Data Protection and Privacy Policy - KT Healthcare

Kirsop-Taylor Healthcare Ltd (trading as KT Healthcare) provides Speech and Language Therapy, Occupational Therapy, Physiotherapy and Music Therapy Services to adults and children. KT Healthcare complies with the General Data Protection Regulation (GDPR) and is committed to protecting your personal information. This policy describes our procedures for ensuring that personal information about our clients and their families is processed fairly and lawfully. It contains important information about what personal details we collect, what we do with the information, who we may share it with and why; and your choices and rights when it comes to the personal information you have given us.

We may need to make changes to this Privacy Policy in the future and will inform you of any important changes.

KT Healthcare is registered with the Information Commissioner’s Office (ICO) and is the data controller/processor. You can view our ICO registration by visiting: Each consultant that is contracted by KT Healthcare also has their own individual ICO registration.

KT Healthcare assumes the function of data controller and supervises the compliance with General Data Protection Regulation (GDPR) within the business.

  1. Information we collect
  2. Where we get our information
  3. How we use the information we collect
  4. Information we share
  5. How and when consent is obtained
  6. How we protect your data
  7. Protecting your rights to data
  8. Security of your personal data

1 Information we collect

KT Healthcare holds personal data as part of conducting a professional service. The data falls under the following headings: healthcare records, educational records, clinical records, general administrative records, financial records, and employee records.

1.1 Healthcare records

A healthcare record refers to all information collected, processed and held both in manual and electronic formats pertaining to the service user and their care. A wide range of information may be collected in order to best meet the needs of the client, and to maintain a high-quality service which meets best practice requirements.

Examples of data collected and held on all current and active clients include the following:

  • Contact details: name, address, phone numbers, e-mail address
  • Personal details: date of birth
  • Other contacts: name and contact details of GP and any other relevant healthcare professionals

    For child services:

  • Parent/guardian details
  • Description of family
  • Educational placements (if you do not wish for us to contact your child’s educational placement please notify us immediately)

  • Pre- and post-natal history: This can include information relating to mother’s pregnancy and child’s birth.
  • Developmental data: developmental milestones, feeding history, audiology history.
  • Medical details: such as any relevant illnesses, medications, and relevant family history.
  • Reports from other relevant allied health professionals such as: Audiology, Psychology, CAMHS (Child & Adolescent Mental Health Services), Speech and Language Therapy, Occupational Therapy, Physiotherapy, Psychotherapy, Ophthalmology, ENT, etc.

    For adult services:

  • Employment/vocational history
  • Family and social history
  • Mental health
  • Medical details: such as any relevant illnesses, medications, and relevant family history
  • Reports from other relevant allied health professionals such as: Audiology, Psychology, Occupational Therapy, Physiotherapy, Ophthalmology, Neurology, ENT, etc.

  • Other information may also be collected if it is relevant to a specific case.

1.2 Educational records

Relevant Individual Educational Plans (IEPs), progress notes from educational staff and school reports may be held, as well as case notes relating to discussions with educational staff.

1.3 Clinical records

Specific data in relation to the client’s difficulties may be collected and held, such as assessment forms, reports, case notes, e-mails, text messages and transcripts of phone calls. Audio and video files may also be collected and stored.

1.4 General administrative records

KT Healthcare may hold information regarding attendance reports and accident report forms.

1.5 Financial records

A financial record pertains to all financial information concerning the practice, e.g. invoices, receipts, information for Revenue. KT Healthcare may hold data in relation to: attendance and purchasing history, card payments, bank details, receipts and invoices. Information will include name of bill payer, client name, address and record of invoices and payments made. KT Healthcare may also hold supplier information, including the name, address and bank details of supplier.

1.6 Employee records

KT Healthcare holds records for each individual employee and contractor. These include CV, name, address, date of birth, DBS records, copies of identification, copies of qualification and training certificates, copies of car insurance details, revenue and employee registration documentation, management and performance notes.

2 Where we get our information

Personal data will be provided by the client, or in the case of a child (under 16 years), their parent(s)/guardian(s). This information will be collected as part of a case history form prior to, or on the date of first contact.

Information may also be provided directly from relevant third parties such as case managers, schools, medical professionals and allied health professionals, with prior consent from the client or parent(s)/guardian(s).

Personal data will be provided by the employee/contractor on commencing employment, and periodically during the period of employment as required to update records.

3 How we use the information that we collect

We use the information we collect to provide assessment and therapy as per the relevant professional guidelines, as well as to maintain the general running of the business, such as keeping our accounts, managing employee records, and updating you of any changes in policies or fees.

Information may also be used for research purposes, with the written consent of the client or parent/guardian.

3.1 Data retention periods

The retention periods are the suggested time periods for which the records should be held based on the organisation’s needs, legal and/or fiscal precedence or historical purposes. Following the retention deadline, all data will be destroyed under confidential means.

3.2 Client records

3.2.1 Healthcare, Educational and Clinical records, and general administrative records

KT Healthcare keeps electronic records of clinical data in order to provide a service. Each individual therapist may keep some paper assessments. If these are too large to be uploaded to the electronic records, they will be kept in a locked cabinet with clients’ initials only.

• Clinical data is deleted or confidentially destroyed after 2 years from last invoiced session.
• Clinical data used for research purposes (with the client’s permission) may be kept for longer than 2 years.

• Video or voice recordings relating to client care or videoconferencing records may be recorded with consent, analysed and then destroyed. If written consent is provided to use recordings for training purposes, the client will have the option to withdraw consent at any time.

3.2.2 Financial records

KT Healthcare keeps electronic records of financial data from those who use our services.

Section 886 of the Direct Tax Acts states that the Revenue Commissioners require records to be retained for a minimum period of six years after the completion of the transactions, acts or operations to which they relate. These requirements apply to manual and electronic records equally. Therefore:

• Financial Data is kept for 6 years to adhere to Revenue guidelines.
• Financial Data (including non-payment of bills) can be given to Revenue at Revenue’s


3.2.3 Employee records

KT Healthcare keeps electronic and paper records of employee/contractor data for a period of 6 years after termination of employment by either party. This is to allow for accurate references to be given if requested for further employment or education opportunities, and to contribute to accurate Financial Data if required.

3.2.4 Contact Data

Contact Data is kept for 6 years to allow processing of Financial Data if required. (This may be retained for longer for safety, legal request, or child protection reasons.)

3.3 Exceptions

If under investigation or if litigation is likely, files must be held in original form indefinitely; otherwise, files are held for the minimum periods set out above.

4 Information we share

We do not share personal information with companies, organisations and individuals outside KT Healthcare unless one of the following circumstances applies:

4.1 With client consent:

We will share personal information with other relevant health care providers or educational providers when we have your written consent to do so. We require opt-in consent for the sharing of any sensitive information.

4.2 For legal reasons:

We will share personal information with companies or organisations outside KT Healthcare if disclosure of the information is reasonably necessary to:

  • Meet any applicable law, regulation, legal process or enforceable governmental request.
  • Meet the requirements of the Children First Act 2015.
  • Protect against harm to the rights, property or safety of KT Healthcare or our service users or the public as required or permitted by law.

4.3 For processing by third parties/external processing

The following third parties are engaged for processing data:

5 Sharing Data

5.1 Legal requirements

KT Healthcare is required to share data with external parties in the following circumstances:

  • Compliance with local tax and audit laws.
  • Compliance with child protection.
  • Compliance with law enforcement.

5.2 Financial requirements

KT Healthcare is also required to share financial data with our accountants at FDC Group in order to comply with local tax laws.

5.3 Other parties

Who Type of data Purpose

Administrative staff Record keeping, typing, Updating records correspondence.

Any transfers outside the above which contain Personal Identifying Information (PII) to third parties such as hospitals, GPs, nursing homes, are only made once the owner of the data has given express written permission by letter or email to do so.

5.4 Transfer of personal data outside the EEA

In certain instances, personal data may be transferred outside the EEA, e.g. to the US or other countries. This would be for specific purposes such as web-based appointment scheduling, or where a previous employee takes up employment outside the EEA. In such instances, KT Healthcare will use third parties which meet the privacy standards of GDPR.

6 How and when we obtain consent

Prior to initial assessment or consultation, this data protection policy will be emailed to the client via their case manager. Prior to initial assessment or consultation, a consent form will need to be signed by the client (or in the case of a child (under 16 years), their parent(s)/guardian(s)) stating that they are aware of this data protection policy.

In cases where services from KT Healthcare are obtained and provided to an individual on behalf of a hospital, nursing home, residential care centre, school, pre-school, education centre, training centre, or charity, a consent form will need to be signed by a person in authority at that service confirming that they have engaged our services as a supplier on behalf of their client and are aware of and agree to our data protection policy, and have provided their own privacy policy to the individual which includes consent that external suppliers may hold personal data.

Should a client wish to withdraw their consent for data to be processed, they can do so by contacting KT Healthcare.

7 How we protect your data

In accordance with the General Data Protection Regulation (GDPR), we will endeavour to protect your personal data in a number of ways:

7.1 By limiting the data that we collect in the first instance



Processing financial accounts

All data collected by us will be collected solely for the purposes set out at 1 above and will be collected for specified, explicit and legitimate purposes. The data will not be processed any further in a manner that is incompatible with those purposes save in the special circumstances referred to in section 5.1. Furthermore, all data collected by us will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected which include, inter alia, the assessment, diagnosis and treatment of speech, language and communication disorders.

7.2 By transmitting the data in certain specified circumstances only

Data will be shared and transmitted, be it on paper or electronically, only as is required, and as set out in section 3.

7.3 By keeping only the data that is required, when it is required and by limiting its accessibility to any other third parties.

7.4 By disposing of/destroying the data, once the individual has ceased receiving treatment, within 2 years of the completion of this treatment, apart from the special categories of personal data as set out at 1.1 above. Where data is required to be held by us for longer than the period of 2 years, we will put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These may include measures such as the encryption of electronic devices, use of pseudonyms for personal data, and/or safe and secure storage facilities for paper/electronic records.

7.5 By retaining the data for only as long as is required, which in this case is 2 years, except where retention of data is required in the circumstances set out at part 1.1 above or in certain specific circumstances as set out at Article 23(1) of the GDPR.

7.6 By destroying the data securely and confidentially after the period of retention has elapsed. This could include the use of confidential shredding facilities or, if requested by the individual, the return of personal records to the individual.

7.7 By ensuring that any personal data collected and retained is both accurate and up-to-date.

8 Protecting your Rights to Data

8.1 Adult clients

Adults have the right to request data held on them as per Article 15 of GDPR. A request must be made in writing. Further information regarding accessing your personal data is available in the document ‘Rights of Individuals under the General Data Protection Regulation’, downloadable from:

8.2 Children

For children under the age of 16, data access requests are made by their guardians. When a child turns 16, they may then make a request for their personal data. However, this is subject to adherence with the Children First Act.

9 Security

9.1 KT Healthcare is aware of the need for privacy. As such, we aim to practise privacy by design as a default approach, and only obtain and retain the information needed to provide you with the best possible service.

All persons working in, and with, KT Healthcare in a professional capacity are briefed on the proper management, storage and safekeeping of data.

All data used by KT Healthcare, including personal data, may be retained in any of the following formats:

  1. Electronic Data
  2. Physical Files (holding paper assessments only)

The type of format for storing the data is decided based on the format the data exists in.

Data Security

KT Healthcare understands that the personal data used in order to provide a service belongs to the individuals involved. The following outlines the steps which KT Healthcare use to ensure that the data is kept safe.

9.1.1 Electronic Data

All electronic data is contained in the following systems:

– This system is physically located in the UK.
– This system provider is aware of their requirements for GDPR compliance.
– The system has an administrator who is external to KT Healthcare; however, this administrator does not have access to client records.
– This system has a Live Update for security enabled.
– All persons working in KT Healthcare have READ/WRITE/DELETE access to records.
– All persons require a Log on and Password in order to access the records.
– A copy of the files is not made on the user’s computer when in use.
– The data controller in KT Healthcare can remove or delete users.
– The data controller in KT Healthcare can change users’ passwords.

Shared folders (Google Drive):
– The system has an administrator / Database owner who is external to KT Healthcare; however, this administrator does not have access to client records.
– This system has a Live Update for security enabled.
– All persons working in KT Healthcare have READ/WRITE/DELETE access to records.
– All persons require a Log on and Password in order to access the records.
– A copy of the files is not made on the user’s computer when in use.
– The data controller in KT Healthcare can remove or delete users.
– The data controller in KT Healthcare can change users’ passwords.

9.1.2 Physical Files

KT Healthcare do not hold physical files with client data and work on a paperless system. Some contractors may hold paper assessments for clients which they will store in a locked cabinet.

9.2 Security Policy

9.2.1 KT Healthcare understands that requirements for electronic and physical storage may change with time and the state of the art. As such, the data controller in KT Healthcare reviews the electronic and physical storage options available annually.

9.2.2 All physical devices used by persons working in KT Healthcare which may contain any identifiable personal information are password protected. They are not enabled with loss/theft tracking and remote wipe abilities.

9.2.3 All persons working in KT Healthcare are aware of and briefed on the requirements for good data hygiene. This is refreshed annually. This briefing compliance is monitored by the KT Healthcare data controller and includes, but is not limited to:

• Awareness of client conversations in unsecure locations.
• Enabling auto-lock on devices when leaving them unattended.
• Use of non-identifiable note taking options (initials, not names).
• Awareness of the KT Healthcare procedure should a possible data breach occur, either through theft (malicious) or loss (accidental) of devices.

Date of document: May 2018 Reviewed: May 2024