The following information outlines how information will be processed and stored within Cornwall Autism Limited

Mary HOSKEN – HCPC accredited OT18005

Catriona Law – HCPC accredited SL22155

You may be aware of laws relating to General Data Protection Regulation (GDPR) that came into effect from 25 May 2018. The purpose of GDPR is to provide a set of standardised data protection laws across all EU member countries. This document sets out how Mary Hosken and Catriona (Oni) Law will comply with these laws.

Data Control – What is processed and why:

Mary Hosken and Oni Law are the data controllers for all information. They will collect and process the following personal data from clients:

  • Personal data: basic contact information including name, address, email, school, contact number and GP contact details.
  • Sensitive personal data: Signed contract, assessment records, reports and outcome measures.

The lawful basis for processing personal data:

Mary Hosken and Oni Law have a legitimate interest in using the personal data and sensitive personal data collected to provide diagnostic assessment.

Your information will never be sold to others.

What will be done with your personal information:

Your personal information is only used to provide the services you have requested.

How long we store personal information:

Your personal information will only be stored for as long as it is required. Basic contact information held on a therapist’s mobile phone will be deleted within 6 months of the end of the assessment.

The sensitive personal data defined above is stored for a period of 7 years after the child / young person has turned 18 (until their 25th birthday). After this time, this data will be deleted.

How your personal information is used:

We will use the information we hold to

  • Provide the service requested to you
  • Process payment for such services

You have the right to request that your personal contact information is deleted at any time.

Sharing personal information:

Information about you, your child and the assessment is held in confidence. This means that your personal information is not normally shared with anyone else. However, there are exceptions to this when we may be need to liaise with other services in exceptional circumstances such as:

  • When there is need-to-know information for another health provider, such as your GP.
  • When disclosure is in the public interest, to prevent a miscarriage of justice or where there is a legal duty, for example a Court Order.
  • When the information concerns risk of harm to the client, or risk of harm to another adult or a child.

We will discuss such a proposed disclosure with you unless we believe that to do so could increase the level of risk to you or to someone else.

We will NOT do the following with your personal information:

Your personal information will not be shared with third parties for marketing purposes.

How we will keep your personal information secure:

Personal information is minimised in phone and email communication.

Sensitive personal data will be sent to clients in an email attachment that is password protected. Email applications use private (SSL) settings which encrypts email traffic.

No open or unsecure Wi-Fi will be used to send any personal data.

Personal information is stored on a GDPR compliant secure cloud-based storage facility. This is password protected. No information will be stored on any office computer or mobile phone.

Malware and antivirus protection is installed on all computing devices used to access the cloud storage and secure email.

Mobile devices are protected with a passcode/thumbprint scanner.

Your right to access the personal information held about you:

  • You have a right to access the information held about you.
  • This will usually be shared with you within 30 days of receiving a request.
  • There may be an admin fee for supplying the information to you.
  • You may be requested to provide evidence of your identity before information is released.
  • A copy of your personal information will usually be sent to you in a permanent form (that is, a printed copy)
  • You have a right to request that your personal information is corrected if it is inaccurate.
  • You can complain to a regulator: If you think that Mary Hosken and Oni Law have not complied with data protection laws, you have a right to lodge a complaint with the Information Commissioner’s Office.


Data Protection Act 2018

Record Management Code of Practice for Health and Social Care 2016

Royal College of Occupational Therapists ‘Keeping Records; Guidance for Occupational therapists (4th edition)’

Royal College of Speech and Language Therapists Guidance on Record Keeping

Health and Care Professions Council – Standards of Conduct, Performance and Ethics, 26th January 2016