Privacy Notices - Paediatric therapies Privacy Notice


Swindon Borough Council provides a range of community health, social care and early help services such as family centres and the youth engagement service, as well as education support services. This in an integrated children’s service and is named children, families and community health services.

This service holds information on paper and on an electronic database about your family if you are referred to us and if you go on to receive a service. Once your information is on the database, other professionals within Swindon Borough Council's children, families and community health services will be able to see which services you are involved with and any relevant case information. Staff need this information so they can give the best advice possible and offer support.

Individual case information will be shared with our partner agencies to provide the right care for your child, this may include their GP, Medical and educational professionals involved in their care, their educational setting, their named social worker, SENAT if you have applied for an Educational health Care Plan.

If there is a potential risk of significant harm to a person. Relevant information will also be shared with partners at contact stage through our MASH (multi agency safeguarding hub) which is operated by Swindon Borough Council.

What is a Privacy Notice?

A Privacy Notice is a statement issued by an organisation which explains how personal and confidential data about individuals is collected, used and shared

Who is collecting and using your personal data?

Swindon Borough Council will act as a “Data Controller” for any personal data that you provide to us.  We will ensure that the data given to us is processed in line with our Data Protection Act 2018 (DPA 18) and the EU General Data Protection Regulations. (GDPR)

To find out more about Swindon Borough Council’s data protection policies please contact our Data Protection Officer. or in writing to Data Protection Officer, Civic Offices, Euclid Street, Swindon, Wiltshire, SN1 2JH.

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

What personal data do we collect?

The categories of this information that we collect, process, hold and share include:

  • personal information (such as name, unique pupil number, NHS number and contact details including address, phone number and email)
  • characteristics (such as ethnicity, language and free school meal eligibility)
  • GP
  • educational setting
  • medical professionals details who are involved in the multidisciplinary care of your child
  • details of parents and carers
  • photos or videos of your child to support their clinical care
  • school attainment and attendance data
  • case information if you are in receipt of services from children, families and community health. Case information relating to children and their families will include contact, referral, assessment, plans, reviews, outcomes, images, recordings and case information notes for all of the below services:
    • Social care services for children in need, children on child protection plans, children looked after and care leavers
    • Early help and education services including:
      • community health services (health visiting, family nurse partnership, school nursing, speech and language therapy, paediatric therapy)
      • SENAT (special educational needs)
      • schools admissions
      • early years (pre-school and nursery provision including payment to providers
      • education welfare and exclusions
      • education psychology
      • parent partnership
      • youth engagement
      • TAMHS (Targeted mental health services)
      • alternative provision and reintegration team
      • safeguarding education
      • virtual school for looked after children


How do we process your personal data?

We comply with our obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

Why do we need your personal information?

We may need to use some information about you to:

  • deliver services and support to you
  • manage those services we provide to you
  • train and manage the employment of our workers who deliver those services
  • help investigate any worries or complaints you have about your services
  • keep track of spending on services
  • check the quality of services
  • help with research and planning of new services
How the law allows us to use your information?

There are a number of legal, legitimate or lawful reasons why we need to collect and use your personal information.

Each Privacy Notice from the menu on this page explains for each service which legal reason is being used. Generally we collect and use personal information in circumstances where:

  • it is necessary to perform our statutory duties
  • it is necessary to protect someone in an emergency
  • it is required by law
  • it is necessary to deliver health or social care services
  • it is necessary for legal cases
  • it is necessary to protect public health
  • it is necessary for archiving, research, or statistical purposes
  • you, or your legal representative, have given consent

If we have consent to use your personal information, you have the right to remove it at any time.

If you want to remove your consent, contact and tell us which service you are using so we can deal with your request.

We only use what we need!

Where we can, we will only collect and use personal information if we need it to deliver a service or meet a requirement.

If we do not need personal information, we will either, keep you anonymous if we already have it for something else, or we will not ask you for it. For example in a survey, we may not need your contact details we will only collect your survey responses.

If we use your personal information for research and analysis, we will always keep you anonymous or use a different name unless you have explicitly agreed that your personal information can be used for that research.

We do not sell your personal information to anyone else.

Who do we share your information with?

We use children and young person’s data to:

  • work with other professionals across health, education and social care to ensure that the care of your child is joined up to meet their needs in a safe and effective way
  • enable us to carry out specific functions for which we are responsible
  • meet statutory reporting  and case recording requirements for Social Care, Early Help, Virtual School, Exclusions and Reintegration, Education Safeguarding and Special Educational needs service provision
  • derive statistics which inform decisions such as the funding of schools
  • assess performance and to set targets for the services we provide
  • provide commissioning services with aggregate data so that we can be held accountable for the services we are commissioned to provide
  • complete statutory returns on children in receipt of social care and health and Early Help services and these datasets can include unique identifiers such as a National Health Number

The lawful basis on which we use this information

We collect and use this information under Article 6 (lawful processing), and Article 9 (special categories of data), of GDPR 2018:

Article 6 of GDPR:

Public task: the processing is necessary for the local authority to perform a task in the public interest or for official functions, and the task or function has a clear basis in law in terms of Health and Social Care Provision.

For those early help services where the above does not apply:

Consent: the individual has given clear consent for the local authority to process their personal data for a specific purpose.
Article 9 (2) of GDPR – Special Categories of Data and lawful processing of:
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
The Data Protection Act 2018 (12, Schedule 1, part 2 specifically outlines the responsibilities in relation to processing data for the purposes of safeguarding children and individuals at risk.

Collecting this information

Whilst the majority of children and young person’s information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the data protection legislation, we will inform you whether you are required to provide certain information to us or if you have a choice in this.

Storing this information

We hold children and young person’s data for set periods of time based on statutory requirements and the Council’s data retention policy.

The Local Authority (LA) uses information about children for whom it provides services, to enable it to carry out specific functions for which it is responsible, such as the assessment of any special educational needs the child may have. Swindon Borough Council holds child level information on a database for children and families who are in receipt of Education, Health and Social Care Services. It also uses the information to derive statistics to inform decisions on (for example) the funding of schools, and to assess the performance of service delivery and identify where improvements are required.

Who we share this information with

We routinely share children and young person’s information with:

  • Department for Education (DfE) - on a statutory basis under section 3 of The Education (Information about Individual Pupils) (England) Regulations 2013
  • Department of Education (Social Care) – under the Children’s Act 1989 which requires us to complete statutory reporting requirements for children in receipt of social care
  • Youth support services – under section 507B of the Education Act 1996, to enable them to provide information regarding training and careers as part of the education or training of 13-19 year olds.
  • NHS provision – mandatory data collection for The Mental Health Services Data Set (MHSDS). This dataset contains record-level data about the care of children, young people and adults who are in contact with mental health, learning disabilities or autism spectrum disorder services.
  • RCSLT (Royal College of Speech and Language Therapists), National ROOT database for Speech and Language Therapy, Therapy Outcome measures (TOMS)
  • Speech and Language Therapy - we may wish to use recordings and images of children and young people during therapy for Education and Training purposes for other health and social care professionals. You will be asked for your consent before any recordings and images are taken and if you are willing for them to be used for this purpose. You may withdraw your consent for this at any time and the recording and/or image will no longer be used and deleted as per the SBC data retention policy.

Education and training

We hold information about young people living in our area, including about their education and training history. This is to support the provision of their education up to the age of 20 (and beyond this age for those with a special educational need or disability).  Under parts 1 and 2 of the Education and Skills Act 2008, education institutions and other public bodies (including the Department for Education (DfE), police, probation and health services) may pass information to us to help us to support these provisions.

Pupils aged 16+

We will also share relevant information about pupils not in education, training or employment (such as their contact details) aged 16+ with the provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide the following services:

  • Post-16 education and training
  • Careers advice

MASH (Multi Agency Safeguarding Hub)

Swindon Borough Council like many other authorities operates a MASH team which helps provide a joined up service at the point of contact to children services. In order for the team to offer you the best advice and service, colleagues within the MASH (Health, Social Care and Police), may share relevant information. Consent will always be sought with families first, but there may be some cases where information is shared without consent if it is in the best interest of the child/children referred to us.

Troubled Families Initiative

Personal information will be matched within Swindon Borough Council e.g. Housing Benefit and also to those held within other organisations such as the police,  probation, and schools, Carers Centre, and Job Centre Plus to identify families who may potentially benefit from the government led troubled families initiative and this information is held on the integrated children services database. Outcomes for families included in the programme will also be recorded. If you are currently in receipt of support from a service team working within the programme, this will also be recorded on the integrated children services database. Basic demographics such as name, address and vulnerability factors will also be shared with the Department for Communities and Local Government for research purposes.

More information is available at GOV.UK - helping troubled families website.

CP-IS (Child Protection Information Sharing) System

This is a national system which was introduced during 2015.

If your child is subject to a child protection plan or a child in care this will be flagged on the CP-IS system which is national health system. This system can be accessed by health providers in hospital emergency departments and health providers to let them know your child in on a child protection plan or in care. Your social worker will also receive an automatic notification that your child has been admitted to hospital.

ATV (Adoption Thames Valley)

Adoption Thames Valley provides adoption services to the Borough and recruit and match adopters to children. We share relevant case information in relation to the children who have adoption in their best interest in order to complete the adoption process.

CHIS (Child Health Information Service)

The Child Health Information Service is responsible for the health records for all children. We share information in relation to the demographics and school relating to children to make sure immunisations are delivered effectively and that children under aged 5 receive the visits and support required as part of the National Healthy Child Programme delivery.

Eligibility for two-year-old early years funding

A dataset is received from DWP identifying parents/carers whose child is eligible for two-year-old funding for pre-school sessions. This entitles two-year-olds to a fully funded place. This address and parent is matched to our children’s database to identify the name and date of birth of the child entitled, and the council will then contact you in writing to advise you of your eligibility.

Post-16 providers attended by Swindon learners

We will share demographics and personal characteristics of a young person with post-16 Swindon providers where those providers may be able to offer choices to the young person which could improve their life chances and enable them to make a positive contribution. The information will also be shared as part of the September Guarantee Process, which is a statutory obligation for Children Services to ensure that all young people are offered appropriate learning opportunities.

Virtual School

The purposes for sharing information between Swindon Borough Council’s Virtual School for Children in Care and schools, academies and Education and Learning Providers are:

  • The purpose of sharing information is to safeguard the welfare of children in care through monitoring of attendance
  • Schools and learning providers have the basic information about pupils on their roll, additional information about care status and the professionals that support the child in care is shared to support partnership working
  • Information about the child in care’s education attainment and progress will be shared with the current education provider to support improved educational outcomes and to ensure appropriate support for learning
  • Ensure sufficient and appropriate learning provision is available to meet the needs of young people up to the age of 18 years old
  • Support in the short and long term strategies to reduce young people NOT in employment, education or training (NEET) and those who are ‘Unknown’ to the local authority
  • Enable all learning providers to utilise data to enhance their current learning provision and offer young people appropriate learning provision.

Education Safeguarding

The purposes for sharing information between Multi-Agency partners and schools, academies and Education and Learning

Providers are:

  • to facilitate the exchange of personal and sensitive information in the interests of protecting children and young people from actual or potential harm
  • to prevent crime
  • for investigations under Safeguarding Children procedures
  • to make an assessment of the service user's needs so that appropriate services can be provided
  • for the early identification, prevention, and investigation of abuse and neglect

Exclusions and reintegration

The purpose of sharing information between SBC, schools, pupil referral units (PRU’s) and alternative education providers is to ensure SBC fulfils its statutory responsibility of ensuring that provision is made for those pupils unable to access education, either because of permanent exclusion or because they are unable to access mainstream schools for medical reasons.

Appropriate child level case information is also shared between SBC, schools and PRUs regarding pupils who are not attending an educational placement on a full time basis.  This is in line with requirements of the Ofsted framework and evaluation schedule.

Appropriate child level case information is shared with Fair Access Panel and or Gaps in Provision Panel to ensure all pupils secure a suitable education placement.

Why we share this information

We share children and young person’s data with the Department for Education (DfE) on a statutory basis under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013. This data sharing underpins school funding, educational attainment policy and monitoring and enables them to; produce statistics, assess our performance, determine the destinations of young people after they have left school or college and to evaluate Government funded programmes.

We share relevant case information with practitioners who are working with children and families when it is necessary for service provision and in the best interests of the child.

We do not share information about children and young people without consent unless the law and our policies allow us to do so.

Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education go to:

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

The law requires us to provide information about our pupils to the DfE as part of statutory data collections. Some of this information is then stored in the national pupil database (NPD). The legislation that requires this is the Education (Information

About Individual Pupils) (England) Regulations 2013

To find out more about the NPD, go to:

The Department may share information about our pupils from the National Pupil Database with third parties who promote the education or well-being of children in England by:

  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • who is requesting the data
  • the purpose for which it is required
  • the level and sensitivity of data requested
  • the arrangements in place to store and handle the data

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, visit:

For information about which organisations the department has provided pupil information, (and for which project), visit:

To contact DfE:

How do we protect your information?

We will do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them.

Examples of our security include:

  • encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code, or what is called a 'cypher'. The hidden information is said to then be 'encrypted'.
  • pseudonymisation, meaning that we will use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours.
  • controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
  • training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches).
How long do we keep your personal information?

Personal health records need to be retained for minimum periods to take account of the Limitation Act 1975 and the Congenital Disabilities (civil liability) Act 1976.

Records relating to children and young people, including community child health records - until patients 25th birthday or 26th if entry made when young person was 17, or 8 years after death.

What you can do with your information?

The law gives you a number of rights to control what personal information is used by us and how it is used by us.

You can ask for access to the information we hold on you.

We would normally expect to share what we record about you with you whenever we assess your needs or provide you with services.

However, you also have the right to ask for a copy of all the information we have about you and the services you receive from us. When we receive a request from you in writing, we must give you access to everything we have recorded about you, however, we cannot let you see any parts of your records that contain: 

  • confidential information about other people
  • data a professional thinks will cause serious harm to you or someone else’s physical or mental wellbeing
  • information may stop us from preventing or detecting a crime.

This applies to personal information that is in both paper and electronic records. If you ask us, we will also let others see your record (except if one of the points above applies).

If you cannot ask for your records in writing, we will make sure there are other ways that you can.

If you have any queries about access to your information contact

You can ask to change information you think is inaccurate.

You should let us know if you disagree with something written on your file.

We may not always be able to change or remove that information but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

You can ask to delete information (right to be forgotten).

In some circumstances, you can ask for your personal information to be deleted, for example: 

  • Where your personal information is no longer needed for the reason it was collected in the first place
  • Where you have removed your consent for us to use your information and where there is no other legal, legitimate or lawful reason for us to keep it
  • Where there is no legal reason for the use of your information
  • Where deleting the information is a legal requirement.

Where your personal information has been shared with others, we will do what we can to make sure those using your personal information comply with your request for erasure.

Please note that we cannot delete your information where:

  • we are required to have it by law
  • it is used for freedom of expression
  • it is used for public health purposes
  • it is used for, scientific or historical research, or statistical purposes where it would make information unusable
  • it is necessary for legal claims

You can ask us to limit what we use your personal data for.

You have the right to ask us to restrict what we use your personal information for where:

  • you have identified inaccurate information, and have told us of it
  • where we have no legal reason to use that information, but you want us to restrict what we use it for rather than erase the information altogether

When information is restricted, it cannot be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it is for important public interests of the UK.

Where restriction of use has been granted, we will inform you before we carry on using your personal information.

You have the right to ask us to stop using your personal information for any council service. However, if this request is approved this may cause delays or prevent us from delivering that service to you.

Where possible we will always seek to comply with your request, but we may need to hold or use information because we are required to by law.

You can ask to have your information moved to another provider (data portability).

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.

However, this only applies if we are using your personal information with consent (not if we are required to by law) and if decisions were made by a computer and not a human being. 

It is likely that data portability will not apply to most of the services you receive from the Council. 

You can ask to have any computer made decisions explained to you, and details of how we may have 'profiled' you.

You have the right to question decisions made about you by a computer, unless it’s required for any contract you have entered into, required by law, or you have consented to it.

You also have the right to object if you are being 'profiled'. 'Profiling' is where decisions are made about you based on certain things in your personal information. For example, your health conditions.

If the Council uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed.

If you have concerns regarding automated decision-making, or profiling, please contact our Data Protection Officer who will be able to advise you about how we are using your information. 

Your right to complain

In the event that you wish to complain about the way that your personal data has been handled by Swindon Borough Council, you should write to the Data Protection Officer and clearly outline your case. Your complaint will then be investigated in accordance with our customer complaint procedure.
If you remain dissatisfied with the way your personal data has been handled, you have the right to complain to the Information Commissioner’s Office at You may refer the matter to the Information Commissioner’s Office whose contact details are below:

Information Commissioner’s Office
Wycliffe House
Water Lane


This website also contains information on data protection and your rights and remedies.

What if you do not provide personal data?

You are under no statutory obligation to provide personal data to Swindon Borough Council. However, if you do not provide sufficient data, we may not be able to provide your child with a safe and effective service.

How will we ensure compliance?

A yearly audit will take place on personal data to ensure that we remain legally compliant in accordance with current data protection legislation.

Main privacy notice

You are viewing the Privacy Notice for Paediatric therapies.

Read the main Privacy Notice