About the Service
Treehouse Practice Limited is a multidisciplinary child and adolescent service providing psychology, speech and language therapy, occupational therapy, and psychotherapy services to young people and their parents/carers.
How we protect and manage your personal data
Although we need to collect and hold certain personal data in order to deliver services, we are committed to protecting and respecting your privacy. This policy provides an overview of how we comply with the current Data Protection Legislation (the Data Protection Acts of 1988 and 2003) and the new EU guidelines known as GDPR (General Data Protection Regulation). The policy outlines the basis on which any personal data that you provide to the service will be processed.
How the service obtains personal information and purpose specification
If you contact the service by telephone, email, or by other means, we may keep a record of that contact. We may keep records of any meetings and sessions in the form of written or electronic notes. We may receive correspondence from you or from other healthcare professionals relating to your case.
The information held on you falls into two categories, Personal Data and Special Category Data. Although both categories of information are held in order to deliver a service to you, we will ask for your explicit written consent to holding Special Category data.
Contact information: This information may include data to identify you and your child including your contact information:
• Your and your child’s full names
• Your child’s date of birth
• Your address
• Your telephone number(s)
• Your email address
General Information: We hold general information that you have provided to the service and which we use to manage the delivery of services to you. Some of this information also enables us to comply with our legal or regulatory obligations. This information may include:
• The individual or organisation that referred you/your child (where relevant)
• A record of appointment dates and attendance
• General and administrative correspondence
• Information on the type and location of sessions
Familial relationships: We may ask for a nominated next of kin to ensure that we are able to comply with sensible health and safety arrangements. If we require consent from a parent or guardian to deliver services, or if a family member, guardian, or other agreed person is directly involved in your case, then we will need to hold contact and general information about those individuals.
Special Category data
Due to the nature of the service we may need to process data relating to your physical and mental health. The General Data Protection Regulation deems data concerning health to be a special category of personal data, which means that we need specific reasons for processing this data. These reasons relate to the type of services that we deliver to you, but we believe it is also important to get your informed consent to holding this data. The service holds sufficient information for the declared purpose in order to provide a fair and comprehensive service to you. We only hold information that is relevant to the purpose it serves, and the information collected is reviewed at the initial and closing stages to ensure that it is sufficient and not excessive.
This information may include:
• Your reasons for contacting this service
• The name and contact details for your GP
• The name and contact details for other healthcare professionals involved in your/your child’s care
• Significant physical or mental health details for you/your child including medication
• The type of therapeutic service being offered to you
• Correspondence from or to you about your/your child’s case
• Correspondence from or to other healthcare professionals about your case
• Correspondence from third parties about possible referrals
• Writing or drawing or objects that you/your child have produced as part of the therapeutic work
• Completed consent forms
• Session notes
The practice is required to hold information on payments received for financial records. This information may include:
• Your full name
• The date and amount of the transaction
• If the payment is made on your behalf, details of the payee
• Credit card/debit card details are not stored but will appear as a transaction on our AIB card machine
Who we share your data with
There may be the need to share your/your child’s Special Category Data with other healthcare professionals involved in your case, but we will make sure you are aware of this. All clinicians are required to undergo formal supervision. As part of these sessions it may be necessary to discuss your/your child’s Personal or Special Category data with the supervisor who will be a qualified healthcare professional operating under terms of confidentiality.
As a practice, we have given significant consideration to the ethical requirements cited by the current governing bodies for the clinicians in the practice.
Clinical notes are kept to a minimum of headings and abbreviations as an aide memoire.
We do not keep information about you/your child any longer than is necessary. The length of time we keep your data may be determined by statutory or regulatory requirements. After a period of seven years, all personal and sensitive data that is held about an adult is deleted or destroyed. The exception to this is death by suicide, in which case the retention period is 10 years after death. Purging of data occurs on an annual basis.
In the case of individuals under the age of 18 years, this seven year period commences at the age of 18 years.
Where we store your data
All relevant client digital data is held by our software partner Cliniko, securely on their servers (and “cloud” based). Cliniko are fully compliant with all EU Legislation pertaining to GDPR and have in-built checks to make sure that we are compliant with procedures relating to consent. Cliniko is accessible only by clinicians within the practice.
All physical material is secured in locked storage when not in use. This includes information about your contact details as well as any other information you may share during the course of your/your child’s therapy/assessment.
In the unlikely event of data being lost or compromised we will tell you what has happened, unless you have stated that you do not wish to be contacted by the service, and inform the Office of the Data Protection Commissioner where the loss involves sensitive data. Where devices or equipment containing personal or sensitive data are lost or stolen the Data Protection Commissioner is notified only where data on such devices is not encrypted.
Contact, whether by telephone, email, website, or other means, to make appointments will not be saved beyond what is necessary. Texts and emails are regularly deleted after the appointment is made. We will keep records of the dates of any meetings and minimal notes as aide-memoires.
Limits to Confidentiality
Client records are private and confidential unless required by law, the client or others are deemed to be at risk, where a young person may be at risk, or your/your child’s behaviour may pose a threat or risk to others. In the event of any risk arising either to your own well-being or to third parties, we will request permission from you to speak to an appropriate person, such as your GP or another health related professional (such as a social worker). Information relevant to the situation may be shared with such a professional in the event of risk. Likewise, records may be shared via a court order for disclosure or under a legal requirement.
Your Rights under Data Protection Legislation
You have various rights under the relevant data protection legislation. If you wish to exercise any of these rights, then please contact the service via email on firstname.lastname@example.org
Subject Access: You have the right to see what information the practice holds about you/your child. There is no fee for this.
Rectification: You have the right to ask the practice to correct any personal data we hold about you that is wrong. If you feel this is the case, then please let us know.
Erasure: You have the right to ask us to erase any information we hold about you. However, this right may be limited by our need to comply with statutory or regulatory requirements for retaining data.
Communications: You have the right to ask us not to contact you. This may be for specific purposes or you may not wish to be contacted at all. Obviously, we will need permission to contact you if you are an active client so that we can continue to deliver the agreed services to you.
In the event of your request for access to the therapist’s records, the following restrictions may apply.
Restrictions on Access to Medical Data and Social Work Data
Data Protection Act-Right to Access Exemptions
The rules are set out in the Data Protection (Subject Access Modification) (Health) Order 2000 (SI 2000/413). The Data Protection (Access Modification) (Health) Regulations, 1989 (S.I. No. 82 of 1989) provide that health data relating to an individual should not be made available to the individual, in response to an access request, if that would be likely to cause serious harm to the physical or mental health of the data subject.
Information about Other Individuals
Section 4(4) of the Data Protection Act makes special provision for dealing with the personal data of another individual. A data controller is not obliged to comply with an access request if that would result in disclosing data about another individual, unless that other individual has consented to the disclosure. However, the data controller is obliged to disclose so much of the information as can be supplied without identifying the other individual, e.g. by omitting names or other identifying particulars.
Expressions of opinion
Where personal data consists of an expression of opinion about the data subject by another person, the data subject has a right to access that opinion except if that opinion was given in confidence. If the opinion was not given in confidence then the possible identification of the individual who gave it does not exempt it from access.
Contact regarding data protection issues
Treehouse Practice Limited has appointed a Data Protection Officer (DPO) to ensure compliance with the new regulations and to liaise with anyone who has a query. All queries will be dealt with in a confidential manner. You can contact the DPO, in writing, to: Data Protection Officer, Treehouse Practice Ltd, 3 Cubes 3, Beacon South Quarter, Sandyford, Dublin 18