The Brain Injury Clinic
Lisa Harris, BSc (Hons), MRCSLT, MASLTIP, Reg HCPC
The General Data Protection Regulation (GDPR) updates all regulatory guidelines on how personal data is processed. This notice explains why and how The Brain Injury Clinic (BIC) processes personal data. Lisa Harris is a Data Controller and Processor and is registered with the Information Commissioner’s Office (ICO).
Why does BIC process personal data?
It is necessary to collect and hold data about clients, and other professionals, in order to provide Speech and Language Therapy (SLT). This forms a legal basis as a legitimate interest under Article 6 of GDPR, demonstrated by BICC’s LIA (Legitimate Interest Assessment). BIC is allowed to process special category (health) data under the condition of the provision of healthcare (GDPR Article 9 (2) (h)).
What Data does BIC process?
BIC may hold the following:
- Name, date of birth, address, telephone number and email address
- Information about social, educational and medical history including referral letters
and past medical and/or therapy reports
- Formal assessments, case notes (including photos, audio and video), reports and
correspondence with other professionals involved in care
How does BIC collect data?
Data is collected both from clients and carers, as well as from other professionals involved. Further data is collected during SLT intervention.
How does BIC hold data?
Paper records are kept in a locked, fireproof cabinet. Electronic data is held in encrypted cloud storage and can only be accessed by password. All data will be kept for 7 years following the last therapy session, after which it will be destroyed.
How does BIC transfer data?
Data is only transferred when absolutely necessary for the provision of SLT. When in transit identifiable information is removed whenever possible, paper records are never left and electronic documents are password protected.
What rights do I have over my data?
You can ask to see the data held on you, and for it to be corrected if there are mistakes (Articles 15 and 16 of GDPR). You will be asked for your consent before any data is shared with other professionals or any other third party (Article 23 of GDPR). Given the legal basis for BCC’s processing of personal data you can’t ask for your data to be erased (Article 17) or object to it’s processing (Article 21).