When you use Sparking Speech Clinic you trust us with your information. This privacy policy is meant to help you understand what data we collect, why we collect it, and what we do with it. We have tried to make it as simple as possible but if you have any questions please contact us.

1. Information We Collect

Sparking Speech holds personal data as part of conducting a professional service. The data falls under the following headings: healthcare records, educational records, clinical records, general administrative records, and financial records.

1.1 Healthcare Records

A healthcare record refers to all information collected, processed and held in electronic formats pertaining to the service user and their care.  Speech, language and communication difficulties can be complex, and a wide range of information may need to be collected in order to best meet the needs of the client, and to maintain a high-quality service which meets best practice requirements. In order to provide a high-quality service, a range of information may be collected.

Examples of data collected and held on all current and active clients include the following:

  • Contact details: Name, address, phone numbers, e-mail address
  • Personal details: Date of birth
  • Other contacts: Name and contact details of GP and any other relevant healthcare professionals involved.
  • Parent/guardian details
  • Description of family
  • Educational placements
  • Pre- and post-natal history: This can include information relating to mother’s pregnancy, and child’s birth
  • Developmental data: Developmental milestones, feeding history, audiology history
  • Medical details: Such as any relevant illnesses, medications, and relevant family history
  • Reports from other relevant allied health professionals such as: Audiology, Psychology, CAMHS (Child & Adolescent Mental Health Services), Occupational therapy, Physiotherapy, Ophthalmology

1.2 Educational Records

Relevant Individual Educational Plans (IEPs), progress notes from educational staff and school reports may be held.

1.3 Clinical Records

Specific data in relation to communication skills may be collected and held, such as assessment forms, reports, case notes, e-mails, text messages and transcripts of phone calls. Audio and video files may also be collected and stored.

1.4 General Administrative Records

Sparking Speech Clinic may hold information regarding attendance reports and accident report forms.

1.5 Financial Records

A financial record pertains to all financial information concerning the practice, e.g. invoices, receipts, information for Revenue. Sparking Speech Clinic may hold data in relation to:

  • On-line purchasing history
  • Card payments
  • Bank details
  • Receipts & invoices

Information will include name of bill payer, client name, address, e-mail address and record of invoices and payments made.

2. Where We Get Our Information

Personal data will be provided by the client, or in the case of a child (under 16 years), their parent(s)/guardian(s). This information will be collected as part of a case history form prior to, or on the date of first contact.

Information may also be provided directly from relevant third parties such as schools, medical professionals and allied health professionals, with prior consent from the parent(s)/guardian(s).

3. How We Use The Information That We Collect

We use the information we collect to provide assessment and therapy as per the relevant professional guidelines, as well as to maintain the general running of the business, such as running our electronic booking system, keeping our accounts and updating you of any changes in policies or fees.

Information may also be used for research purposes, with the written consent of the client or parent/guardian.

3.1 Data Retention Periods

The retention periods are the suggested time periods for which the records should be held based on the organisation’s needs, legal and/or fiscal precedence or historical purposes. Following the retention deadline, all data will be destroyed under confidential means.

3.2 Client Records

3.2.1 Clinical Records

Sparking Speech Clinic keeps electronic records of clinical data in order to provide a high-quality service.

  • Clinical data is deleted/confidentially destroyed 3 years after discharge from Sparking Speech’s services.
  • Clinical data used for research purposes may be kept for longer than 3 years with the written consent of the client or parent/guardian.
  • Video records / voice recordings relating to client care / video-conferencing records may be recorded with consent, for analysis purposes and to facilitate the monitoring of client progress. All recordings will be destroyed 3 years after discharge.
  • If written consent is provided to use recordings for training purposes, the client will have the option to withdraw consent at any time.

3.2.2 Financial Records

Sparking Speech Clinic keeps electronic records of financial data from those who use our services.

Section 886 of the Direct Tax Acts states that the Revenue Commissioners require records to be retained for a minimum period of six years after the completion of the transactions, acts or operations to which they relate. These requirements apply to manual and electronic records equally.

  • Financial Data is kept for 6 years to adhere to Revenue guidelines.
  • Financial Data (including non-payment of bills) can be given to Revenue at Revenue’s request.

3.2.3 Contact Data

Contact Data is kept for 6 years to allow processing of Financial Data if required. (This may be retained for longer for safety, legal request, or child protection reasons.)

3.3 Exceptions

If under investigation or if litigation is likely, files must be held in original form indefinitely; otherwise, files are held for the minimum periods set out above.

4. Information We Share

We do not share personal information with companies, organisations and individuals outside Sparking Speech Clinic unless one of the following circumstances applies:

4.1 With Your Consent

We will share personal information with other relevant health care providers or educational providers when we have your written consent to do so. We require opt-in consent for the sharing of any sensitive information.

4.2 For Legal Reasons

We will share personal information with companies or organisations outside of Sparking Speech Clinic if disclosure of the information is reasonably necessary to:

  • Meet any applicable law, regulation, legal process or enforceable governmental request.
  • Meet the requirements of the Children First Act 2015.
  • Protect against harm to the rights, property or safety of Sparking Speech Clinic, our service users or the public as required or permitted by law.

4.3 For Processing By Third Parties/ External Processing

The following third parties are engaged for processing data:

Who? | Type of Data | Purpose
Accountant | Financial | Processing financial accounts
Retail Merchant Services | Financial | Processing credit and debit card payments
Write Up | Clinical & Financial Data | Healthcare Records
Theraplatform | Clinical & Financial Data | Healthcare Records
Three Ireland | Phone Numbers | Appointments

5. Sharing Data

5.1 Legal Requirements

Sparking Speech Clinic is required to share data with external parties in the following circumstances:

  • Compliance with local tax and audit laws.
  • Compliance with child protection.
  • Compliance with law enforcement.

5.2 Other Parties

Any transfers outside the above which contain Personal Identifying Information (PII) to third parties such as hospitals, GPs, nursing homes, are only made once the owner of the data has given express written permission by letter or email to do so.

6. How & When We Obtain Consent

Prior to initial assessment or consultation, a copy of the data protection policy will be provided to clients along with a Client Appointment Letter, Case History Form and our Fees and Cancellation Policy. A consent form will need to be signed by the client prior to commencing the service. Copies of the signed consent form will be given to both parties.

Should a client wish to withdraw their consent for data to be processed, they can do so by contacting Sparking Speech Clinic in writing.

7. How We Protect Your Data

In accordance with the General Data Protection Regulation (GDPR), we will endeavour to protect your personal data in a number of ways:

7.1 By Limiting The Data We Collect In The First Instance

All data collected by us will be collected solely for the purposes set out at 1 above and will be collected for specified, explicit and legitimate purposes.  The data will not be processed any further in a manner that is incompatible with those purposes save in the special circumstances referred to in section 5.1. Furthermore, all data collected by us will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected which include, inter alia, the assessment, diagnosis and treatment of speech, language and communication disorders.

7.2 By Transmitting The Data In Certain Specified Circumstances Only

Data will only be shared and transmitted, be it on paper or electronically, as is required, and as set out in section 3.

7.3 By Keeping Only The Data That Is Required

Data will be kept only when it is required and its accessibility to any other third parties will be limited.

7.4 By Disposing Of/ Destroying The Data Once The Individual Has Been Discharged From Sparking Speech’s Services

Data will be confidentially destroyed 3 years after the date of discharge, apart from the special categories of personal data as set out at 1.1 above.  Where data is required to be held by us for longer than the period of 3 years post-discharge, we will put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These may include measures such as the encryption of electronic devices, pseudonymisation of personal data, and/or safe and secure storage facilities for electronic records.

7.5 By Retaining The Data For Only As Long As It Is Required

which in this case is 3 years post-discharge except for circumstances in which retention of data is required in circumstances set out at part 1.1 above or in certain specific circumstances as set out at Article 23(1) of the GDPR.

7.6 By Destroying The Data Securely And Confidentially After The Period Of Retention Has Elapsed

7.7 By Ensuring That Any Personal Data Collected And Retained Is Both Accurate And Up-To-Date

8. Protecting Your Rights To Data

For children under the age of 16, data access requests are made by their guardians. When a child turns 16, they may make a request for their personal data. However, this is subject to adherence with the Children First Act.

9. Security

Sparking Speech, as with most providers of healthcare services, is aware of the need for privacy. As such, we aim to practice privacy by design as a default approach, and only obtain and retain the information needed to provide you with the best possible service.

All persons working in, and with, Sparking Speech Clinic in a professional capacity are briefed on the proper management, storage and safekeeping of data.

All data used by Sparking Speech Clinic, including personal data, may be retained in any of the following formats:

  1. Electronic Data
  2. Physical Files

The type of format for storing the data is decided based on the format the data exists in.
Where applicable, Sparking Speech Clinic may convert physical files to electronic records to allow us to provide a better service to clients.

9.1 Data Security

Sparking Speech Clinic understands that the personal data used in order to provide a service belongs to the individuals involved. The following outlines the steps which Sparking Speech Clinic uses to ensure that the data is kept safe.

9.1.1 Electronic Data

All electronic data is contained in the following systems:

Write Up
  • This system is physically located in Europe.
  • It uses two-factor authentication login and encrypted data replication across different servers to keep your records safe.
  • ISO27001 Certified – Globally recognised information governance and security standard. Write Up’s systems and processes comply with this standard and are audited annually to ensure continued compliance.
  • This system provider is aware of their requirements for GDPR compliance.
  • The system has a Sparking Speech Clinic administrator. Write Up does not have access to client records.
  • All Speech and Language Therapists working in Sparking Speech Clinic have read/write/delete access to clinical records.
  • All Administrators working in Sparking Speech Clinic have read/write/delete access to contact data and financial data.
  • Sparking Speech Clinic Directors have access to all data.
  • All persons require a Log on and Password in order to access the records.
  • The data controller in Sparking Speech Clinic can remove or delete users.
  • The data controller in Sparking Speech Clinic can change users’ passwords.
Theraplatform
  • This system is physically located at 3500 West Olive Ave Suite 300, Burbank, CA 91505 USA.
  • Video connection encryption.
  • Website connection encryption (SSL) with 2048-bit SSL with a 256-bit encryption.
  • Data transfer encryption.
  • Encrypted database backups.
  • Server drives are encrypted with a data key using the industry-standard AES-256 algorithm.
  • All data is encrypted both at rest and in transmission. Database encryption using 256-bit Advanced Encryption Standard (AES-256).
  • Theraplatform sign a Business Associate Agreement (BAA).
  • This system provider meets their requirements for GDPR compliance.
  • The system has a Sparking Speech Clinic administrator. Theraplatform does not have access to client records.
  • All Speech and Language Therapists working in Sparking Speech Clinic have read/write/delete access to clinical records.
  • All Administrators working in Sparking Speech Clinic have read/write/delete access to contact data and financial data.
  • Sparking Speech Clinic Directors have access to all data.
  • All persons require a Log on and Password in order to access the records.
  • The data controller in Sparking Speech Clinic can remove or delete users.
  • The data controller in Sparking Speech Clinic can change users’ passwords.
Google Calendar/ Email
  • This system is physically located in the European Union.
  • This system provider is aware of their requirements for GDPR compliance.
  • The system has a Sparking Speech Clinic administrator. Google does not have access to client records.
  • This system has a Live Update for security enabled.
  • All Speech and Language Clinic Therapists working in Sparking Speech Clinic have read/write/delete access to their own Gmail account and to a shared Google calendar.
  • All persons working in Sparking Speech Clinic have read/write/delete access to calendar data.
  • Sparking Speech Clinic Directors have access to all Google calendar and email data.
  • All persons require a Log on and Password in order to access the records.
  • The data controller in Sparking Speech Clinic can remove or delete users.
  • The data controller in Sparking Speech Clinic can change users’ passwords.
Retail Merchant Services
  • These systems are physically located in Ireland & the United Kingdom.
  • These system providers are aware of their requirements for GDPR compliance.
  • These systems have a Sparking Speech Clinic administrator.
  • All Speech & Language Clinic Therapists, Directors and administrative staff working in Sparking Speech Clinic have read/write access to financial data for credit and debit card payment purposes.
  • All persons require a Log on and Password in order to access the records.
  • The data controller in Sparking Speech Clinic can remove or delete users. 
Three Ireland (Hutchison) Limited
  • This system is physically located in Ireland.
  • This system provider is aware of their requirements for GDPR compliance.
  • The system has a Sparking Speech Clinic administrator.
  • All Speech and Language Clinic Therapists, Directors and administrative staff working in ARC Speech & Language Clinic have read/write access to contact data (client mobile phone details).
  • All persons share a single Log on and Password in order to access the records.
  • The data controller in Sparking Speech Clinic can change the password.

9.2 Security Policy

9.2.1 

Sparking Speech Clinic understands that requirements for electronic storage may change with time. As such, the data controller in Sparking Speech Clinic reviews the electronic storage options available every year.

9.2.2 

All physical devices used by persons working in Sparking Speech Clinic which may contain any identifiable PII are enabled with loss/theft tracking and remote wipe abilities.

9.2.3 

All persons working in Sparking Speech Clinic are aware of, and briefed on, the requirements for good data management, and this briefing is refreshed every year. Briefing compliance is monitored by the Sparking Speech Clinic Data Controller and includes, but is not limited to:

  • Awareness of client conversations in un-secure locations
  • Enabling auto-lock on devices when leaving them unattended, even within Sparking Speech Clinic locations
  • Use of non-identifiable note taking options (e.g. initials, not names)
  • Awareness of the Sparking Speech Clinic procedure should a possible data breach occur, either through malicious action (theft) or accident (loss) involving devices or physical files.