piece of work (consultation or assessment) and also the review consultation and any subsequent pieces of work.
If a parent/carer or school requests educational psychology involvement more than one year after initial involvement, then explicit verbal consent will be requested from parents/carers for involvement, so long as there is evidence of signed consent. This is to ensure that consent is still valid and provided. Consent-givers are also able to withdraw their consent at any time by contacting the data holder (Dr Leona Black).
Guidance from the Department for Education states that, for the sake of efficiency, only one adult with parental responsibility needs to provide consent. However, if there is another adult who shares parental responsibility, whether they are in the family home or not, and there is a suspicion that they would refuse consent, then they must be given an opportunity to do so. If all adults with parental responsibility are not in agreement, then psychological involvement cannot proceed until the position has reached a resolution or there had been a determination of the issue by the Family Court. This is accepted practice across the UK.
4. What types of information and data are collected?
Legitimate Interest
Given the context and nature of our relationship, the intended purpose for collecting and processing your personal data is for educational psychology support and to consider what support is required to remove barriers to learning. Therefore, there is a legitimate interest to collect your relevant data for the purpose of forming a professional opinion.
In so doing, the only information collected from you will be relevant to the purpose of undertaking that consultation, assessment and the associated and expected reporting, profiling and advising. This can include:
- Background information (e.g. family name, date/place of birth, address, phone numbers, areas of strength and need, medical conditions, other services involved)
- Special category data (e.g. race, ethnic origin, religious beliefs, physical or mental health conditions, criminal convictions)
- Psychological reports for children and young people
- Assessment materials
- Email enquiries (schools are asked not to use a child or young person’s name in emails, only initials)
5. Lawful basis for processing data
- Signed consent forms by parent/carers
- All data is collected from children and young people with full parental consent
- Data needs to be processed to comply with a legal obligation of the data holder
- Data needs to be processed in order to save someone’s life
- Processing of data is necessary to perform a task in the public interest or to carry out some official function
6. How is the information that has been collected then used and processed?
- To carry out consultation meetings with key staff and parents/carers and then record this in consultation records/advice
- To carry out the service requested, including interpreting, hypothesising and scoring test information, compiled into a record of involvement (written report or verbal feedback)
- Reports are stored electronically and shared with parents, schools and other professionals (with prior consent)
- Assessment materials are held in paper copies (destroyed after assessment and reporting) and results stored electronically
- Hard copies of reports may be sent via post to multi-agency professionals (e.g. Paediatricians, Speech and Language Therapists)
- Electronic reports are shared using encrypted PDF, with passwords sent separately
7. How personal and sensitive information is stored and kept safe:
7.1 Data security
- Assessment materials, notes and consent forms are in a locked filing cabinet or stored in encrypted electronic files
- Computer has an encrypted drive where reports are stored
- Firewall and anti-virus software on computer
- Electronic data is backed up and password protected
7.2 Data Breach Procedure
- The Information Commissioner’s Office (ICO) will be contacted within 72 hours of becoming aware of a data breach
- Schools and parent/carers will be contacted within a reasonable time frame if a data breach occurs
- Once a report is sent to a school or parent/carer, responsibility for its protection rests with them and their GDPR policies
8. How long is the information kept for?
In line with GDPR’s principle of storage limitation, information is only kept for as long as it is needed for its original purpose (educational psychology involvement, professional accountability, safeguarding, or legal defense). Once the information is no longer required for these purposes, it is securely destroyed.
Handwritten notes from observations and consultations – shredded after the report is completed, because all necessary information is contained within the report itself.
Paper copies of assessment materials – destroyed after the involvement and report are completed, because the information is recorded in the final report.
Electronic copies of reports – retained for 10 years from the final date of involvement (as written on the report), to ensure a professional record is available if needed for safeguarding, demonstrating professional accountability, or defending against legal claims. Signed parent/carer consent forms and school focus forms – retained for 5 years from the final date of involvement (as written on the report), as evidence that informed consent was given.
In the event of ceasing to practise – personal data will continue to be stored securely for the stated retention period, after which it will be permanently deleted.
In the event of death – all data will be deleted by a trusted, DBS-checked third party.
9.1 How can collected information be viewed, deleted or changed?
Subject Access Request Procedure
- Subjects can request information by contacting the Data Protection Officer (Dr Leona Black)
- Verification of identity may be requested
- Data may be withheld if disclosure would violate a child or young person’s vital interests
- Requests for data deletion will be considered in line with legal/professional obligations (e.g. safeguarding, defending legal claims, professional accountability)
- If deletion is appropriate, it will be carried out without undue delay
10. Complaints
- Any complaints should first be directed to Dr Leona Black. If unsatisfied, contact the ICO.
11. Date of current policy and review period
- Data policy created April 2018
- Data policy amended August 2025
- Data policy will be next reviewed in August 2026