EPT GDPR Policy and Contract
Last updated May 2020
EPT Clinic’s Consent and GDPR Policy Please take your time to read this policy carefully.
The Education, Psychology and Therapy Clinic (EPT Clinic) is committed to ensuring that the privacy is protected of everyone associated with the Clinic, including, but not limited to clients, families, staff, trainees, and website and social media users. This policy explains how personal information is collected and stored, and the procedures that are in place for information to be safeguarded.
The Clinic only uses personal information in line with relevant legislation, including the General Data Protection Regulation. Personal information is any information related to a person who can be identified either directly or indirectly through that information. The GDPR applies to ‘controllers’ and ‘processors’. The controller says how and why the personal data is processed. The processor acts on the controller’s behalf. GDPR affords clients many rights including:
• Having their personal data appropriately stored and protected;
• Knowledge about how their personal data is being used;
• Access to their own personal information, and other content that forms part of records that are related to them;
• To ask that their personal information be updated, corrected, deleted or supplemented;
• To request that their information is transferred to another individual or company;
• To know if their personal information is forwarded to any third-party (e.g. school);
• Prevent further use (or processing) of their information;
• Have their personal data deleted when no longer required to be held for legitimate purposes (e.g. to fulfil professional or legal obligations).
The Clinic complies with the above requests unless it considers that there are compelling reasons not to do so. In that case, the individual is informed of this decision and of the steps that they can take to appeal against the decision.
Therapists and healthcare professionals within the EPT Clinic require personal details about clients including, but not limited to, name, age, gender, contact details, personal relationships, developmental and family history, significant life events and any involvement of other services and/or professionals. Families who are clients of the clinic are typically provided with a written report, summary or feedback following involvement with the EPT Clinic. Clients have the right to verify the accuracy of their own personal information or to ask for it to be supplemented, deleted, updated or corrected.
1. What is the basis for holding personal information?
1.1. That the information relates to an individual who has newly contacted the Clinic, in which case explicit consent has been given by the individual for the information to be held. (The ‘consent’ basis.)
1.2. The information relates to an individual with whom the Clinic has had a professional relationship with and there is a reasonable belief that the individual would expect that the relationship would include the holding of personal information (The ‘legitimate interest’ basis).
2. Children and parental consent
2.1. This policy applies both to children and to adults.
2.2. Where consent is relied upon as the basis for processing personal information and the individual is under 18 years of age, then parental consent will be required.
3. How will the data be used? EPT GDPR Policy and Contract Last updated May 2020
3.1. Data is used for the purpose of providing therapy and intervention to the named client/s and for completing professional assessment reports. As the EPT Clinic operates a multi-disciplinary team, information is shared amongst team members and relevant consultants where appropriate in order to ensure the family receives holistic support.
3.2. In line with best practice guidelines, all members of the team engage in clinical supervision. This means that cases are discussed with a superior to ensure a high standard of healthcare.
3.3. Any material used in case studies or training sessions will be adequately disguised, where appropriate, to ensure the client’s identity is protected.
3.4. Therapists usually keep brief notes for their own use while seeing a child and will usually maintain casenotes, recording factual information, when the sessions come to an end. Some or all of these notes and/or summary may be held until the child reaches the age of 25 unless a ‘mature’ child requests that they be deleted before then. At that point they will be securely destroyed. Parents do not typically have access to any notes or files in relation to the child’s therapy sessions.
3.5. Therapists work in accordance with the Children First Act 2015, legal requirements, and a code of ethics and are obliged to report any child protection concerns that arise in the course of their work.
4. Sharing information
4.1. With the exceptions noted below, the Clinic does not share personal information with any third party. However, the Clinic will share personal information with a third party if:
4.1.1. The individual requests this.
4.1.2. The Clinic has an immediate concern about an individual’s safety.
4.1.3. The Clinic has a safeguarding concern.
4.1.4. The Clinic requests and receives specific permission from the individual to share their personal information, for example, in order to process a referral, or in the case of informed consent for training or research purposes.
4.1.5. There is a requirement by law to share this information.
4.1.6. If a concern arises in the clinic regarding a client’s safety, in line with Children’s First guidelines, Gardai and a Social Worker may be contacted.
5. Immediate concerns about an individual’s safety
5.1. The Clinic will consider sharing personal information without the individual’s permission if there is a serious and immediate concern that the individual is at risk of committing suicide.
5.2. This sharing might be with the person holding medical responsibility for the individual or, in the case of a child, with the parent or carer.
5.3. Wherever possible this will be discussed with the individual before this step is taken.
6. Booking an Appointment or Paying Online
6.1. Some information needs to be collected when online bookings or payments are completed through the Clinic’s website. For example, it is necessary to know the purchaser’s name, child’s name, date of birth (for assessment), credit or debit card number and expiry date, email address and telephone number. This information allows the transaction to be completed and the order fulfilled.
6.2. Payments are processed by four third party agencies, Bank of Ireland, Stripe, Acuity and Squarespace, and any necessary details are passed on so that the payment and bookings can be processed. These third parties have undertaken that they will protect that information.
6.3. The Clinic does not share customer details with any other third parties.
7. Legal Proceedings
7.1. Therapists do not become involved in legal proceedings or provide court reports unless an agreement to undertake an assessment and/or intervention has been specifically agreed and a contract for such work exists. This is not such a contract. If subpoenaed to court, therapists can be obliged to share information in their possession, not just that which either parent may wish to introduce. Please see Court Proceedings Fee Policy for details.