top of page

GDPR Personal Data Policy

​

Updated 27/08/25

 

Contents

1. Introduction & Who We Are

2. Legal Basis For Processing Your Information

3. Information We Collect & How We Use It

4. Digital Communications & Security

5. Use of Artificial Intelligence

6. Information Storage and Protection

7. Sharing Information with Others

8. Your Rights & Choices

9. Data Breaches & Complaints

10. School, Organisations and Non-Caseload Data Processing

11. Contact Information

12. Acknowledgement Of Notice & When To Contact Us If Your Information Changes

 

  1. Who we are

  • Sinead Owens is a qualified Speech and Language Therapist and the founder of Connect and Communicate. Connect and Communicate provides independent speech and language therapy to children and young people, typically in the home or educational setting.

  • Therapists are registered with the Health and Care Professions Council (HCPC), members of the Royal College of Speech and Language Therapists (RCSLT) and members of the Association of Speech and Language Therapists in Independent Practice (ASLTIP) and CORU - Regulating body of Health & Social Care Professionals in the Republic of Ireland.

  • Connect and Communicate operates a website at www.connectandcommunicate.uk. Connect and Communicate is committed to protecting the privacy of information provided by our clients.

 

  1. Legal Basis for Processing Your Information

  • Our lawful basis for processing and storing personal information is one of 'legitimate interest' under section 6 of the General Data Protection Regulations (GDPR).

  • We cannot adequately deliver a service to you without processing your personal information. As it is both a necessity for our service delivery and of benefit to you, we have a legitimate interest to process and store your data.

  • Data relating to an individual's health is classified as 'Special Category Data' under   section 9 of the GDPR.

  • The regulations specify that health professionals who are 'legally bound to professional secrecy' may have a lawful basis for processing this data.

  • Speech and Language Therapists are legally bound to keep client information confidential and it is under this condition that we process and store personal information.

  • It is a legal requirement for all Speech and Language Therapists to be registered with the Health and Care Professions Council (HCPC) and CORU (Regulatory body of Health and Social Care Professionals in the Republic of Ireland).

 

The HCPC has clear standards of conduct, performance and ethics that all registrants must adhere to. These standards affect the way in which we process and share information,

specifically:

 

Standard 2: Communicate appropriately and effectively

  • "You must share relevant information, where appropriate, with colleagues involved in the care, treatment or other services provided to a service user."

Standard 5: Respect Confidentiality

  • “ You must treat information about service users as confidential.

  • 5.2 You must only disclose confidential information if: you have permission; the law allows this;  it is in the service user’s best interests; or it is in the public interest, such as if it is necessary to protect public safety or prevent harm to other people.”

Standard 10: Keep records of your work

  • "You must keep full, clear, and accurate records for everyone you care for,  treat, or provide other services to. You must complete all records promptly  and as soon as possible after providing care, treatment or other services.

  • You must keep records secure by protecting them from loss, damage or inappropriate access."

CORU regulatory body in the Republic of Ireland also obtain similar clear standards of conduct, performance and ethics that all registrants must adhere to:

Standard 2: Respect the confidentiality and privacy of service users

  • “keep service user information securely and, subject to other provisions of this Code, treat it confidentially, including guarding it against accidental disclosure”

  • “share service user information with others only where and to the extent necessary to give safe and effective care or where disclosure is mandated by law”

  • “ inform service users of the limits of confidentiality and the circumstances in which their information may be shared with others”

  • “ obtain the consent of a service user before discussing confidential information with their family, carers, friends or other professionals involved in his/her care”

  • “always follow employer guidelines and relevant legislation when handling service user information”

  • “be aware of the following circumstances in which disclosure of confidential information in the absence of consent may be appropriate, justifiable and/or required by law:

  • to prevent harm to the service user or a third party

  • to prevent harm to the public at large

  • to comply with a legal requirement”

 

Standard 7: Obey laws, regulations and guidelines

  • “know and work within the laws, regulations and guidelines governing your practice and keep up to date with any changes in legislation or regulation or guidelines”

  • “obey the laws of the country in which you live and work in both your professional practice and your personal life”

 

Standard 18: Keep accurate records

  • “keep clear and accurate and up-to-date records in line with the policies and procedures set out in your workplace or as dictated by relevant guidelines or legislation”

  • “make sure that all records are: complete, legible (if handwritten) identifiable as being made by you, using your registered name and registration number dated and timed completed as soon as practicable following assessment, intervention or treatment, and clear and factual”

  • “ if you supervise students, review each student’s entries in the records and record that you have done so”

  • “store and use records according to data protection legislation, and other relevant legislation and policies governing your practice”

  • “ protect information in records against loss, damage or access by anyone who is not allowed to access them”

  • “ make sure that if records are updated, previously recorded information is retained g. understand that service users generally have a right to obtain copies of their records, subject to certain limited exceptions”

  • “Ensure that records are retrievable for service users throughout the designated retention period. Records are all information collected, processed and held in manual, electronic or any other format pertaining to the service user and service user care.”

  • “Records include data, demographics, clinical data, images, unique identification, investigation, samples, correspondence and communications relating to service users and their care”

 

  1. Information We Collect and How We Use It

Information about you may be collected in spoken or written form. With

your consent, information may also be collected from other people or professionals

working with you (such as your partner/carer, medical team, other members of your

‘treating team’/case managers and NHS Speech and Language Therapists).

You may use the Connect and Communicate website without providing any personal information.

 

Website:

  • If you wish to enquire the website's online submission form, you are requested to provide your name, e-mail address and contact telephone number to enable us to respond to your enquiry. You may add comments or queries which might also contain personal information.

  • If your enquiry does not result in you being seen by Connect and Communicate, then this personal information will be deleted once your enquiry has been dealt with.

  • The Connect and Communicate website contains links to other internet sites which are outside our control and are not covered by this privacy policy. We are not responsible for data which you provide through any such linked websites. Please refer to our website privacy policy for additional information via our website www.connectandcommunicate.uk

 

 

Information We Collect:

Personal information collected by us via the  Connect and Communicate website, email, telephone or face to face, is stored and used by us for the purpose of delivering your speech and language intervention.

Directly from you:

  • Pre-assessment questionnaire information, case history, referral information

  • Communications about appointments and progress

  • Child development information

  • Contact and payment details

 

From your child:

  • Assessment results and observations

  • Therapy session notes and progress recording

  • Video recordings (with consent)

  • Speech and language samples

  • Resources used in sessions if paper based

 

From other professionals (with consent):

  • Healthcare provider reports

  • Educational setting information

  • Updates from other involved professionals

 

How We Use Your Information

Core Therapy Services:

  • Planning and delivering therapy

  • Tracking progress and adjusting treatment plans

  • Creating tailored resources

  • Writing reports and programmes

  • Communication about therapy

Administration:

  • Appointment scheduling

  • Invoice and payment processing

  • Business record maintenance

Service Improvement:

  • Service review and enhancement

  • Clinical audit (using anonymised data)

 

4. Digital Communications and Security

Email Communication

  • We protect your privacy in email correspondence by:

  • Sending password-protected PDF files for personal information

  • WeTransfer for additional encryption for sending media files home (video or audio)

  • Using preference for initials rather than full names in professional communications

  • Conversations are uploaded to your child’s records

Microsoft Teams Communication

Parent Communication

  • With consent, parents, the therapist and other professionals may enter a Teams channel to support MDT communication and continuation of care of children and young people. Updates following the school session can be provided on these channels with parental consent.

  • In cases where ongoing communication is required, protected files will be stored on the Teams channel relating to the child with agreed access to named professionals and carers only. Once care ends or the channel is no longer actively required, parents will have a designated time frame to download communications or request the therapist to export the chat for their file and personal records before the channel is deleted.

  • In relation to team channels for individual clients, the parent of the child or Connect and Communicate will be the controller of the data. Suppose parents are the controller and this is their preference. In that case, it is important Connect and Communicate cannot export communications easily due to accessibility limitations on member or guest access to place on the health record.

 

School Communication

  • In schools, therapists work regularly and hold a caseload. The therapist may be included in a Teams Channel to support communication with the Head of Learning or SENco, along with other relevant stakeholders such as the named school's Occupational Therapist, for example.

  • School will be the controller of the data.

  • Stakeholders will be registered with the school, work under school policies and work with the students and staff regularly within the setting.

  • The therapists follow school policies and training requirements.

  • In communication, in relation to specific pupils, initials are used as well as password-protected documents for the school's knowledge only to provide data access to relevant people who have specific consent for data information.

  • Other communications include day-to-day working in the school or therapy plans for the year ahead. The school will hold accountability and ownership of team privileges and serve as the data controller of all information.

  • With parental consent, relevant information will be shared with other school therapists for onward referrals.

  • Teams Channels are reviewed on a quarterly basis.

Video Sessions (Microsoft Teams)

For video sessions, we:

  • Use unique meeting IDs and passwords

  • Enable waiting room features

  • Never record without explicit consent

  • Conduct sessions in private spaces

  • Use professional accounts

File Sharing and Reports

For secure document sharing:

  • All personal/clinical documents are password-protected or securely sent with additional encryption

Videos, images and audio

  • Therapy purposes to document progress

  • To support assessment

  • To share progress updates with parents

  • For use for Connect and Communicates trainings, website and/or business social media IF explicit consent is given.

5. Use of Artificial Intelligence

Our Approach to AI

We use AI tools to enhance services while maintaining privacy and professional care. All AI use is overseen by our qualified therapist, and no AI tool makes clinical decisions.

Examples of AI Tools We Use

  • ChatGPT, Perplexity, Copilot, Grammarly

  • Heidi occasional use (AI medical scribe for note-taking)

How We Use AI

Resource Creation:

  • Initial therapy material drafts

  • Visual support and worksheet creation

  • Story-based activity development

  • Therapist review and customisation

Administrative Support:

  • Document formatting

  • Standard communication drafts

  • Schedule organisation

  • Document readability improvement

Research and Planning:

  • Therapy approach exploration

  • Evidence-based practice research

  • Therapy idea generation

  • Clinical decisions by a qualified therapist only

AI-Assisted Note-Taking:

  • Routine post-session dictation- occasional use for busy clinic days and currently explored tool.

  • After sessions, I may dictate a summary into Heidi – an AI medical scribe provided by Heidi Health Pty Ltd. Heidi converts the dictation to text and immediately deletes the audio once the transcript is produced. No part of your child's voice is captured in this routine workflow, and the resulting note becomes part of your child's therapy record.

  • Purpose – to improve the accuracy and efficiency of record-keeping.

Storage & retention

  • AI-generated text from post-session dictation is imported into WriteUpp and retained in line with our policy.

Accuracy assurance

  • AI-generated transcripts may contain occasional transcription errors. The SLT will always thoroughly check the transcript and make alterations to ensure it is an accurate reflection of the session before finalising the note in your child’s electronic health record.

AI Data Protection Measures

No Personal Information Entry (for general AI tools):

  • No names, addresses, or identifying details

  • No unique identifying characteristics

Data Anonymisation (for general AI tools):

  • Removal of identifying information

  • Content checking for identifying information

Content Review:

  • Therapist review of AI-generated content

  • Individual needs customisation

  • Quality and accuracy verification

Heidi-Specific Protections:

  • Audio deleted immediately after transcription

  • Data hosted on UK/EEA servers

  • No routine transfers outside UK/EEA

  • Processing under UK-approved Standard Contractual Clauses if overseas technical support needed

Your AI Rights

You can:

  • Opt out of AI-supported service aspects

  • Request AI use information

  • Ask questions about AI use

  • Raise concerns about AI-generated content

  • Withdraw consent for live transcription at any time

 

Our Lawful Basis for AI Processing

We rely on:

  • Legitimate interests (efficient record-keeping) for post-session dictation

  • Patient safety

  • Legal obligation under HCPC Standards to keep full, clear and accurate records as well as patient safety

 

International Transfers and Third-Party Processors

  • Both WriteUpp and Heidi host and process all data for UK users on secure servers located within the United Kingdom and the European Economic Area (EU/EEA).

  • In the unlikely event that overseas personnel from either service require temporary, read-only access for technical support, such access is provided under UK-approved Standard Contractual Clauses and appropriate data protection safeguards.

 

6. Information Storage and Protection

Record Keeping System

We use WriteUpp, a secure healthcare-specific cloud system that:

  • Complies with UK data protection laws

  • Uses encryption

  • Has regular security updates

  • Requires secure, password-protected access

  • Facilitates direct communication with parents and carers

 

Document Storage

Initial Storage:

  • Temporary password-protected OneDrive storage

  • We use a secure electronic cloud-based system called One Drive, Teams and Outlook for Business Use and Microsoft Forms which is compliant with general data protection regulations, One Drive for Business is HIPAA compliant.

  • We use Monzo Business, which is also encrypted and is GDPR compliant, to hold accounts of invoices and information relating to your payments.

  • Restricted access to Sinead Owens

  • Security audits and transfer of documents to Writeupp

 

Audio and or Video Recordings:

  • Password-protected device use

  • Explicit consent requirement

  • Deleted from device notes have been made in the child’s record, or confirmation media has been received from parents

  • OR stored on the Business One Drive IF consent is given for other uses such as social media, trainings or websites, as indicated on your consent form and discussed with you

  • Videos are sent through WeTransfer for added encryption.

                       

Physical Records:

  • Locked filing cabinet with restricted access

  • The minimum amount of confidential information will be taken out of the Speech and Language Therapist’s office base

  • When your child’s information is taken out of the office, it will be kept with the Speech and Language Therapist

  • Physical records are destroyed using the recommended confidential paper shredder after files are scanned and uploaded to the patient record.

  • ​

Retention Periods

  • Records are kept for the appropriate retention period to be compliant with healthcare regulations

  • Secure destruction is conducted after the retention period

 

7. Sharing Information with Others

Professional Information Sharing

We share information when:

1. We have explicit consent

2. It's in your child's best interests

3. It's necessary for care

4. It's legally required

 

Information Recipients may include (with consent)

Educational Settings:

  • Teachers and assistants

  • SENCOs

  • Early years practitioners

Healthcare Professionals:

  • NHS Speech and Language Therapists

  • GPs and specialists

  • Private therapists

  • Health visitors

Other Professionals:

  • Educational Psychologists

  • Occupational Therapists

  • Social Workers

  • Local Authority, EHCP co-ordinators

  • Other care professionals (nurses)

 

Third Party Service Providers

WriteUpp:

  • Electronic clinical records system

  • Data processing agreement

  • UK data protection compliance

 

Online Services:

  • MS Teams

  • Outlook

  • WeTransfer

  • Grammarly

  • Hollie Guard

  • Widgit (creating personalised social stories and visuals)

 

Banking

  • Monzo Business Pro

 

Heidi:

• AI medical scribe

• Data processing agreement

• UK/EEA data hosting

 

Emergency Access

Next of Kin:

  • In the event of Sinead Owens going unexpectedly missing during a working day, her next of kin would gain access to her diary including client names and addresses in order to locate her and be reassured of her safety.

  • Or use the safeguard app Hollie Guard

8. Your Rights and Choices

Data protection legislation gives you, the parent, various rights. The most important of these are as follows:

  • You have the right to a copy of information we hold about your child.

  • You have the right to ask for your record to be amended if you believe that it is wrong.

  • You can access the information we hold about you by writing to us at the address given below. Please apply in writing.

  • A copy of your child’s records is provided free of charge.

  • We will provide access to your child’s records within 30 days of receipt of all necessary information.

  • It is important to note that the Data Protection Act 2018 (Article 9, section (2)(h) says that the right to be forgotten/erased does not apply when data is processed for Health or Social Care purposes.

  • Speech and Language Therapists are Healthcare Professionals (registered with the Health Care Professions Council), so the information we process about a child is considered to be a Health Record. If you are happy for a child/YP’s data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything.

 

9. Data Breaches

Data breaches will be dealt with as follows:

Immediate Actions:

  • Breach identification/containment

  • Risk assessment

  • Party notification

  • ICO reporting if needed

Follow-up:

  • Cause investigation

  • Prevention implementation

  • Security updates

  • Learning documentation

 

10. Data Processing Of School ,Organisations and Non-Caseload Children and Young People

Staff Of School and Organisations

Additional information relating to the professionals, schools and organisations we liaise with and work with at Connect and Communicate. All previous information on storage and rights detailed above are also applicable.

  • This privacy notice lets you know what happens to any data that you give to us about you or people working in and around your school/organisation, or any that we may collect from you or about people in your school/organisation.

  • For information on what happens to personal data that we collect on our service users please refer to part one of our ‘Privacy Notice’

 

The information that we collect and use

When you or your school/organisation is working with Connect and Communicate we must collect basic ‘personal data’ about the people we are working with. This includes their name, work or home address and contact details such as email and mobile.

 

 

 

The reason why we collect this data

To run our service efficiently and maintain accurate employment records, we must collect and retain information about our collaborators. Personal information is used to:

  • Work jointly to make decisions about the service provided to your school/organisation

  • Share information on children or young people we are working with jointly

  • Work together with other services that are working in your school/organisation

  • We also may use, or share, personal information for the following purposes:

  • Making sure that our service can meet patient needs in the future

  • Reporting back to schools on outcomes of our service

  • Investigating concerns, complaints or legal claims

  • Helping staff to review the care they provide to make sure it is of the highest standards

  • Record information shared by you in the client's Health Record

  • Training and educating staff

 

Non-Caseload Group Participants:

In some schools where the therapist works regularly and holds a caseload and enrolled, there are opportunities for children to attend sessions with the consent and knowledge of parents, on the therapist's specialist caseload, to support their child’s therapy targets.

 

Children who attend some sessions but are not on the therapist’s caseload participate in targeted interventions informally. School staff identify children, and the Group Consent Forms are sent via the school administration. This is a specific consent form. The school is responsible for both sending and returning forms to the therapist and providing a suitable time frame of at least two weeks for parents to respond to the written communication request.

 

The therapist works within the school, adhering to the majority of its policies within the environment, even when not working directly with specific students.

 

Why we use an opt-out model for group sessions

We work very closely with schools, and it is often impractical to collect and securely store a large number of individual consent forms for short group activities. Using an opt-out model means that:

 

  • Parents are always informed before their child can be included.

  • Parents have a clear and easy way to say “no” if they do not want their child to take part.

  • We keep the amount of personal data we collect and store to the minimum necessary, reducing risk and protecting privacy.

  • No detailed records or therapy notes are made for children who are not on the therapist’s caseload.

  • This approach allows us to support schools efficiently, while still respecting family choice and safeguarding children’s information.

 

Personal Data Processed and Stored when an Opt-Out consent form is received:

  • The completed Opt-Out consent form is provided to the therapist, scanned, and securely stored on the Business OneDrive.

  • The form is retained for one academic year only, after which it is permanently deleted.

  • It is stored solely to confirm that parents/carers have chosen not to consent to group participation, ensuring both the school and the therapist respect and uphold parental preference.

 

 

Personal Data Processed and Stored when no Opt-Out consent form is returned:

 

  • If no Opt-Out form is received, the school may invite a child to join a group activity, with parental knowledge and school oversight.

  • The only information recorded is the child’s first name, noted within the original client’s file to show their location and group participation. This may be shared with the school or parent of the child if requested to confirm attendance.

  • No individual therapy record is created for the child. Their attendance is considered informal, play-based participation, not part of a formal caseload.

  • During sessions, a child may share information naturally.

  • Occasionally, anonymised examples (e.g., “Child A”, “Child B”) from these group activities may be used to illustrate progress for children already on the therapist’s caseload.

  • Safeguarding standards are always followed, and the therapist works within the school’s policies.

  • The Opt-Out consent form includes the therapist’s contact details and directs parents to this privacy notice for more information.

 

Integrated Support
In some schools, the therapist attends regularly and works with children and young people on their specialist caseload. With the school’s agreement, this may include integrated support delivered within the school day (for example, during classroom activities, lunchtime, or in the playground).

  • Integrated support is provided only for children on the therapist’s specialist caseload.

  • While working in these natural environments, the therapist may have incidental contact with other children. In such cases, the only information that may be processed is a child’s first name and anything they share directly in the moment.

  • No individual records or therapy notes are created for children who are not on the therapist’s caseload.

  • Safeguarding principles always apply, and the therapist always follows the school’s policies and procedures.

 

11. How to Contact Us

FAO Sinead Foyle Data Access Request

sinead@connectandcommunicate.uk

 

Document Management

• Last updated: 26/08/25

• Next review:  22/08/26

 

Complaints

  • Should a parent have any concerns about your child’s information is managed at Connect and Communicate please contact Sinead.

  • If a parent are still unhappy following a review, you a right to submit a complaint with the Information Commissioner.

 

Information Commissioner:

 

Wycliffe house

 

Water Lane

 

Wilmslow

 

Cheshire 

 

SK9 5AF

 

Tel: 0303 123 1113 (local rate) or 01625 545 745 if a parent prefer to use a national rate number

www.informationcommissioner.gov.uk

 

What should a parent do if a child’s personal information changes?

  • It is important that a parent or carer inform Connect and Communicate if any details, such as the child’s name or address, have changed, or if any of their information, like the date of birth, is incorrect so that it can be updated.

  • A parent or carer has a responsibility to inform us of any changes so that our records remain accurate and up to date for a parent or carer.

 

 

Agreement to Privacy Policy

  • The therapist will direct you to our personal data privacy notice.

  • By using our services, you acknowledge reading and understanding this privacy notice.

  • Please contact us with any questions about information protection.

bottom of page