What is GDPR?
1. Why do we collect information about you?
There are a number of lawful reasons that Autism Unravelled can use (or 'process') your personal information. One of the lawful reasons is called 'legitimate interests'. This means that Autism Unravelled can process your personal information if:
• We have a genuine and legitimate reason and we are not harming any of your rights and interests
When you provide your personal details we use your information for our legitimate business interests (i.e. to support in the treatment of you/your child). Before doing this, though, we will also carefully consider and balance any potential impact on you and your rights.
2. What information do we collect about you?
To be able to provide assessment and therapy services to you/your child we will need to collect information about you/your child. This may include the following:
• Full name
• Contact details including phone number
• Email address
• Date of birth
• School / place of employment
• Relationships and children
• GP details and other professionals involved in you/your child’s care
• Physical and mental health history
• Payment preferences/bank details for invoicing
3. How do we store your information?
Autism Unravelled take your privacy very seriously. We have put in place a number of security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Please do not hesitate to ask us more about these if you would like further information.
All personal information provided is stored in compliance with EU General Data Protection Regulations (GDPR) rules.
4. How long will we keep you information for?
We are required to keep records securely for a period of 7 years (or for 7 years after a child’s 18th birthday). Records will then be destroyed.
5. Who do we share your personal information with?
We hold information about each of our clients and the therapy they receive in confidence. We will not normally share your personal information with anyone else. However, there are exceptions to this when there may be need for liaison with other parties:
· If you are referred by your health insurance provider, or otherwise claiming through a health insurance policy to fund therapy, then we will share appointment schedules with that organisation for the purposes of billing. We may also share information with that organisation to provide treatment updates.
· In accordance with our professional code of conduct we receive clinical supervision, relating to our work and share sensitive data but will not disclose personal data.
In exceptional circumstances, we might need to share personal information with relevant authorities:
· When there is need-to-know information for another health provider, such as your GP.
· When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
· When the information concerns risk of harm to the client, or risk of harm to another adult or a child. We will discuss such a proposed disclosure with you unless we believe that to do so could increase the level of risk to you or to someone else.
We will not use your information for marketing purposes.
6. What are your rights?
You have the right to request access to the data that we hold on you free of charge. You also have the right to request the correction or deletion of information that you believe to be inaccurate in accordance with the guidelines and requirements for record keeping by The Health and Care Professions Council (HCPC; 2017).
You are able to exercise certain rights in relation to your personal data that we process.
· In relation to a Subject Access Right request, you may request that we inform you of the data we hold about you and how we process it. We will not charge a fee for responding to this request unless your request is clearly unfounded, repetitive or excessive in which case we may charge a reasonable fee or decline to respond.
· We will, in most cases, reply within one month of the date of the request unless your request is complex or you have made a large number of requests in which case we will notify you of any delay and will in any event reply within 3 months.
· If you wish to make a Subject Access Request, please email firstname.lastname@example.org . You have a right to get your personal information corrected if it is inaccurate.
· We are committed to protecting your personal data but if for some reason you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We should be grateful if you would contact us first by email email@example.com if you do have a complaint so that we can try to resolve it for you.
 Health and Care Professions Council (2017). Confidentiality – guidance for registrants. London: HCPC.