In this statement we explain why personal and confidential information is held and how this is protected. Many of these procedures have been in place since BeginningwithA's inception. Some additional requirements have been specified by the General Data Protection Regulation or GDPR. which came into force on 25th May 2018.
See https://ico.org.uk if you would like more detail about GDPR, or contact BeginningwithA’s Data Protection Officer (DPO), Garry Neale at email@example.com.
There are three areas in which BeginningwithA stores and processes personal information in the course of conducting business: A. Personal details of past, present or potential training course customers. B. Personal details of past, present or potential clinical customers. C. Personal details of patients and volunteers in videos.
A. Training Course Customers
BeginningwithA maintains the training professionals email list (the "List”) comprising names and email addresses of people with a professional connection or interest in Autism Spectrum Disorders (ASD). The List includes:
- Customers who have attended or have booked to attend a BeginningwithA training course.
- Potential training course customers who have previously enquired about BeginningwithA services.
- Professionals who have registered on the BeginningwithA website to receive information on BeginningwithA products and services.
Mailshots to the List take place between two and four times a year.
Any member of the List can unsubscribe at any time. This is stated clearly on the website signup form and on every mailing sent to the List.
Information in the List is for exclusive use by BeginningwithA and will never passed to any other organisation or individual except in the course of processing data for the purposes described in this Policy statement.
Processing of the List within GDPR Requirements
- We believe that those on the List will be professionals with a reasonable expectation that the data will be processed and with a genuine interest in BeginningwithA services.
- Use of the List has minimal impact on privacy of individuals.
- The vast majority of customers in the List have had personal face-to-face contact with BeginningwithA, normally as participants in a BeginningwithA training event.
- Since January 2018, attendees at BeginningwithA training events are invited to sign a form indicating if they wish to receive emails from BeginningwithA in future. Anyone choosing not to sign will not be added to the List.
- BeginningwithA has concluded that the holding and processing of data in the List is justified under GDPR Article 6 “Legitimate Interest”.
B. Clinical Customers
Keeping records is an essential component of healthcare. Contact information such as name, postal address, telephone number and email address of a service user, parent or guardian enables us to contact you at all stages of our engagement.
Health related data, gathered from you, your child/relative and from other professionals (with your explicit consent) helps us in understanding how best to help and forms the basis of any reports needed.
An important and fundamental assumption in law, is that by engaging with BeginningwithA in the first instance you are consenting to records being kept. Given this assumption it is important therefore for you to know how and why we gather data, and how we store and process it.
How we Store your Data
Processes are in place to maximise confidentiality and BeginningwithA personnel / sub-contractors are required to follow these at all times when dealing with BeginningwithA clients and their data.
Your information will not be shared with others without your explicit and written informed consent unless there are exceptional circumstances such as risk to yourself or others. At those times other services such as your GP or police may be contacted, without your consent, as this is a professional obligation.
Information recorded on paper will be securely stored in a locked filing cabinet and accessed only by those approved by the data protection officer
Confidential digital information will be stored on hard disc and in a GDPR compliant secure cloud service offering high levels of security.
All electronic devices (e.g. computer, laptop, smartphone) used to store and access information will themselves be password protected and carry a facility to immediately delete all information in the event of loss.
C. Patients and Volunteers in Videos
The GDPR applies to “personal data”, which effectively means any information that can be used, directly or indirectly, to identify a living individual. In this respect, video footage containing imagery of clearly identifiable individuals should be considered as identifying data.
Video footage also falls within the definition of “personal data” under the existing legislative framework (the Data Protection Directive and the Data Protection Act 1998).
Videos showing patients and volunteers are used by BeginningwithA for two main purposes:
Videos of volunteer subjects are used in the training of professionals in the assessment and diagnosis of autism spectrum disorders.
Patient assessment sessions may, with consent, be recorded on video in order to share with clinical professionals. This is to facilitate multi-disciplinary input to assessment and treatment processes.
Security and Control of Videos
Videos are kept on a server in the form that does not permit downloading or sharing. when a video needs to be made available to other professionals for clinical or training purposes, the video is made available online and will never be distributed by DVD, USB memory or any other portable or copiable device.
A video may refer in title and in content to the first name of the patient. Second names and other identifying details are not used.
Consent is obtained from the patient or from the patient’s parent/caregiver before video is taken. Depending on the purpose of the video, the consent form will relate to training or to sharing with colleagues for clinical purposes.
Clinical videos are retained for as long as is required for assessment and/or treatment of the patient. Once a clinical video is no longer required it is deleted from the Vimeo server.