In this policy, the legislation of the General Data Protection Regulation (“GDPR”) Act 2018 is disseminated by means of a series of practical and logical steps to help secure good practice. Good practice includes, but is not limited to, compliance with the requirements of the Data Protection Act 2018. TNP recognises a statutory duty to promote good practice in the handling of personal information.
1. TNP will routinely share information in the following ways:
i) The sharing of information between two or more parties in the form of disclosing limited information once off or sharing substantial information detailing the particulars of potential clients which are sent to TNP by the clients. TNP will, in turn, share information about students and clients with consultants, Therapists, or potential Consultants & Therapists. The sharing of this information may extend to schools, social service departments, and/or specialist education departments in councils which look after the interests of vulnerable children such as those in care.
ii) The sharing of information Consultants & therapists, clients and their families between the Directors and administrative staff of TNP.
2. The decision to share personal information will be based on strict necessity for TNP. Any information that is shared will be relevant and warranted.
i) It is necessary for TNP to share information in order to:
· Match /Consultants/therapists with potential clients and their families
· Provide Consultants/Therapists with information on potential clients and students, and pass on relevant personal details on acceptance of support/tuition/therapy assignments.
· Investigate any concerns regarding consultants/tutors/LSAs/therapists, clients and students
- Share information regarding a client’s progress with clients and relevant agencies.
· Share information with relevant parties in accordance with TNP Child Protection Policy, for example: social services / police.
ii) The impact of holding and sharing sensitive information will be assessed in each case. This is necessary in order to consider the effect that the possession or disclosure of such information may have on the data subject. Some examples of sensitive information might be:
· A client may refer a consultant/therapist regarding gaps in their knowledge or cite weaknesses in their performance.
· A council referring a vulnerable child for extra tuition/support/therapy may disclose information regarding their special educational needs or behaviour in order to source an appropriate tconsultant/therapist.
iii) There are a variety of circumstances in which personal information may be disclosed to TNP about clients. Consultants/Therapists and staff will always ensure that information is only shared when and with whom it is strictly necessary; taking care not to divulge confidential information to any unauthorised third party. To this end, wherever possible, only the students’ initials or first name should be used in any correspondence.
iv) TNP, staff/consultants/therapists may need to share the following types of information so that they have good quality information about their students before they start their assignment:
· Personal details of the clients, parents, carers or guardians such as their name, telephone number, address, email address.
· Personal details of the students such as their name, telephone number, address, and information that is relevant to their tuition/support/therapy. In the case of adult students, this information could include information about their job and possibly their educational background. In the case of young people, information could include test results, school reports, areas of concern such as behaviour, EHCPs or safety issues (medical conditions, allergies and behavioural needs, for example). For all young people, and especially vulnerable young people, our policy is not to communicate via mobile phones or email, but rather via parents or carers, for example, when necessary to arrange or change a tuition/support/therapy session. It may be appropriate to correspond via email directly with a student in some instances (for example when this relates to homework or work related tasks); on these occasions the client / parent / carer must be copied into the emails.
· Personal details about consultants/therapists relevant to their work as a consultants/therapists such as their qualifications and/or experience. Sharing this information will enable consultants/therapists to make informed decisions about which assignments they accept and help them to provide the best possible service and match. This is also important to ensure the safety and welfare of the young person and consultants/therapists. Every effort will be taken to ensure that only relevant information and the minimum necessary to achieve the objective will be shared.
v) In some instances it may be that legal requirements dictate that KITE TLS shares information, or prevents KITE TLS from doing so. There might be occasions where it will be necessary to share information in the case of medical emergencies, criminal activities, suspected criminal activities or of suspected danger to a client or student. In cases of a serious emergency or criminal act, reporting the incident to the relevant authorities is clearly a legal and moral duty, and in these circumstances it is recognised that considerations of data protection may be secondary to the need to deal with the emergency. For TNP a particular instance of the need to share information beyond what would normally be the case is any incident or concern about safeguarding. vi) The sharing of confidential or sensitive information must be carried out in a way that minimises inappropriate or unnecessary distribution in order to protect individuals from damage, distress or embarrassment. It is important to obtain explicit consent from TNP and clients before disseminating sensitive information detailed in EHCPs for example.
vii) The primary responsibility for ensuring that information is handled appropriately lies with the organisation that originally collects that information. It is therefore important that where a client is referred[KS1] to TNP by an organisation or individual, that party must only divulge necessary information and ensure that they have consent to share it. Should TNP and/or their consultants/therapists become aware that information has mistakenly been released by an organisation or individual, necessary corrective action will be taken immediately. Furthermore, should TNP wish to publish case studies or client results, the explicit, written consent of the client must be obtained in advance of any publication. The identity of the client should be anonymised as a general rule and in accordance with their wishes.
3. TNP will process personal information fairly and lawfully. In the interests of fairness and transparency, the following information will be shared:
· Details about the identity of the person or organisation receiving the information;
· The purpose the information will be processed for;
4. All personal information on clients and associates gained during the course of their duties will remain confidential.
i) In order to ensure confidentiality, all information regarding service users must not be disclosed either orally or in writing to unauthorised persons. All written records, computer records and correspondence pertaining to any aspect of TNP’s activities must be kept securely at all times. All associates of TNP have an obligation to ensure that electronic devices are protected from inappropriate access by ensuring that devices, passwords and encryption codes are kept securely. During telephonic conversations, the authenticity of the caller must be checked prior to the disclosure of any sensitive information. Confidential discussions regarding clients should not take place within earshot of any passers-by in public areas like cloak rooms, reception areas or corridors. All work related matters pertaining to organisations and associates must also be preserved with the same confidentiality.
ii) All company information must be kept confidential and can only be shared with third parties after gaining prior written consent from TNP.
5. To maintain the integrity of information consultants/therapists and associates must check that it is adequate, relevant, not excessive, accurate and up to date.
· Sharing information should be done only insofar as is necessary to achieve a given objective.
· Extracted written information from official documents may be shared where relevant, without sharing the document in its entirety.
· Where new information comes to light, TNP should be updated accordingly to maintain up to date records.
6. Personal information should only be retained for as long as necessary. When clients support is terminated, their personal information should be deleted from electronic sources and hard copies should be shredded by TNP and associated consultants/therapists within a year of cessation.
7. Personal information will be protected by appropriate technical and organisational measures as follows:
· TNP consultants/therapists support staff and associates undertake to keep all personal and sensitive information as securely as possible. Hard copy / printed information will be locked away and electronic information will be password protected.
· The use of memory sticks to back up and transfer data is prohibited.
· TNP, consultants/therapists, support staff and associates must maintain and regularly run anti-virus software on their computers to ensure high levels of security.
· Should TNP receive any sensitive information in error, the sender will be informed and it will be returned / deleted with immediate effect.
8. Individuals will have rightful access to information about them which is held by TNP Information will be held uniformly in an orderly way so as it can be easily retrieved should the data subject wish to review it. The source of and purpose for the information held will also be recorded. In certain circumstances where information may be legitimately withheld for legal purposes pertaining to whistleblowing or allegations of criminal misconduct, the responsible authorities will control the amount of information that is permitted to be shared with the data subject.
9. TNP will evaluate and review this policy annually (at minimum) to ensure its efficacy.