Kelley Osman Consultancy and Observation (KOCO) aims to be as clear as possible about how and why we use information about you and your chid so that you can be confident that your privacy is protected. This policy describes the information that KOCO collects when you use our services or buy products from us. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 [and the subsequent UK Data Protection Bill that is expected to be enacted in 2018].
The policy describes how we manage your information when you use our services, if you contact us or when we contact you. It also provides extra details to accompany specific statements about privacy that you may see when you use our website.
KOCO uses the information we collect in accordance with all laws concerning the protection of personal data, including the Data Protection Act 1998 and the GDPR 2016. As per these laws, Kelley Osman is the data controller; firstname.lastname@example.org Telephone Number; 07706809053 23 St Edmunds Road Ipswich IP1 3QT
If another party has access to your data we will tell you if they are acting as a data controller or a data processor, who they are, what they are doing with your data and why we need to provide them with the information. If your questions are not fully answered by this policy, please contact our Data Protection Officer. email@example.com Telephone Number; 07706809053 23 St Edmunds Road Ipswich IP1 3QT I am registered with the Information Commissioner's Office, registration is ZA250172. If you are not satisfied with the answers from the Data Protection Officer, you can contact the Information Commissioner's Office (ICO) https://ico.org.uk
1. Why do we need to collect your personal data?
We need to collect information about you so that we can:
- Know who you are so that we can communicate with you in a personal way. The legal basis for this is a legitimate interest.
- Deliver services to you. The legal basis for this is the contract with you.
- Process your payment for services. The legal basis for this is the contract with you.
- Verify your identity so that we can be sure we are dealing with right person. The legal basis for this is a legitimate interest to prevent identity theft and ensure we provide services to the correct person.
2. What personal information do we collect and when do we collect it?
For us to provide you with services, we need to collect the following information:
We collect this information directly from you. If you do not provide us with this information we are not able to provide you with our services. We may also collect information about you from third parties; for example, if we need to gather information from another health professional (such as your Doctor or Occupational Therapist) to provide a complete health assessment.
3. How do we use the information that we collect?
We use the data we collect from you in the following ways:
4. Where do we keep the information?
We keep your information in the stores described below. Please note that we do not store your payment card details in any of our systems; these are passed straight through to our payment provider, via your BACS payment system.
4.1. On our company computers
We use personal computers that are located on our business premises. The computers are password protected and the hard drives are encrypted. Passwords are changed every 90 days and it is company policy that passwords are not shared. We do not use Dropbox, Google Drive or any other cloud service to store your data.
Your client record
We use Microsoft Excel which is a computer program that stores the information on a computer in our office.
We create a report that contains pertinent information that we gather and our findings and conclusions.
4.2. In our accounts package
I use an independent UK based accounting firm. No data is sent electronically. The company that provides the accounts software has stated that they are compliant with GDPR.
4.3. As a paper copy
We take hand written notes when we meet you. These notes are used to create the report that we provide to you. Paper copies are destroyed once pertinent information is added to our encrypted computers. We keep a paper copy of your invoice in our store room. We send this copy to our accountant.
5. How long do we keep the information?
We keep the paper copy invoices for 13 months. The accountant keeps the paper for a maximum of 11 months. Once the accountant has finished with the invoice they shred the paper using a secure shredding service. We keep the electronic invoice for seven years as this is the required length to comply with the HMRC requirements. After seven years we delete the invoices using the Sage delete function. Clinical records will be held electronically for children until their 25th birthday in accordance with Royal College of Nursing advice. www.rcn.org.uk
6. Who do we send the information to?
We send your report to you and anyone we are required by law to inform. All reports are sent through the postal system using recorded delivery. Any reports that are sent electronically are sent as attachments that are encrypted and password protected. We send the paper copy of our invoices to our accountant. The accountant is based in the UK and all their computer systems are in the UK.
7. How can I see all the information you have about me?
You can make a subject access request (SAR) by contacting the Data Protection Officer. We may require additional verification that you are who you say you are to process this request. We may withhold such personal information to the extent permitted by law. In practice, this means that we may not provide information if we consider that providing the information will violate your vital interests or affect the rights of others
8. What if my information is incorrect or I wish to be removed from your system?
Please contact the Data Protection Officer. We may require additional verification that you are who you say you are to process this request. If you wish to have your information corrected, you must provide us with the correct data and after we have corrected the data in our systems we will send you a copy of the updated information in the same format at the subject access request in section 7.
9. How can I have my information removed?
If you want to have your data removed it is our duty to determine if we need to keep the data, for example in case HMRC wish to inspect our records. If we decide that we should delete the data, we will do so without undue delay.
10. Will we send emails and text messages to you?
As part of providing our service to you, we may send your report to you via email. The report will be encrypted, and password protected. Also, as part of this service, we need to send details of your appointments to you. To protect your information, we prefer to use an end-to end encrypted messaging service. If you are not able to use such a service, we may use SMS (text messages); however, this does increase the risk of someone intercepting the message.
11. How do I opt out of receiving emails and/or text messages from us?
If you are receiving text messages from us, you may unsubscribe at any time by following the instructions included within the text message. Similarly, if you are receiving emails from us, you may unsubscribe at any time by following the instructions included within the email. When you unsubscribe (i.e. opt out) from either text message and/or email communications, we will suppress your details on our systems to ensure we have a record of your decision to not be contacted in that particular manner. We will not use the email address or mobile phone number for such messages again unless you opt back in. When unsubscribing from either email or text communications, you should always follow the specific instructions given in the particular email or text that you wish to discontinue receiving.