Privacy Policy

This privacy notice has been written to be understood by both adults and children, as children are a large part of our service and should be involved in decisions about sharing personal data with us. Where we are providing our service to children, parents or guardians should also read this notice as they tend to make referrals for their children and because they are sometimes responsible for exercising their child’s data protection rights on their behalf (e.g., if the child is young). This privacy notice also applies to all employees, workers and consultants or contractors. Historic versions of our privacy notice can be obtained by contacting us.

  1. The purpose of this privacy policy 
  2. Contacting us (for queries or concerns)
  3. What type of information do we collect?
  4. How do we get the information and why do we have it?
  5. What do we do with the information we have?
  6. How do we store your information?
  7. Using cookies
  8. Who we may share your personal data with
  9. International transfers
  10. How long do we keep your data?
  11. What are your data protection rights?
  12. How can I make a complaint?

1. The purpose of this privacy policy 

Shropshire Autism Service Ltd collects and uses personal data about you, and is the “controller” for that personal data. Personal data is any information that identifies you. You have a right by law to be informed about why we use your data and how we process it. It is important that you understand the risks and implications of sharing information with us, as well as the security measures we have in place to protect your privacy. You can then decide if you want to share personal data with us.

This notice describes what information we collect about you, where we get it from, what we use it for, and how we store it. It also lists your data protection rights.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to provide you with our services. In this case, we may have to cancel our contract or engagement with you, but we will notify you if this is the case at the time.

2. Contacting us (for queries or concerns)

If you have any questions about our processing of data, please phone us on 0300 303 0667 or you can contact us via our contact form. Paragraph 12 below contains information about making complaints.

 3. What type of information do we collect?

We may collect, use, store, and transfer different kinds of personal data about you which we have grouped together as follows:

  1. Identity data is information about your identity and includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, and gender.
  2. Contact data is information we need in order to contact you and includes billing address, delivery address, email addresses, and telephone numbers – including a summary of each contact we have with you.
  3. Clinical data is information relevant to our assessment and/or therapeutic work.
  4. Financial data is information we need in order to make payments to or take payments from you and includes bank account and payment card details.
  5. Transaction data is the details of payments to and from you, and other details of services you have purchased from us.
  6. Technical data is information which we automatically capture when you visit our website and includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  7. Profile data includes your purchases, your interests, preferences, feedback, and survey responses.
  8. Usage data is information about how you use our website and services.
  9. Marketing and communications data is your preferences in receiving marketing from us and our third parties and your communication preferences.
  10. Recorded data is the audio and/or visual recordings made from telephone calls, video conferencing, and/or CCTV recordings.

Where you are an employee, worker or consultant or contractor, we collect and process the following further information about you:

  1. Date of birth 
  2. Gender 
  3. Marital status and dependents 
  4. National insurance number 
  5. Bank account details, payroll records, and tax status information
  6. Salary, annual leave, pension, and benefits information

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data, but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

Marketing: In respect of marketing, you can ask us, or third parties, to stop sending you marketing messages by following the opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us as a result of services provided to you or other transactions.

4. How do we get the information and why do we have it?

Most of the data we get about you is provided directly by you or your parents/guardians. We also sometimes need to speak to other people who know you, such as teachers or social workers. We collect this information so that we can provide the service you have asked for (or advise you about available services). This is known as a “contractual obligation” under law and this allows us to process your personal data legally.

There are some situations when a contractual obligation is not the most appropriate lawful basis for processing; for example “contracts” with older children may not be valid. We therefore rely on a different reason to process your data, which is known as “legitimate interests”. This means that there is a benefit to the processing that justifies any impact. More often than not, the benefit is that you get the help or support that has been recommended by a healthcare professional. We take on extra responsibility for protecting your rights when using legitimate interests as the lawful basis.

Because we process data related to your health, which is known as “special category data” because it is highly sensitive and requires more protection, we are required by law to identify a further condition for collecting information about you. Under law, we can process this information because it is necessary for the provision of health care and treatment and providing medical diagnoses.

If you are an employee, worker, consultant or contractor, we collect your personal data via the application and recruitment process, either directly from you or sometimes an employment agency or background check provider, and we process your data in the following circumstances:

  1. Where we need to fulfil our contractual obligations with you. 
  2. Where we need to comply with a legal obligation
  3. Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  1. Where we need to protect your interests (or someone else’s interests).
  2. Where it is needed in the public interest or for official purposes.

More specific information is in the table below:

Purpose/activity: To register or engage you as a client, patient, employee, worker, consultant or contractor.
Type of data: 1. Identity. 2. Contact.
Lawful basis for processing including basis of legitimate interest: Performance of a contract with you.

Purpose/activity: To deliver services to you, including: 1. Providing advice, reports. 2. Managing payments, fees and charges. 3. Collecting and recovering money owed to us.
Type of data: 1. Identity. 2. Contact. 3. Clinical. 4. Financial. 5. Transaction. 6. Marketing and communications.
Lawful basis for processing including basis of legitimate interest: 1. Performance of a contract with you. 2. Necessary for our legitimate interests (to recover debts due to us and/or our clients). 3. Consent.

Purpose/activity: To deal with your application for employment or engagement with us as an employee, worker, consultant or contractor.
Type of data: 1. Identity. 2. Contact. 3. Financial.
Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to administer our recruitment or engagement process).

Purpose/activity: To manage our relationship with you which will include: 1. Notifying you about changes to our terms or privacy policy. 2. Asking you to leave a review or take a survey.
Type of data: 1. Identity. 2. Contact. 3. Profile. 4. Marketing and communications.
Lawful basis for processing including basis of legitimate interest: 1. Performance of a contract with you. 2. Necessary to comply with a legal obligation. 3. Necessary for our legitimate interests (to keep our records updated and to study if our clients are happy with our services).

Purpose/activity: To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
Type of data: 1. Identity. 2. Contact. 3. Technical.
Lawful basis for processing including basis of legitimate interest: 1. Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). 2. Necessary to comply with a legal obligation.

Purpose/activity: 1. To protect and secure our buildings/assets and the well-being of staff, clients, patients, visitors, venue owners/operators. 2. For training and monitoring purposes.
Type of data: 1. Identity. 2. Contact. 3. Financial. 4. Transaction. 5. Recorded.
Lawful basis for processing including basis of legitimate interest: 1. Necessary for our legitimate business interests (to protect our business). 2. Necessary for our legitimate business interests (to provide you and/or our clients with our advice). 3. Necessary to comply with a legal obligation.

Purpose/activity: To use data analytics to improve our website, products/services, marketing, customer relationships and experiences.
Type of data: 1. Technical. 2. Usage.
Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to define types of clients or patients for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy).

Purpose/activity: To make suggestions and recommendations to you about services that may be of interest to you.
Type of data: 1. Identity. 2. Contact. 3. Clinical. 4. Technical. 5. Usage. 6. Profile.
Lawful basis for processing including basis of legitimate interest: 1. Necessary for our legitimate interests (to develop our services and grow our business). 2. Consent.

If you interact with our website, we may automatically collect technical data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies. Please see paragraph 7 below for more information on cookies.

5. What do we do with the information we have?

We use the information that you have given us in order to:

  1. Contact you about our services
  2. Provide you with services using our own employees or by using consultants or contractors 
  3. Maintain accurate and identifiable clinical records
  4. Create written reports
  5. Generate invoices and record payments
  6. Improve our services and the usefulness of our website, software applications and other platforms used for communication and/or to provide services.
  7. Improve our practice through clinical supervision.  

We may share personal information about you with other professionals, such as your GP. Your permission would be obtained before we did this. The only exception would be if we were worried about your or another person’s safety; in which case we can share information without your permission. Our clinical supervisors and accountant will also see some information. This is on a need-to-know basis; so our accountant, for example, will only see your postal address that is recorded on invoices.

Where you are an employee, worker or self-employed consultant or contractor, we will use your data for the following further purposes:

  1. Making a decision about your recruitment or appointment, for example, by using the data collected from your CV.
  2. Determining the terms on which you work for us.
  3. Determining whether your engagement is deemed employment for the purposes of Chapter 10 of Part 2 of the Income Tax (Earnings and Pensions) Act 2003 (ITEPA 2003) and providing you with a status determination statement in accordance with the applicable provisions of ITEPA 2003.
  4. Checking you are legally entitled to work in the UK, for example, by using the data collected from your passport and/or driving licence and your national insurance number.
  5. Paying you and, if you are an employee or deemed employee for tax purposes, deducting tax and national insurance contributions (NICs).
  6. Complying with our contract with you.

6. How do we store your information?

Your personal data is stored securely on a number of different systems:

Storage: Secure cloud-based computing software (accessed on company smartphones and laptops only)

  1. Type of information: Emails and calendar – minimal personal data will be transmitted or stored in this form
     Retention period: Relevant information will be extracted and put in clinical record and then the email will be deleted or entry anonymised (and the record removed from the system within 180 days of this)
  2. Type of information: Clinical records and reports (backup)
     Retention period: Copy will be kept until the child’s 25th birthday – or 26th birthday if child was 17 when contact ended – or eight years after death (and the record removed from the system within 180 days of this)

Storage: Encrypted company smartphones

  1. Type of information: Contact details and log
     Retention period: Entry will be deleted once contact is complete
  2. Type of information: Text messages and voicemails – minimal personal data will be transmitted or stored in this form
     Retention period: Relevant information will be extracted and put in clinical record and then the message will be deleted

Storage: Encrypted company laptops

  1. Type of information: Clinical records and reports
     Retention period: Copy will be kept until the child’s 25th birthday (or 26th birthday if the child was 17 when contact ended) or eight years after death
  2. Type of information: Photography and video recordings
     Retention period: Entry will be deleted once contact is complete

Storage: Lockable filing cabinets

  1. Type of information: Handwritten clinical records
     Retention period: Notes will be scanned and uploaded to an encrypted laptop once contact is complete, and the originals destroyed securely
  2. Type of information: Assessment booklets
     Retention period: Destroyed securely after report has been written and agreed with family

Storage: Secure cloud-based accounting software

  1. Type of information: Invoices and payment record
     Retention period: Copy will be kept for a minimum of six years from the end of the last company financial year

The security measures that we have in place include:

  1. Staff training in general security awareness and cyber security
  2. Policies concerning the use of email and company equipment, and mobile working
  3. Laptops have encryption and anti-virus software installed, and this software is kept up-to-date
  4. Use of cloud-based software that is secure
  5. Backup system for personal data
  6. Portable equipment, including handwritten clinical records, is stored in locked cabinets, in a locked room/building when not in use
  7. Secure disposal of personal data

Whilst these security measures will help to protect your personal data, we cannot guarantee that the information you share with us is 100% secure. 

7. Using cookies 

Our website uses cookies which are text files placed on your computer used to make our website work, or work more efficiently, as well as providing us with information about how our website is used. The table below shows the cookies that we use and why.

Cookie: Universal Analytics (Google)
Name: _ga, _gali, _gat, _gid
Purpose: These cookies are used to collect information about how you use our website. We use the information to create reports and to help us improve the website.

The cookies collect information in a way that does not directly identify anyone, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited.

To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.

8. Who we may share your personal data with  

We may share your personal data with the parties set out below for the purposes set out under the heading “How do we get the information and why do we have it?” above:

Party: People outside of our organisation
Description: This may include:

  • People providing a service to us: for example our advisers, agents, representatives, consultants or contractors who will process your personal data on our behalf (or if you are an employee, worker, consultant or contractor, third party providers providing services such as payroll, pension administration, benefits provision and administration and IT services).
  • People who advise us: for example the following service providers: our lawyers, financial advisors, auditors, bankers and insurers, who will process your personal data on our behalf.

HM Revenue & Customs, regulators and other authorities who will process your personal data on our behalf and also control your data alongside us from the United Kingdom because they require reporting of processing activities in certain circumstances.

Google – We may use Google services for specific features on our website that process your personal data. When consent is given, data may be processed according to Google’s Privacy & Terms site for specific functionalities such as analytics and advertising. Amongst other things, through that site you should be able to understand:

  • what information Google collects and why, how Google uses it, and how you can review, manage, delete and update it;
  • how Google uses personal information it receives from sites or apps that use Google’s advertising services; and
  • how personal data is shared across Google services and how Google handles personal data received from Google’s advertising partners.

Party: Parties to whom we may choose to sell, transfer or merge parts of our business or possessions
Description: We may seek to buy other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

The table above gives some examples of the third parties we share our data with. We have given examples because our third-party suppliers change from time to time. If you would like to see an up-to-date list of the third parties we share our data with, just ask us and we will be happy to provide it to you. 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Third party websites: Our website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

9. International transfers 

We do not transfer your personal data outside of the United Kingdom. 

10. How long do we keep your data?

We will only keep your personal data for as long as we need it to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. 

We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine how long we keep your personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

Details of how long we keep your personal data for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.

 11. What are your data protection rights?

Under data protection law, you have rights including:

  1. The right to ask us for copies of your personal information
  2. The right to ask us to rectify information you think is inaccurate, or to complete information you think is incomplete
  3. The right to ask us to erase your personal information
  4. The right to ask us to restrict the processing of your information
  5. The right to object to the processing of your personal data
  6. The right to ask that we transfer the information you gave us to another organisation, or to you

Some of these rights only apply in certain circumstances. Please contact us on the number or email address above if you would like to make a request. You are not required to pay a fee for exercising your rights, unless the request is manifestly unfounded or excessive, and we may deny your request in these circumstances.

If you make a request, we have one month to respond to you. Occasionally, it could take us longer than a month if your request is complex or you have made a number of requests (or we need to clarify your request or verify your identity). In this case, we will notify you and keep you updated.

If the information we hold about you is inaccurate and you would like us to rectify it, please let us know. In certain circumstances you can also ask our client to erase the information or restrict the use of the information. You can also object to how your information is being used in limited circumstances. You can contact us using the means stated in paragraph 2 above.

12. How can I make a complaint?

If there are any issues you would like to discuss in relation to the way we have used your personal data, please contact us using the means stated in paragraph 2 above. Alternatively, you can contact the Information Commissioner’s Office (ICO). The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Their contact number is: 0303 123 1113. Further information on how to complain to the ICO can be found at http://ico.org.uk/complaints.