In order to provide a quality service and comply with legislation, information from parents and carers about their child and families will be requested. 

Some of this will be personal details about clients, including but not limited to:  name, age, gender, contact details, family relationships, etc.

I take the privacy of my clients and those with legal responsibility for them seriously and in accordance with the UK Data Protection Act, 1998 and the General Data Protection Regulation, 2018 (GDPR) I will process any personal data according to the principles below:

• I will have a lawful reason for collecting personal data, and must do it in a fair and transparent way. I will be clear about what data I am collecting, and why.
• I will only use the data for the reason it is initially obtained. This means that I will not use a person’s data to market a product or service to them that is unconnected to the reasons for which they shared the data with me in the first place.
• I will not collect any more data than is necessary. I will only collect the data I need to hold, in order to do the job for which I have collected the data.
• I will ensure that the data is accurate, and ask families periodically to check and confirm that data held is still accurate
• I will only keep the data for as long as is needed to complete the tasks it was collected for.
• I will protect the personal data. I am responsible for ensuring that I and anyone else charged with using the data, including fellow professionals, clinical supervisor or school staff, processes and stores it securely.
• I will be accountable for the data. This means that I will be able to show how I, and anyone working with me including my governing body Play Therapy UK (PTUK), are complying with the law.
• I will not transfer personal data abroad without suitable safeguards.

The role of Healing Minds Play and Creative Arts Therapy is to: 

• Assess clients and facilitate the delivery of therapeutic services to the standards of PTUK’s accredited register

• • Monitor and report on progress made
  • Provide appropriate health and safety requirements
  • Make recommendations at the end of the intervention that may include referring clients on to further services e.g. CAMHS

• Comply with the law regarding data sharing

Procedure: The Data Protection Act requires that I am registered with the Information Commissioner’s Office (ICO) at: www.ico.org.uk/register. 

Healing Minds Play and Creative Arts Therapy registration details are as follows: 

• Data Controller: Tajwar Hassan
• Registration reference: ZA791399

Informed Consent

Informed consent is when the person sharing personal data clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data and then gives their consent.

When collecting data, I will ensure that the client, parent or person legally responsible for a child client:

• understands why the information is needed
• understands what it will be used for and what the consequences are should the person legally responsible for the client or the client themselves decides not to give consent
• as far as reasonably practicable, is competent enough to give consent and have given so freely without any duress 
• has received sufficient information on why their data is needed and how it will be used.

I will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person or by completing a form.

Data Storage

Paper based records and information relating to clients and their family will be stored securely, in a locked filing cabinet, and will only be accessible to authorised persons.   

Some client’s data and records will be stored electronically in secure and encrypted cloud-based services namely Microsoft One Drive and Fortuna. The data is held in the UK. These records are stored securely in password-protected files. Contact details will occasionally be store on a mobile phone for phone calls and messages to parents. The phone is encrypted and protected by 2-factor authentication. 

Data Access and Accuracy

Clients, parents, or the legally responsible adult for a child client, have the right to access information that is held about them or their child at any time. This will be provided without delay and in line with legislation no later than one month after the request, which should be made in writing. 

Reasonable steps will be taken to ensure that information is kept up to date by asking clients, parents or the legally responsible adult to check that the data is correct and to update it where necessary.

Information Sharing

During the course of a therapeutic intervention, I may be required to share some information about the client with other professionals who may include:

• • School staff such as the SENCO or Class Teacher (usually the Referrer)
  • Social worker 
  • Clinical supervisor

• Play Therapy UK- as my governing body

PTUK – Governing Body

As a member of PTUK I am required to adopt data protection measures in respect of therapeutic work undertaken. I am required to supply PTUK with a considerable amount of data however, I will not reveal the child’s name or address in any information I share with them or anyone else, unless it is for medical or legal reasons.

PTUK may use information gathered by me as originally provided by clients, parents, legal guardians and referrers for a number of reasons including:

• the protection of the public through revalidation purposes, 
• audit and quality assurance
• for research purposes

Emails

Emails sent between relevant professionals will not contain full disclosure of a client. Any information sent via email that could identify a client is anonymised or sent securely via an encrypted email service such as Egress. 

Safe Disposal of Data

Information will only be stored for as long as it is needed or required and will be disposed of appropriately. When personal data is deleted, this is done such that the data is irrecoverable.

Suspected Breach

If I suspect that data has been accessed unlawfully, I will inform the relevant parties immediately and report to the Information Commissioner’s Office within 72 hours. I will keep a record of any data breach.

This policy was adopted on 25th October 2022 and will be reviewed annually

Signed: Tajwar Hassan – Play and Creative Arts Therapist 

Last updated:  25th October 2024