Who are we? Who is the Data Controller? The Children's OT is a private provider of children's Occupational Therapy services in Leinster, Ireland. The Children's OT Data Controller is Niamh Mallon. This statement relates to our privacy practices and GDPR compliance in connection with this website, www.thechildrensot.com. We are not responsible for the content, privacy practices or GDPR compliance of other websites. Any external links to other websites are clearly identifiable as such.
Where are we? Where is the location of processing? The Children's OT practice offers clinic-based appointments from The Children's Practice, Suite 5 Cubes 1, Beacon South Quarter, Dublin 18. The registered address of The Children's OT is Enfield, Co. Meath. Our 'phone number is 086 2727665 and email address is email@example.com. Personal Data is processed at our clinic base, registered address or at other locations where the Therapist is located on occasion.
What personal data do we process? How do we process data? We process the following data: Names (of parents/guardians and children), addresses, telephone numbers, email addresses and dates of birth. We process information relating to the health (physical and mental) and education of children using our service. We also process text submitted via forms on our website (which may or may not include names, e-mail addresses and telephone numbers) and IP addresses. We collect information in manual/paper and electronic formats. We do not record 'phone calls or conduct audio or video recording.
Our website (www.thechildrensot.com) is hosted by Squarespace; you can read more about Squarespace and GDPR compliance here: https://support.squarespace.com/hc/en-us/articles/360000851908-GDPR-and-Squarespace
Credit/debit card details and associated cardholder names and addresses submitted via The Children's OT website are processed directly by Acuity Scheduling (online appointment scheduling software) and Stripe (card payment processor). You can read about Acuity Scheduling, Stripe and GDPR compliance here: https://help.acuityscheduling.com/hc/en-us/articles/360003334751 and here: https://stripe.com/guides/general-data-protection-regulation. The Children's OT does not store credit/debit card information.
Our email (firstname.lastname@example.org) is hosted by Gmail; you can read about Gmail and GDPR compliance here: https://privacy.google.com/businesses/compliance/#?modal_active=none
As well as the thechildrensot.com domain name, we also own thechildrensot.ie and thechildrensot.co.uk domains, however our .ie and .co.uk domains both redirect to our .com domain. No personal data is collected or processed through our .ie or .co.uk domains.
How do we store and protect data? Physical/paper-based data is stored at our registered address at Enfield, Co. Meath under lock and key. Electronic data is similarly stored at our registered address and devices storing this information are encrypted and have McAfee LiveSafe Real-Time Scanning and Firewalls enabled. All data is accessible only by Niamh Mallon. We do not store patient information on cloud servers we do not email patient reports.
Information provide via this website is secured within HTTPS networks. HTTPS is the protocol over which data is sent between your browser and The Children's OT website. The "S" at the end of HTTPS stands for secure and indicates that these communications are encrypted.
How long do we retain data for? Our stance on data retention is guided by the HSE. As per the HSE's most recently (2013) published Records Retention Periods policy (https://www.hse.ie/eng/services/list/3/acutehospitals/hospitals/ulh/staff/resources/pppgs/rm/recret2013.pdf), we retain paper and electronic information relating to children/young people until the patient’s 25th birthday or 26th if the young person was 17 at the conclusion of treatment, or 8 years after death. We retain financial data for the current year plus six years. Once a retention period has expired, data is destroyed under confidential conditions.
Why do we process personal data? We process data as part of the process of providing Occupational Therapy services. This includes, but is not limited to booking clinic appointments, carrying out assessments and interventions, referring children to/discussing children's health needs with parents/guardians and other professionals, invoicing, end-of-year accounting and other day-to-day administration purposes that are within our legitimate interests.
Who do we share data with and why? The Children's OT does not share data with individuals, companies or organisations except under the following circumstances:
1. With your Consent - we will share personal information relating to your child with other professionals when we have your written permission to do so; examples include referring your child to another professional or sending a copy of your child's OT report to their school.
2. For processing by third parties - including Squarespace (website host), Gmail (email platform), Acuity Scheduling (online appointment scheduling software), Stripe (card payment processor) and our Accountants.
3. For legal reasons - The Children's OT will share personal information with outside organisations when legally obliged to do so e.g. at the request of the Gardaí or Revenue Commissioners.
Consent: Prior to initial assessment/consultation/intervention, we provide parents/guardians of <16s with a Consent Form which must be signed before assessment/consultation/intervention commences. Young people aged 16+ are required to sign their own Consent Form. Our Consent Form does not contain pre-ticked boxes and does not assume Consent; Consent must be freely given. Once provided, Consent remains valid for two years, although parents/guardians and young people can withdraw their Consent by advising us in writing of their desire to do so.
What is GDPR? The General Data Protection Regulation (GDPR) is a piece of legislation prepared by the European Union that aims to give you more control over how your data is used and protected. The new legislation comes into effect on the 25th May 2018. GDPR affords you the following rights:
1. Right to be Informed: You have the right to be provided with “fair processing information”, which will be completely transparent about how we have gathered and will use your data. You have the right to be notified about any third party processors with whom we share your personal data, along with the reason for doing so.
2. Right of Access: You have the right to confirmation that your personal data are being processed and to access a copy of your personal data.
3. Right of Rectification: You have the right to have your personal data corrected if it is inaccurate or incomplete.
4. Right to Erasure: You have the right to have your personal data deleted from our systems in the following situations:
When you withdraw consent
Data deletion is to comply with a legal obligation
Where the data was unlawfully processed
Where it is no longer necessary
Where you object to the processing
Where the personal data is processed to offer “information society services” to a child
We may have grounds to refuse such deletion requests for the following reasons:
Exercise the right of freedom of expression
For public health purposes in the public interest
To comply with legal obligations
The exercise or defence of legal claims
Archiving purposes in the public interest
5. Right to Restrict Processing: You have the right to request that we no longer process your data, but that we can still store it.
6. Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes, without hindrance. We will provide the data to you in a structured and widely used machine readable form.
7. Right to Object: You have the right to object to any direct marketing from us. We will immediately cease any such marketing upon request (via an unsubscribe link at the bottom of the direct marketing e-mail).
8. Rights in relation to Automated Decision Making and Profiling: We do not carry out any automated decision making or profiling activities, so this right does not apply in this circumstance.
To exercise these rights, please send an e-mail to email@example.com. We may ask you to verify your identity as part of processing the requests to exercise your rights. We will endeavour to respond to all requests within 30 days of receiving the initial request. If we are unable to complete the request within the 30 day limit, we will notify you within the required time limit.
Technical details in connection with visits to this website are logged by our internet service provider for our statistical purposes. No information is collected that could be used by us to personally identify website visitors. The technical details logged are confined to the following items:
the IP address of the visitor’s web server - this is the identifying details for your computer, or your internet company’s computer, expressed in "internet protocol" code (for example 192.16x.xx.xx). Every computer connected to the web has a unique IP address, although the address may not be the same every time a connection is made.
the top-level domain name used (for example .ie, .com, .org, .net)
the previous website address from which the visitor reached us, including any search terms used
the type of web browser and operating system used by the website visitor.
"The Children's OT" makes no attempt to identify individual visitors, or to associate the technical details listed above with any individual, nor will we disclose such technical information in respect of individual website visitors to any third party (apart from our internet service provider, which records such data on our behalf and which is bound by confidentiality provisions in this regard), unless obliged to disclose such information by law. The technical information will be used only by "The Children's OT" and only for statistical and other administrative purposes. You should note that technical details, which we cannot associate with any identifiable individual, do not constitute "personal data" for the purposes of the GDPR.
Cross-border data transfer: Our use of Squarespace, Gmail, Acuity Scheduling and Stripe means that certain personal data is stored on servers located outside of the EU. We understand that these companies are GDPR compliant and have subscribed to the EU-US and Swiss-US Privacy Shield which is a regulatory implementation designed to guarantee that EU citizens are adequately protected under EU data protection laws as their data passes into and out of the United States. Read more about Privacy Shield here: https://www.privacyshield.gov/welcome
Complaints about how your data is processed: If you are concerned about how personal data is processed by The Children's OT, please contact us via this link: https://www.thechildrensot.com/contact/ or by emailing firstname.lastname@example.org