Privacy Policy

ICO Reference- A1079762

Leah Burman Associates UK Limited Documentation and Professional Policy

Updated in accordance with GDPR and ICO practice Article 29 working party.

Leah Burman Associates UK Limited is registered with Information Commissioners Office for data control. ICO updates are read and the Documentation and Professional Policy updated regularly.


  • Referrals are accepted once the completed referral form is received verifying client data with parent/ carer consent (and consent from the young person if over 10 years old or over and able to understand/ make own decisions) (see Leah Burman Associates UK Ltd referral and parental consent form).
  • Referral information is saved on a spreadsheet depending on the psychologist it has been allocated to.  Each Psychologist has a spreadsheet providing information relating to their client.
  • All referrals are saved in individual electronic case files (labelled with the child’s name) and the referral document is password protected. Other information is added to this file, including emails from parents and professionals, copies of invoices, appointments letters, reports and paperwork from other professionals, and notes from telephone conversations.
  • Any handwritten notes made at the time of the telephone call are added to the child’s paper file, which is then scanned into an electronic file.
  • The referral information is stored on an electronic database which are password protected.
  • All personal data is saved securely on a password-protected, encrypted computer in a locked, secure building.
  • Parents/ carers and professionals are informed of the Information Security Policy and Record Keeping Policy.
  • Information from referrals which do not proceed are deleted after six months (electronic files are deleted completely and paper copies are disposed of via confidential waste).


  • Assessment notes and information gathered during assessment (including notes from observations, questionnaires, test forms and notes from discussions with parents, carers, school staff, young people and other professionals) are initially recorded by hand and are made in paper files for the individual client. These are stored in locked cabinets in a secure building.
  • The content of paper files is then scanned electronically; either scanned or saved as PDF or password protected word documents. All electronic data is stored confidentially in electronic case files on a secure password protected computer electronic file. This may include reports/ typed notes from discussions with other professionals, including telephone conversations.
  • All paper files are subsequently held securely
  • Reports are typed on an encrypted, password protected computer and are saved in the child’s electronic file.
  • All data is stored on a password protected computer and backed up in a cloud. Computers are stored in a locked, secure building.
  • A data protection officer is appointed (Debbie Haffner, Lead Psychologist) to audit data protection every 8 weeks and to detect, report, investigate any personal data protection breech and to identify actions to be taken to prevent future breeches of data protection/ confidentiality.

Historic Case Files

  • Copies of all children’s reports are stored in the archives on a password protected, encrypted computer.
  • Archived files are also stored on an external hard drive, stored in a locked filing cabinet in a secure locked building.
  • Archive files on the computer in electronic case files (password protected).

Transmission of Data

  • Parents are asked to send an email to the psychologist/ Fiona Poole (Secretary for Leah Burman Associates UK Ltd) to check the validity of the email address. Leah Burman Associates UK Ltd staff click reply to send secure data.
  • When transmitting confidential data, the email thread is deleted from the new email containing the data.
  • Parental consent is gained to receive and send confidential data to other professionals (see Leah Burman Associate consent form).
  • If Leah Burman Associates UK Ltd receive a request from either a parent or professional to disclose confidential data, the parents are either asked to email the confidential data themselves or asked to give signed consent to Leah Burman Associates UK Ltd to transfer the confidential data (using the data sharing consent form).
  • Parents who do not have access to a computer can request that the report be posted. In this instance, reports will be sent via post, using recorded delivery. The address will be confirmed by Leah Burman Associates UK Limited before posting.

Secure Report Distribution

  • Reports are saved and forwarded in a form which restricts editing to prevent unauthorised alterations, i.e. by pdf format or sent with track changes.
  • Parents are emailed to inform them the report is complete and ready to be sent. Parents are asked to respond to the email to confirm they are expecting the report.
  • Once the parent’s email is received, the electronic copy of the password protected report is emailed and the parents are asked to acknowledge receipt of the report. The password to open the report is emailed separately.
  • The sent email is deleted from Leah Burman Associates’ sent, deleted and trash box.
  • Reports are only distributed to other professionals in accordance with parents’ signed distribution authorisation. Email addresses are verified and all reports are password protected. Passwords are sent in a separate email.
  • A copy of the final report is encrypted and archived on the computer (cloud).

Record Keeping/ Data Storage/ Deletion

  • Full, clear and accurate records are kept in relation to individual clients who are assessed, or for whom services are provided.
  • All records are completed promptly and as soon as possible after assessments or other services.
  • The director’s PA is familiar with all record keeping arrangements and will make suitable provision should the director of the service become ill, or unable to work.  In this circumstance, records will be transferred to another psychological practice where they can be accessed with appropriate permissions, as required.
  • Computer data is stored on encrypted password protected computers and backed up to encrypted cloud storage. Computers are stored in a locked, secure building.
  • Portable computers are BIOS password protected and fully drive encrypted.
  • Sensitive documents are further password encrypted by applications on creation and at rest.
  • All electronic data is password protected before sending it by email to parents and other professionals, including appointment letters, invoices and reports.
  • Referral information and any additional information in children’s electronic or paper files where parents have decided not to proceed are deleted within 1 month of the last contact with parents (i.e. paper information is shredded in confidential waste and electronic data is deleted and removed from trash).
  • Any scrap paper where clients can be identified are shredded instead of binned.
  • Records are kept until the client reaches the age of 26 years, or for 7 years following an assessment for clients over 18 years, in order to comply with professional requirements in relation to possible legal actions/ legal requirements. There may be some exceptional professional circumstances for keeping some files for longer
  • Consent to store data for this amount of time will be gained through the request form.

Process for People Requesting Access to Records

This right, commonly referred to as Subject Access is created by Section 7 of the Data Protection Act. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this and an individual who makes a written request and pays a fee is entitled to be:

  • Told whether any personal data is being processed.
  • Given a description of the personal data, the reasons it is being processed and whether it will be given to any other organisations of people.
  • Given a copy of the information comprising the data and given details of the source of the data (where this is available).

Any individual/ authorised organisation can request information about the reasoning behind any decisions, an assessment report or copies of case notes. The policy for responding to requests for confidential data is:

  • Respond to the request within 40 calendar days of receiving the request.
  • Ask whom the request is for and inform parents, carers, or adult clients of the data control and confidentiality procedure- (Information Commissioners Office,
  • Ask parents/ carer/ clients to give signed consent to share the data from the case notes and ask for proof or identify with their name and home address (Driving license/ passport), with a signature (see Leah Burman Associates UK Ltd consent form).
  • Parents and clients can view and discuss the case notes with the psychologist in a face-to-face meeting if requested.

Associates/ Employees

  • It is every professional’s personal responsibility to store data in accordance with the GDPR, Information Security Policy and Record Keeping Policies.

Complaints Procedure

In the event that clients wish to complain about the use of their information we inform them that they should contact us to resolve the matter in the first instance and also of their  right the complain to the Information Commisisioner’s Office whose contact details are:

Wycliffe House

Water Lane




Tl 0303 123 1113

Review and Update Procedure…..

Leah Burman Associates Documentation and Professional Policy

Updated in accordance with GDPR and ICO practice Article 20 working party