Data Protection

Background information about data protection

Early Years Occupational Therapy provides Occupational Therapy assessment and intervention services to children, adolescents and their families. Early Years Occupational Therapy aims to be as transparent as possible regarding how and why information is collected and stored so that you can be confident that your privacy is protected and all measures are taken to reduce the likelihood of breach of data. 

Personal data that is collected to enable service delivery is managed in accordance with Data Protection Legislation (The Data Protection Acts of 1988 and 2003), EU General Data Protection Regulation (GDPR) guidelines, and the Association of Occupational Therapists Ireland Code of Ethics and Professional Conduct ( 2013). The process for handling any personal data is detailed in this policy.

Data Controller contact details

Name: Ruth McKenna

E-mail: ruthmckenna@earlyyearsot.ie

If you have any queries about this policy, please contact the Data Controller directly.

If you require any further information, you can contact The Data Protection Commission (DPC).

Categories of Personal Information Collected:

  1. Personal Data: Any information about a living person, where that person either is identified or could be identified. With respect to you or your child, this information may include contact information  (name, address, telephone number) and general information for the delivery of services to you such as appointment dates, correspondence etc.

  2. Special Category Data: Certain types of sensitive personal data, called ‘special categories’, are subject to additional protection under the GDPR. This may be collected only with your consent to do so and the legal basis for doing so is to deliver services for which you have contracted the service to do for you. Examples of sensitive personal data are details with respect to the developmental, physical, and mental health history of the individual and their family (only limited information pertaining to wider family history is collected and is kept anonymous). This data is needed in order to carry out contracted services.

How data is collected

Consent forms:

Consent forms collect personal details which identify the child and parent for the purposes of demonstrating consent for the contracted service and enabling (where necessary) communication with the family (for example; family name, child's date of birth, address, telephone numbers, email address).

The legal basis for collecting this information is for the purpose of obtaining consent.

Screening and Assessment forms:

Screening and assessment forms collect personal information regarding your child. The information is collected in order to inform the nature of service delivery and to carry out the contracted service.  

The legal basis for collecting this information is for the purposes of delivery a contracted service.

Clinic sessions:

During clinic sessions, information may be collected with respect to your child’s/ family’s history of developmental health, mental-health, physical health, relevant family circumstances, involvement with other services, personal concerns and other relevant sensitive information. Clinical observations and test results may also be recorded relating to your child.

The legal basis for collecting this information is for the purposes of delivery of a contracted service.

Contact with other professionals:

With your consent, information may be collected from other professionals involved in your child's care such as relevant reports or case-notes from another service or relevant information from your child's child minder/ creche/ pre-school/ school regarding your child’s functioning in those settings.

The legal basis for collecting this information is for the purposes of delivery of a contracted service.

Information pertaining to self-harm/ suicidal ideation/intent:

If there is any concern with respect to self-harm/suicidal ideation/intent then specific information with respect to this risk will be collected to ensure that the individual concerned receives appropriate guidance to the relevant services in order to protect and support them.

The legal basis for collecting this information is to protect the vital interests of the individual.

Information pertaining to harm/ neglect/ abuse :

If there is a concern that a child or vulnerable parent may be subject to harm/ neglect/ abuse of any form or if it is disclosed that they have been subject to harm/ neglect/ abuse of any kind in the past then then information collected in this respect will be done so to ensure that appropriate referrals are made to protect and support the child in line with the Children First Act (2015).

The legal basis for collecting this information is to protect the vital interests of the individual.

Potential client enquiries:

If the service is contacted about the possible provision of services, then it may be necessary to collect some information about you and/ or your child via telephone. Website enquires may also involve the collection of personal information regarding the delivery of services.

The legal basis for this is a legitimate interest in conducting the service to ensure that it is the appropriate service in which we can offer a contract with you to meet your needs (additional safeguards are taken to ensure the rights of the data subject are protected including data minimisation and an opt-out measure).

Associate professionals:

Associate professionals that engage in contracted work with Early years Occupational Therapy will be required to show evidence of qualifications, professional indemnity, Garda vetting, next of kin, personal contact and account details for payment, and public liability cover.

The legal basis for this is a contractual obligation between the data controller and the associate professional.

Payment information:

The service is required to hold information on payments received for financial records. This information may include:

  • Your full name

  • The date and amount of the transaction

  • If the payment is made on your behalf, the details of the payee

  • Credit card / debit card details are not stored but will appear as a transaction on our AIB bank statement.

The legal basis for collecting this information is for the purposes of delivery of a contracted service.

Extent of information collected:

Only the necessary amount of information needed to provide quality services will be collected.

How the service uses information collected

Consent, Screening, and Assessment Forms:

Some of the information in these forms is used in reports or consultation records that may be written about the child. Some information (for example, your email address) may also be used for sharing relevant materials with you online.

Clinic sessions:

Information gathered in clinic sessions may be used in reports or consultation records. If you are a parent and have commissioned the service yourself, you are the owner of the report and are solely responsible for determining who it is shared with. If the work has been commissioned by a creche/ school (with your consent), the findings are shared with the creche/ school in a report or consultation record. At this point the document becomes the responsibility of the creche/ school. The school will then share this document with you. The service may also, from time to time and if it is appropriate to do so, share the documentation (or key findings from it) with other professionals. Your consent for us to do this is provided in our consent form.

Contact with other professionals:

Information gathered from other professionals/ agencies may be reported in reports or consultation records.

Potential client enquiries:

This information may be used for further correspondence in order to determine if you wish to proceed with a contracted service (for example, e-mail, follow-up phone call, posting of consent and assessment forms) or if you would like to opt-out of the service in which case your records will be deleted.

Information related to self-harm/ suicidal ideation/ intent:

This information may be shared with the relevant services via face-to-face meeting, telephone, letter, or encrypted e-mail. If this is required, it will be done in consultation with you.

Information related to neglect:

This information may be shared with the relevant services via face-to-face meeting, telephone, letter, or e-mail. If this is required, it will be done in consultation with you, unless doing so is deemed to pose a significant risk to the child.

  

Associate professionals:

We keep your details for the duration of your Associate Agreement with Early Years Occupational Therapy, and for one year afterwards.

Payment information:

The service is required to hold information on payments received for financial records. This information may include:

  • Your full name

  • The date and amount of the transaction

  • If the payment is made on your behalf, details of the payee

  • Credit card/debit card details are not stored but will appear as a transaction on our AIB bank statement

Administrative Services:

If administrative services are recruited as part of Early Years Occupational Therapy then they will need to process your data and will do so in accordance with this data protection and privacy policy.

Where information is stored and how safety is ensured

We are committed to ensuring that the personal information we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable electronic (Halaxy) and managerial procedures, to safeguard and secure personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. All client information collected will be uploaded to Halaxy on the day the information is collected. Once uploaded, the physical copy of the information will be shredded immediately. We cannot guarantee the security of any information that is transmitted to or by us over the Internet. The transmission and exchange of information is carried out at your own risk. Although we take measures to safeguard against unauthorised disclosures of information, we cannot assure you that the personal information we collect will not be disclosed in a manner that is inconsistent with this Privacy Policy.

 

Associate professionals will delete any word documents and emails from their own password protected computers which were used to write the reports so they have no remaining client information once the service contract is completed.

The service e-mail provider is privateemail.com.

Information collected in relation to potential client enquiries will be stored on Halaxy. If you contact us but do not decide to proceed with the service, we will delete your details without delay. Enquires made via the website are not stored on the website. Such enquiries are sent by privateemail.com and when the service contacts clients and arranges appointments this information will then be transferred to Halaxy. If the service contacts a client following a web enquiry and they do not wish to proceed then that e-mail with their personal information and any verbal information given over the phone will be deleted.

Associate professionals

Personal information will be stored electronically in password-protected documents.

How long information is stored

All personal and sensitive data that that is held about an adult is retained for seven years after which it is deleted, made anonymous or destroyed. For children and adolescents this seven year retention period starts at the age of 18 years.

In the case of death by suicide, data will be retained for a period of 10 years after death.

 

Retention periods may change in line with any new statutory or regulatory guidelines that come in to effect.

 

In relation to potential clients, if you contact us but do not decide to proceed with the service, we will delete your details without delay.

Your data protection rights as a client of the service

Under GDPR your rights include:

  • The right to be informed if, how, and why your/ your child’s data are being processed.

  • The right to access and get a copy of any data kept about you/ your child in the service. Information may not be provided if it is considered that providing the information will violate the child or young person’s vital interests. There is no charge for this and copies of data will be provided within one month of date of request.

  • The right to have any data corrected or supplemented if it is inaccurate or incomplete.

  • The right to have your data deleted or erased. However, this right may be limited by the clinician’s obligation to comply with statutory or regulatory requirements for retaining data.

  • The right to limit or restrict how your data are used.

  • The right to data portability (the right to have your data transferred to another data controller). This is unless doing so is deemed to pose a risk to the child/ adolescent.

  • The right to object to processing of your data.

  • The right not to be subject to automated decisions without human involvement, where it would significantly affect you.

You can exercise these rights by contacting the data controller, Ruth McKenna at ruthmckenna@earlyyearsot.com.

More information on your data rights, their extent and limitations, and how to exercise them, can be found on the guidance for individuals section on the Data Protection Commission website.

Data breach procedure

From 25 May 2018, the General Data Protection Regulation (GDPR) introduced a requirement for organisations to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals. In such event happening to your data at Early Years Occupational Therapy, the Data Controller, Ruth McKenna, will contact the Data Protection Commission to notify them of this breach in accordance with their procedures. This will be done within the legal requirement of 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to you or your child then you will be informed without delay.

Automated decision-making or profiling

The service does not use any personal data for the purpose of automated decision-making or profiling.

Communications

E-mails will only be sent with your consent and will be sent using a secured internet connection. Any document attachments in e-mails containing personal information will be encrypted. 

In the event that you cannot answer a phone call, voice-mails will not be left on phones if you do not have a personalised voice-message confirming that it is your phone.

You have the right to ask the service not to contact you. If you are actively engaged with a contracted service then we will require your request in an e-mail to discontinue the contracted service or alternative arrangements to contact you for the duration needed to complete the service you have requested by contract.

Confidentiality 

All information disclosed is treated as private and confidential in line with GDPR guidelines and the Occupational Therapy Code Of Professional Conduct And Ethics (2013). Exceptions to confidentiality arise where a need to disclose information when there is a perceived risk to an individual or their behaviour places others at risk. In which case this information will need to be disclosed to relevant services (for example, CAMHS, Paediatrician, GP, A&E consultants, TUSLA, Social Worker). Client information may also need to be disclosed in the case of a court order under legal requirements.