How we use information about you or your child/young person

Who We Are

Your information is being collected by Two Can Talk Speech Therapy Limited, a company registered in England & Wales with company number 8826718 whose registered office is at Two Can Talk, Cedar Lodge, Chiswick Avenue, Mildenhall, Suffolk, IP28 7BD. All references to “us”, “our”, or “we” throughout this notice refer to Two Can Talk Speech Therapy Limited.

This notice provides comprehensive information on how we collect, store, use and protect your information. If you have any questions regarding this policy or our data practices, please contact our Data Protection Lead: Mags Perry, Director.

What Information We Hold About You and Your Child/Young Person

We collect information about you or your child which may be obtained directly from you or from external sources during triage, assessment, or treatment.

This information may include:

  • Personal Demographics: Names, dates of birth, contact details, addresses and NHS numbers.

  • Clinical Category Data: Details relating to your or your child’s health, neurodevelopmental history, treatment notes and clinical observations.

  • Social & Educational Context: Information concerning family, lifestyle, social circumstances, education and school setting reports.

The information that we collect is strictly necessary for the purposes of providing clinical triage, formal assessments, speech and language therapy treatments and the safe administration of our clinical services.

Our Lawful Basis for Processing Data

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following explicit lawful bases to process your personal and special category health data:

  • Personal Data (Article 6): Processing is necessary for the performance of a contract to provide our services to you, or to take steps at your request prior to entering into a contract. It is also processed for our legitimate clinical operations.

  • Special Category Health Data (Article 9): Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, and the provision of direct health or social care treatment.

Who We May Share Your Data With

With your explicit consent, we may share relevant aspects of your personal or clinical information with relatives, schools, nurseries or other healthcare and educational professionals. This sharing is managed strictly in accordance with our Permission for Liaison with Other Professionals Policy.

We may also disclose necessary data to:

  • Our trusted technical service providers and clinical sub-contractors where required for system processing.

  • A legal third party who acquires our business entity.

  • Law enforcement and regulatory agencies (such as the Care Quality Commission) in connection with any legal investigation, statutory audit, or to help prevent unlawful activity.

Overriding Professional Duty: We maintain a strict statutory and professional safeguarding duty to inform Social Care Services and/or the Police if child abuse or significant neglect is suspected, or if a therapist is notified of an immediate safeguarding risk. We will aim to inform you before doing so, provided that doing so does not put you or your child at further risk.

Keeping Your Data Secure

We employ stringent technical and organisational measures to safeguard your personal data against unauthorised access, loss or alteration.

  • Electronic Records Management: All primary clinical data, session notes and medical intakes are hosted natively within our cloud-based Electronic Patient Record (EPR) system, Cliniko. Data is secured using banking-grade encryption infrastructure.

  • Access Controls: System access is limited strictly to authenticated, approved and regulated clinical or administrative staff.

  • Legacy Paper File Rules: Where legacy physical paper records are handled within general therapy settings, they are held securely in a locked filing cabinet. Once digitised into our secure cloud network, physical copies are destroyed via confidential on-site shredding.

Please note: While we use all reasonable efforts to safeguard your data, the transmission of information over the public internet is not entirely secure, and we cannot entirely guarantee the security of personal data transferred remotely to or from us via unencrypted channels.

Transfer of Data Out of the UK/EEA

We do not transfer or store your personal or clinical data outside of the United Kingdom or the European Economic Area (EEA).

Retention of Data

In strict compliance with the Records Management Code of Practice for Health and Social Care, data relating to you or your child is securely retained under the following minimum timescales:

  • Children & Young People Records: Retained until the child’s 26th birthday.

  • Adult Records: Retained for a minimum of 8 years following the date of their last clinical episode of care or discharge.

Upon reaching these statutory expiration windows, all associated data files and matching electronic databases are permanently and securely erased.

Your Statutory Rights

Under UK data protection legislation, you hold specific statutory rights regarding your data:

  • Right of Access (Subject Access Request): You have the right to request a copy of the personal and medical data we hold about you or your child. This must be requested in writing alongside valid proof of identity and address.

  • Right to Rectification: You have the right to require us to correct any factual inaccuracies in your records free of charge. Requests must be made in writing, providing sufficient text to identify the record and detailing the information that is incorrect and its correct replacement.

  • Right to Erasure (Right to be Forgotten): In specific legal circumstances, you can request the erasure of your personal data. Please note that your right to erasure may be legally superseded by our overriding statutory duty to preserve contemporaneous medical and clinical diagnostic charts under UK healthcare retention laws.

Your Right to Make a Complaint

If you have any concerns or questions as to the way in which we process your information, please do contact us directly. In addition, you have a statutory right to lodge a formal complaint at any time with the Information Commissioner’s Office (ICO). The ICO can be reached directly via their public website at www.ico.org.uk or via telephone at 0303 123 1113.

Special Privacy Addendum: MDT Autism Diagnostic Clinic

If you, your child, or a young person under your legal care is engaging with the Two Can Talk Autism Clinic for a formal multi-disciplinary autism spectrum or neurodevelopmental diagnostic assessment, the following supplementary data-processing protocols apply explicitly alongside our clinic-wide policies above:

1. Data Minimisation & Purpose Limitation

We collect and process highly specific personal and special category health data—including detailed early childhood milestone histories, standardised Autism Spectrum Quotient (AQ-10) screening metrics and third-party educational observations. This data is processed solely for the purpose of delivering clinical triage and robust, multi-disciplinary autism spectrum diagnostic assessments in line with national clinical frameworks.

2. Technical Security (Data Protection by Design)

To ensure absolute data security, all parent-facing intake packs and standardised AQ-10 clinical screening questionnaires are issued via secure, patient-specific digital links generated directly from our Electronic Patient Record (EPR) system, Cliniko. Because each form is unique to the individual patient, data maps directly and automatically into the correct child's cloud medical chart upon submission. This completely eliminates data entry handling errors and ensures information moves securely from your browser to our encrypted cloud environment, completely bypassing insecure public links, local device storage, or manual email attachments.

3. Third-Party School Processing

To gather essential multi-setting behaviour profiles, we utilise secure online forms for educators and teachers. Educational settings must actively verify their authorisation to share institutional observations before data input is permitted. Once a school questionnaire is completed, it is securely transferred into the child's permanent Cliniko medical chart, and any temporary local machine data generated during this transit is immediately and permanently purged by our administrative team.

4. Specialised Data Retention

In strict accordance with the national retention standards for neurodevelopmental, mental health, and multi-disciplinary paediatric assessments, all records and source documents compiled during an autism clinic evaluation are securely locked and retained until the child’s 26th birthday (or 8 years following discharge for adult clients), after which they are permanently deleted.

5. Verification of Data Subject Consents

Our intake process enforces granular consent logging. Legal guardians maintain the explicit right to grant or withhold permission regarding communication with educational providers or the automated sharing of final diagnostic outcome reports with their NHS General Practitioner (GP). These preference logs are permanently stamped onto the patient record and strictly audited by our clinical director prior to any report distribution.