Organisation name: Sunshine Play Therapy
ICO Registration reference: ZA253712
Date registered: May 2017
Responsibility for controlling and processing assigned to: Lesley Towers (Self-employed owner and play therapist of Sunshine Play Therapy).
Email address: email@example.com
Under the Data Protection Act 1998 (DPA) and in line with GDPR Sunshine Play Therapy will:
Nature of work description:
Play therapy , creative art therapy and creative supervision provider
We process personal information to enable us to provide:
When we hold data we will inform the individual of the data we hold, how we store it, how long we keep it for and with whom it is shared. They can request to see that data and we will provide that within 30 days. They can request for the data to be corrected, erased or the processing restricted.
We process information relevant to the above reasons/purposes. This may include:
We also process sensitive classes of information that may include:
We process personal information about:
How the information is stored:
Wherever possible data is stored electronically on Bacpac [http://bac-pac.co.uk].
“How safe are my records?
Your therapist uses Bacpac: a system designed to ensure that your information is safe, secure and completely confidential.
The information stored within Bacpac is encrypted and in addition to a password, your therapist must input a unique code each time they log in. This ensures that your records are accessible only to them.
Bacpac has been built on a secure hosting platform by Mayden, a company with over 10 years
experience developing protected software for the NHS, voluntary services and the private sector.
Mayden has been vetted by the NHS and by the Ministry of Defence to host confidential medical
information, so you can be certain that your notes are stored safely and securely.
Mayden has robust procedures in place to ensure that your information remains confidential. We are happy to share these with you.
Simply email firstname.lastname@example.org for details.” [Bacpac, 2019]
The Sunshine Play Therapy laptop is password protected. Where paper records are kept these are
stored in a private building, in a locked filing cabinet.
Data will be kept until it is no longer needed for the reasons or purposes listed above, or in certain
cases in line with legal requirements (e.g. Looked after or Adopted Children). As stated above,
individuals can enquire as to how long their data will be kept.
With whom information may be shared:
We sometimes need to share the personal information we process with the
individuals themselves and also with other organisations. Where this is necessary we
are required to comply with all aspects of the Data Protection Act (DPA) and with GDPR.
Where necessary or required we share information with:
When information is shared it is anonymised (where appropriate) and sent by email, password protected.
Personal information is also processed in order to undertake research. For this reason the information processed may include name, contact details, family details, lifestyle and social circumstances. The sensitive types of information may include physical or mental health details, racial or ethnic origin. When used for research the individual will not be identifiable from the data. Data is anonymised. When necessary or required this information may be shared with customers and clients.
Consulting and advisory services
Information is processed for consultancy and advisory services that are offered. For this reason the
information processed may include name, contact details, family details, lifestyle and social
circumstances. The sensitive types of information may include physical or mental health details, racial or ethnic origin. This information may be about customers and clients. Where appropriate this information is shared with the data subject themselves, family members, other professional advisers and service providers.
Contact information of schools organisations and individuals is held in order to promote our services.
Where an email is a personal one the individual has been a previous client and has opted in to being on our mailing list.
Incident Management and Reporting:
Should there be an incident regarding a data breach the relevant parties are to initially report the
details to the play therapist and owner of Sunshine Play Therapy. A record will be made of the relevant details and advice will be sought from the ICO as to the required form of action.
Post incident the relevant parties will meet the play therapist to decide what needs to be put in place to ensure that the situation is not repeated. A time scale will be specified for the changes to be implemented.
Should someone have a complaint about Data protection initially they will be directed to the play
therapist. A record will be made of the relevant details and attempts will be made to resolve the
situation. If the complainant is still dissatisfied, then the requester will be informed that they can register their complaint with the ICO. In this case advice will be sought from the ICO.
Post incident the play therapist and relevant parties will meet to decide what needs to be put in place to ensure that the situation is not repeated. A time scale will be specified for the changes to be implemented.
This policy and Sunshine Play Therapy’s data protection procedures will be formally reviewed every year and changes communicated to all relevant parties. Ongoing reviews and changes will also take place in response to information and situations.
Date for review: October 2020
Sunshine Play Therapy 2019