Who am I?
Sole Trader: Caroline Ashton, Independent Adult Speech & Language Therapist
Address: 66 Newberries Avenue, Radlett, WD7 7EP
I provide Independent Speech & Language Therapy to clients living in Hertfordshire, Middlesex and Barnet who have had a stroke and are experiencing communication difficulties. My practice is General Data Protection Regulation (GDPR) compliant. I am the data controller and I am registered with the Information Commissioner’s Office (ICO). I am legally required to be registered with the Health and Care Professions Council (HCPC) and am bound to adhere to the standards set by them.
What personal data do I collect about you?
I collect personal (e.g. name, date of birth, address, email, telephone number), medical, social, speech and language information necessary to be able to assess, provide therapy and appropriate speech & language therapy management to you. All information will be kept in my notes.
How do I collect personal data about you?
The following are the different ways in which I may collect personal data about you:
Information may be collected via spoken or written information from you or your partner/spouse/family members/next of kin
In the first instance, from yourself or your family/partner/spouse/next of kin/friend/GP/Consultant/Stroke group co-ordinator on an initial phone call/email re a referral to my practice
Initially you or your partner/spouse/family member/next of kin will complete my questionnaire prior to the initial assessment or at the initial assessment with myself, asking for your personal details (address, email, telephone number, date of birth), past and present medical history, social history, speech and language therapy history, goals of therapy, GP and next of kin details
With consent, I may approach other people involved in your care and obtain written or verbal information from them via emails (only using your initials) or telephone conversations. This may include previous NHS Speech & Language Therapists, Research Speech & Language Therapists, Occupational Therapists, Psychologists, Neuropsychologists, Physiotherapists, GPs and Consultants and Stroke/Head injury co-ordinators and so forth
With consent, from previous reports/letters; GP letters, multidisciplinary reports, discharge reports, Consultant letters, NHS Speech & Language discharge letters/reports
Any information emailed to me (including when first making contact with me to enquire about my services) will be included in your notes
I will also ask you or your partner/spouse/family member/next of kin to read and sign my treatment contract, which also includes my Terms and Conditions
How do I share and use your personal data?
At the initial meeting, I will also ask you or your partner/spouse/family member/next of kin to read and sign a consent form, giving me consent to share your information verbally or in writing with other Professionals involved in your care. This may include other Speech & Language Therapists (NHS & Independent), Research Speech & Language Therapists or any other Professionals, for example Neuropsychologists, Psychologists, Occupational Therapists, Physiotherapists, GP, Consultants and Stroke/Head injury support groups. The consent form will be kept in your records. I will not share any information without consent, unless required by law. For instance, if I am concerned about your wellbeing, then I am legally obliged to inform relevant agencies and share information with them. All letters or reports sent out (with consent) will have you copied into them.
I use your personal data to help plan, prepare and provide speech and language therapy appropriate to your needs. Any sensitive personal details are stored in a secure and confidential system and processed in confidence and shall only be used for the purposes of delivering appropriate speech and language service.
I use your personal data to contact you via telephone (including text message), email (using only initials) and post. I contact you through these methods to arrange/confirm/change session times, for general communication between sessions, and to send letters/reports. I also use your personal data (with consent) when communicating information verbally or in writing with other Professionals involved in your care. I will use your personal data on invoices and receipts, but I will give them to you in person. I can email invoices and receipts on your request, with only client initials. Medical insurance companies request your personal data when invoices are submitted, which is usually done through a secure website or by post.
Please note that if consenting to email correspondence, you understand that emails are never 100% safe, even though I will always only write your initials on emails. I will send emails with password protection when sending initial or discharge letters/reports. I am looking into purchasing encryption software.
I conduct clinical audits of my caseload. In this case, I only record initials as a method to identify clients. Results of audits presented to others will have all client identifiers removed.
How long do I keep your personal data for?
I keep your information in accordance with the guidelines set by my professional bodies with regard to the length of storing your data. Your data will be stored for 8 years after discharge, unless there are other circumstances, such as mental health problems, where your data is stored for 20 years.
After this time frame all records pertaining to you will be destroyed. Your paper notes will be shredded and all electronic files pertaining to you will be erased. This includes any audio or video recordings (which you consented to) that may have been stored. Most are erased immediately after each session, unless used to determine progress.
How do I store your data?
At present I use a mixture of paper notes and electronic files. After discharge, all electronic files are stored on an encrypted USB stick, to which only I have the password, and are locked in a metal cabinet. All paper notes are stored in a locked metal cabinet.
The minimum of confidential information will be taken off site, for home visits. Any information off-site will be kept with me at all times and stored safely upon return.
With regard to audio/video recordings, these will only be taken with consent. Most will be erased immediately after each session, unless kept for comparison for before/after therapy to determine progress. In this case, such recordings will also be destroyed after 8 years post-discharge. Any audio recordings are saved using your initials only and date recorded. I will not ask you to say your name or other identifying information on an audio recording.
I will never give or sell your personal details to any third party. I am the data controller, and only I have control of your data in my practice. I do not employ a secretary or any other agents to process personal data.
Meeting my professional obligations
It is a legal requirement for all Speech and Language Therapists to be registered with the Health and Care Professions Council (HCPC). The HCPC has clear standards of conduct, performance and ethics that all registrants must adhere to. These standards affect the way in which we process and share information. Specifically:
Standard 2: Communicate appropriately and effectively
“You must share relevant information, where appropriate, with colleagues involved in the care, treatment or other services provided to a service user.”
Standard 10: Keep records of your work
“You must keep full, clear, and accurate records for everyone you care for, treat, or provide other services to. You must complete all records promptly and as soon as possible after providing care, treatment or other services. You must keep records secure by protecting them from loss, damage or inappropriate access.”
What legal basis do I have for using your information?
My lawful basis for processing and storing information is one of ‘legitimate interest’ (under article 6 of GDPR). I cannot adequately deliver a service to clients without processing their personal information.
As it is both a necessity for my service delivery and of benefit to clients, I have legitimate interest to process their data. Data relating to an individual's health is classified as ‘Special Category Data’ under section 9 of GDPR.
The regulations specify that health professionals who are “legally bound to professional secrecy” may have a lawful basis for processing this data. Speech and Language Therapists are bound to keep client information confidential and it is under this condition that I process and store personal information.
What rights do you have in relation to the data I hold on you?
By law, you have a number of rights when it comes to your personal data. The most important of these are as follows:
The right to be informed: You have the right to be provided with clear, transparent and easily understandable information about how I use your information and your rights. This is why I am providing you with this information.
The right of access: You have the right to obtain access to any information I have on you. If you would like a copy of your notes, please send a letter requesting this, with your original signature for my records. A copy of your records is provided free of charge. I will provide access to your records within 30 days of receipt of all necessary information.
The right to rectification: You are entitled to have your record amended if you believe it is incorrect.
The right to erasure: This is also known as the ‘right to be forgotten’ and, in simple terms it enables you to request the deletion or removal of your information. However, as I deal with ‘Special Category’ information, processing is necessary for me to professionally work with you. As a Health Care Professional, I can withdraw this consent and keep your notes.
The right to withdraw from consent: If you or your family member/spouse/partner/next of kin have given consent to anything I do with your personal data, you have the right to withdraw consent at any time (although if you do so, it does not mean that anything I have done with your personal data with your consent up to that point is unlawful) e.g. you may no longer wish for a discharge report to be sent to your GP. This right also includes your right to withdraw from working with me.
Breach of data
This includes hacking, unauthorised use of sensitive data, human error, unforeseen circumstances such as fire or flood, or any other breach of data.
When I become aware of any breach of data, the following actions will take place:
An incident form will be completed, detailing the time and nature of the breach, and if it is still ongoing.
An investigation will take place to determine if any data can be recovered or limit the damage of the breach. The full consequences of the breach will be considered, and all parties who need to know about the breach will be notified. Experts may be consulted for their advice about how to manage the situation.
A risk assessment will be drawn up (or existing risk assessment re-examined) to minimise the risk of such a breach re-occurring if possible.
How will I contact you?
I may contact you by phone, email (personal data removed) and occasional SMS messages re appointment changes to you/a family member. If you prefer a particular contact means over another, please just let me know.
How can you contact Caroline Ashton?
If you would like a copy of your records, please request in writing to:
Address: 66 Newberries Avenue, Radlett, WD7 7EP
If you have any further questions about how I use your information, please contact