Privacy Policy
Privacy Notice
Data Protection and GDPR Policy
1. Introduction
This policy explains how NI Private Speech Therapy handles personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and professional standards set by the Health and Care Professions Council (HCPC) and the Royal College of Speech and Language Therapists (RCSLT).
As a self-employed Speech and Language Therapist, I am both the data controller and data processor for all client information that I collect.
I am registered with the Information Commissioner’s Office (ICO) as a data controller.
More information about data protection can be found at www.ico.org.uk
2. Purpose of Processing Personal Data
I collect, store, and use personal data to provide safe, effective, and individualised speech and language therapy services to adults and children.
3. What Personal Data I Collect
The type of personal information collected depends on your needs but may include:
- Contact details (name, address, date of birth, phone number, email).
- Health, medical, developmental, and educational history.
- Assessment results, therapy plans, and progress notes.
- Reports or correspondence from other professionals.
- Payment and invoicing information.
- For children and dependent adults: parent, carer, or guardian contact details.
- Sensitive data such as health information, race, or ethnic origin, where relevant.
I only collect information that is necessary and relevant for the purpose of assessment and therapy.
4. Legal Basis for Processing
I process personal data under the following lawful bases defined in Article 6 of the UK GDPR:
- Consent – where you have given explicit consent for assessment or therapy.
- Contract – where data processing is necessary to provide a service you have requested.
- Legal obligation – to meet professional and legal requirements (e.g. HCPC standards, safeguarding).
- Vital interests – to protect someone from serious harm.
- Legitimate interests – for safe, effective clinical practice and business operation.
Where I collect special category data (health information), processing is based on Article 9(2)(h) – for the provision of health care or treatment.
5. Data Sharing
Personal data will only be shared when it is necessary and appropriate for your care, or when required by law.
Examples include:
- With other professionals involved in care (e.g. GP, teacher, psychologist, or another therapist).
- With your consent, reports may be shared with schools, referrers, or other relevant organisations.
- In safeguarding situations or where required by court order, I may share information without consent to protect a child or adult at risk.
All sharing is conducted securely and proportionately.
6. Confidentiality
Confidentiality is fundamental to professional practice. All client information is treated as strictly confidential and will not be discussed outside therapy except where:
- The client (or parent/guardian) has provided consent to share information.
- There is a legal or professional obligation to disclose information (e.g. safeguarding concerns).
- Disclosure is required to prevent serious harm to the client or others.
All staff, contractors, and third parties with access to data are bound by confidentiality agreements and data processing terms.
7. Record Keeping and Retention
I maintain accurate and up-to-date records of assessment, therapy, and correspondence.
Records are stored securely:
- Paper records are kept in a locked cabinet.
- Electronic files are stored on encrypted, password-protected devices.
- Emails are sent through secure, password-protected accounts.
- Client records are stored securely using WriteUpp, a UK-based practice management system designed for healthcare professionals. WriteUpp acts as a data processor on my behalf and processes data in accordance with UK GDPR requirements. Data is stored securely and access is restricted to authorised users only.
Retention follows HCPC and RCSLT guidance:
- Adults: Records retained for five years after therapy ends.
- Children: Records retained until the child’s 25th birthday (or 26th if the child was 17 when therapy ended).
After this period, all data is securely deleted or shredded.
8. Your Rights
Under the UK GDPR, you have the right to:
- Access your personal data.
- Request correction of inaccurate information.
- Request deletion of your data (where legally possible).
- Restrict or object to processing.
- Withdraw consent at any time.
- Request transfer of your data to another provider.
Requests can be made verbally or in writing and will be responded to within one calendar month.
9. Third Parties Who Process Data on My Behalf
I may use trusted third-party service providers who act as data processors on my behalf. These providers only process personal data under my instruction and in accordance with UK GDPR.
These may include:
- WriteUpp – a UK-based practice management system used for clinical records, appointment management, and correspondence.
- Accountant – for financial record keeping and tax purposes.
- Secure IT or cloud storage providers – for file storage and backup.
- Website and email providers – for hosting and communication.
All data processors are required to apply appropriate technical and organisational measures to protect personal data and do not use data for their own purposes.
10. Website and Cookies
My website may use cookies (small data files) to ensure functionality and to collect anonymised usage statistics.
Further information about the cookies used, their purpose, and how to manage your preferences is available in the Cookie Policy, which is accessible via the website.
You can also choose to accept or decline cookies through your browser settings.
If you use a contact form, your details are stored securely and used only to respond to your enquiry.
11. Payments
Payments made by bank transfer are processed directly between your bank and mine.
If payments are made via third-party processors (e.g. PayPal), transactions are governed by their own privacy policies. I do not access your card details.
12. Data Breach Procedure
I take all reasonable steps to avoid data breaches. In the event of a breach:
- The breach will be contained and assessed immediately.
- Details will be recorded in the Data Breach Log.
- If there is any risk to individuals’ rights or freedoms, the ICO will be notified within 72 hours.
- Affected individuals will be informed where necessary.
All incidents are reviewed to prevent recurrence.
13. Complaints Procedure
If you have a concern or complaint about how your data is handled, please contact me directly in the first instance:
Data Controller: Suzanne Turner – Speech and Language Therapist
contact@niprivatespeechtherapy.com
Telephone: 07703763799
If your concern is not resolved, you may contact the Information Commissioner’s Office (ICO): www.ico.org.uk/concerns | Tel: 0303 123 1113
14. Policy Review
This policy is reviewed annually or sooner if there are changes to legal or professional requirements.
Date of last review: 13th January 2025
Name: Suzanne Turner
Role: Speech & Language Therapist / Data Controller
