Privacy Policy
1. INTRODUCTION AND SCOPE
This Privacy Policy sets out how Hopscotch Children's Therapy Centre ("HCTC", "we", "us", "our") collects, uses, stores, and protects personal data. It applies to all individuals whose personal data we process, including clients, their parents and carers, employees, contractors, and third parties. It also sets out the obligations of all HCTC staff and contractors when handling personal data.
We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and all other applicable data protection legislation. Failure to comply with this Policy may result in disciplinary action and, in serious cases, regulatory enforcement.
Our registered address is: Hopscotch Children's Therapy Centre, 11 Gower Street, London WC1E 6HB. Data protection enquiries should be directed to info@hopscotchtherapy.co.uk.
2. WHAT IS PERSONAL DATA AND WHAT IS A DATA SUBJECT
Personal data is any information about an identifiable living individual. An individual is identifiable where HCTC holds direct identifiers such as name, address, date of birth, or where identification is reasonably possible by other means such as employee ID numbers, client reference numbers, or combinations of indirect information.
Online identifiers including cookie IDs, IP addresses, and device IDs are also personal data, as are subjective opinions and decisions made about individuals.
Special Category Data
Special category data is personal data that is more sensitive in nature and therefore attracts additional protections under Article 9 of the UK GDPR. As a paediatric therapy clinic, we regularly process special category data including data concerning the physical and mental health of children, and in some circumstances, data relating to disability, ethnicity, and family circumstances. This data is processed only where a lawful basis under Article 6 and an appropriate condition under Article 9 of the UK GDPR have been identified, as set out in this Policy.
3. WHAT IS PROCESSING
Processing means any use that HCTC makes of personal data. This includes obtaining, creating, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, combining, restricting, erasing, or destroying personal data.
4. CORE DATA PROTECTION PRINCIPLES
HCTC follows the six core data protection principles set out in Article 5 of the UK GDPR when processing personal data:
a. Lawfulness, Fairness and Transparency
We always process personal data fairly, in line with individuals' reasonable expectations, and lawfully. We inform individuals how their personal data will be collected and used at the time of collection, or within one month where data is obtained from another source. Privacy notices are written in clear, plain language and are easily accessible.
We only process personal data where we can identify a lawful basis under Article 6 of the UK GDPR. Applicable bases include:
- Consent: the individual has given clear consent to the processing;
- Contract: the processing is necessary to perform a contract with the individual, or to take steps prior to entering into a contract;
- Legal obligation: the processing is necessary for compliance with a legal obligation to which HCTC is subject;
- Legitimate interests: the processing is necessary for HCTC's legitimate interests or those of a third party, except where the interests or rights of the individual override those interests.
Where we process special category data, we also identify an appropriate condition under Article 9 of the UK GDPR. Our primary condition for processing children's clinical and therapeutic data is Article 9(2)(h) (processing necessary for the provision of health care or treatment), together with the associated Schedule 1 condition under the DPA 2018.
b. Purpose Limitation
We only process personal data for purposes that are legitimate and that we have communicated to the individual. We do not process personal data for any purpose that is incompatible with the purpose for which it was originally collected. If our purposes change, we will provide a further privacy notice before any new processing takes place.
c. Data Minimisation and Accuracy
We only collect personal data that is adequate, relevant, and limited to what is necessary for the purpose of processing. We do not collect personal data speculatively or on the basis that it may be useful in the future. We take reasonable steps to ensure that personal data is accurate, and correct or delete inaccurate data promptly.
d. Storage Limitation
We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law or professional regulation. Clinical records are generally retained in accordance with the NHS Records Management Code of Practice and the standards of the Health and Care Professions Council (HCPC). Records relating to children are generally retained until the child's 25th birthday, or for eight years following the end of treatment if later, unless a longer period is required by law.
e. Integrity and Confidentiality
We implement appropriate technical and organisational measures to keep personal data secure, protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include encryption, access controls, data anonymisation where appropriate, and staff training. We also maintain a data breach response programme to enable us to log, remediate, and report breaches as required by law.
f. Accountability
We can demonstrate our compliance with this Policy and with applicable data protection law. We design our services and procedures with privacy in mind from the outset (privacy by design) and process only the minimum necessary data by default (privacy by default). We maintain a formal Record of Processing Activities and carry out Data Protection Impact Assessments (DPIAs) where required.
5. INDIVIDUAL RIGHTS
Under UK GDPR, individuals have the following rights in relation to their personal data. Requests to exercise any of these rights should be directed to info@hopscotchtherapy.co.uk. We will respond promptly and within the timescales required by law.
- Right of access: to obtain confirmation that we process your personal data and to receive a copy of it, together with supporting information about how and why it is processed.
- Right to rectification: to request correction of inaccurate or incomplete personal data.
- Right to erasure: to request deletion of personal data in certain circumstances, for example where consent has been withdrawn or the data is no longer necessary.
- Right to restriction: to request that processing is paused whilst a complaint is resolved, or where processing is unlawful but erasure is not required.
- Right to data portability: to receive personal data in a structured, machine-readable format, where processing is based on consent or contract and is carried out by automated means.
- Right to object: to object to processing based on legitimate interests, or to processing for direct marketing purposes.
- Rights related to automated decision-making: not to be subject to decisions taken solely on the basis of automated processing where those decisions have a legal or similarly significant effect. HCTC does not use automated individual decision-making technology.
If you are not satisfied with our response to any rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
6. SUBJECT ACCESS REQUESTS (SARs)
Your right of access
Under Article 15 of the UK GDPR and the DPA 2018, you have the right to obtain confirmation of whether we hold personal data about you, and to request a copy of that data together with supporting information about how and why we process it. This is known as a Subject Access Request (SAR).
How to make a request
SARs can be submitted in any format: there is no prescribed form and no specific wording is required. You may submit a request in writing by email to info@hopscotchtherapy.co.uk or by post to Hopscotch Children's Therapy Centre, 11 Gower Street, London WC1E 6HB. Any written communication that asks for your personal data, or asks what data we hold about you, will be treated as a SAR and handled accordingly.
Identity verification
Before we can respond to any SAR, we are required to satisfy ourselves that the request is made by, or on behalf of, the correct individual. This is to ensure that personal data is only ever disclosed to the person entitled to receive it.
We use Yoti, a UK-based GDPR-compliant digital identity verification platform, to carry out this process securely and proportionately. Upon receipt of your SAR, we will send you a separate email with instructions on how to complete the Yoti verification process. Please do not send copies of identity documents by standard email; all verification must be carried out through the Yoti process only. Identity information collected for verification purposes will not be retained by HCTC beyond what is strictly necessary and will be securely deleted once verification is complete, in accordance with the principle of data minimisation under Article 5(1)(c) of the UK GDPR.
Where you have an existing and established relationship with us and your identity is not in doubt, we may waive or simplify the verification requirement in accordance with the principle of proportionality.
What we will provide
In response to a valid SAR, we will provide you with:
- Confirmation of whether we hold personal data about you;
- A copy of that personal data in a commonly used, intelligible format;
- Information about the purposes for which we process it;
- The categories of data held;
- The recipients or categories of recipients to whom it has been or may be disclosed;
- The retention period or the criteria used to determine it;
- Information about your rights, including the right to request rectification, erasure, or restriction of processing.
Timescales
We will respond to your SAR within one calendar month of receiving it, or within one calendar month of completing identity verification where this is required first, in accordance with Article 12(3) of the UK GDPR. Where a request is complex, involves a large volume of data, or involves multiple data subjects, we may extend the response period by a further two months, making a maximum of three months in total. If we need to extend the period we will notify you within the first month and provide reasons for doing so.
Fees
There is no charge for making a SAR. However, where requests are manifestly unfounded or manifestly excessive, in particular where they are repetitive in nature, we reserve the right, in accordance with Article 12(5) of the UK GDPR, to either charge a reasonable administrative fee reflecting the cost of providing the information, or to refuse to comply with the request. Where we refuse or charge a fee, we will provide written reasons and notify you of your right to complain to the ICO.
Exemptions
Certain personal data may be exempt from disclosure under Schedules 2 and 3 of the DPA 2018. Applicable exemptions include but are not limited to:
- Data relating to current or contemplated legal proceedings;
- Data subject to legal professional privilege;
- Data which would prejudice the prevention or detection of crime;
- Data relating to third parties whose rights and freedoms would be adversely affected by disclosure.
Where an exemption applies, we will notify you in writing, identify the exemption relied upon, and provide our reasons. We will always disclose the maximum amount of information possible within the bounds of any applicable exemption.
How to complain
If you are not satisfied with our response to your SAR, or if you believe we have failed to comply with our obligations, you have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113. You also have the right to seek a court order requiring us to comply with a SAR.
7. CHILDREN'S PERSONAL DATA
Our commitment to children's privacy
As a paediatric therapy clinic, a significant proportion of the personal data we hold relates to children under the age of 18. We recognise that children require specific protection in relation to their personal data, as they may be less aware of the risks and consequences of sharing their information. We design all of our data processing with the best interests of the child as our primary consideration, in accordance with the principle of privacy by design and by default under Article 25 of the UK GDPR, and in line with ICO guidance on Children and the UK GDPR.
What data we collect about children
In the course of providing Occupational Therapy, Speech and Language Therapy, and related therapeutic and assessment services, we collect and process the following categories of personal data relating to children:
- Full name and date of birth;
- Contact and address information (held via the parent or carer);
- Clinical and therapeutic records including assessment reports, session notes, programme plans, and progress records;
- Education, Health and Care Plan (EHCP) documentation;
- School and educational setting information;
- Referral and correspondence records;
- Any other information necessary to deliver the agreed provision.
Special category health data
Clinical and therapeutic records constitute special category data under Article 9 of the UK GDPR as they relate to the physical and mental health of the child. We are required to identify both a lawful basis under Article 6 and a separate condition for processing under Article 9. Our lawful basis for processing children's clinical data is the performance of a contract for the provision of therapeutic services (Article 6(1)(b)), and where applicable, compliance with a legal obligation (Article 6(1)(c)). Our condition for processing special category health data is Article 9(2)(h) (processing necessary for the provision of health care or treatment), together with the associated Schedule 1 condition under the DPA 2018. We document which categories of special category data we process and maintain appropriate safeguards at all times.
Children's rights
Children have the same data protection rights as adults under the UK GDPR. These include the right to access their personal data, request rectification, object to processing, and have their personal data erased. Where a child is of sufficient age and maturity to understand and exercise their own data protection rights, we will respond to requests made directly by the child. In England and Wales, there is no fixed age of competence and we assess this on a case-by-case basis, having regard to the child's level of understanding and the nature of the request.
Where a child is not considered sufficiently mature to exercise their rights independently, a person with parental responsibility may do so on the child's behalf, subject to the conditions set out below. In all cases, the rights belong to the child and not to the parent, and the best interests of the child will always be our primary consideration.
Parental access to children's data
Where a parent or person with parental responsibility makes a request for access to a child's personal data, we are required before responding to satisfy ourselves that:
- The person making the request holds parental responsibility for the child;
- There are no court orders in place that restrict or qualify that parental responsibility or the person's ability to access information about the child;
- Disclosure is in the best interests of the child.
We will ask any person requesting a child's data to provide confirmation of parental responsibility, to complete our identity verification process via Yoti, and to confirm in writing whether any child arrangements order, prohibited steps order, or other relevant court order is in place.
Separated parents
Where parents are separated or not living together, we handle requests for a child's data with particular care. We may notify the other parent or carer before responding to a SAR, where we consider it appropriate and in the best interests of the child to do so. We will consider each situation individually and on its own facts. Where there is a dispute between parents regarding access to a child's data, the best interests of the child will prevail.
Sharing children's data with third parties
In the course of delivering therapeutic provision, we may share relevant data about a child with the following categories of recipients:
- Local Authorities, including Special Educational Needs and Assessment Services;
- Schools and educational settings named in or relevant to the child's EHCP;
- Other healthcare professionals involved in the child's care;
- Regulatory bodies where required by law or professional obligation.
We will always inform parents and, where appropriate, the child, about any significant sharing of their data, unless doing so would be contrary to the child's best interests or prohibited by law.
Retention of children's data
We retain children's clinical records in accordance with the NHS Records Management Code of Practice and the standards of the Health and Care Professions Council (HCPC). Clinical records relating to children are generally retained until the child's 25th birthday, or for eight years following the end of treatment if this is later, unless a longer retention period is required by law or professional regulation. Records relating to serious incidents may be retained for longer periods.
Privacy information for children
We are committed to providing privacy information in clear, plain language that is accessible to children. If you would like a version of this Privacy Policy written in child-friendly language, please contact us at info@hopscotchtherapy.co.uk and we will provide one on request.
8. SHARING PERSONAL DATA WITH THIRD PARTIES
Data processors are other organisations which process personal data on behalf of HCTC as a controller. We may appoint processors to help us process personal data, including payroll providers, recruiters, IT providers, and identity verification services. When appointing any data processor, HCTC:
- Ensures, before engagement, that the processor provides satisfactory assurances about their data protection practices;
- Signs the processor up to a formal Data Processing Agreement containing the terms required by Article 28 of the UK GDPR;
- Confirms on an appropriate periodic basis that the processor continues to meet the required standards.
Current data processors engaged by HCTC include Yoti Limited, used for the purpose of identity verification in connection with Subject Access Requests. Yoti processes identity data on our behalf in accordance with a Data Processing Agreement and in compliance with UK GDPR.
We do not sell personal data to third parties. We do not transfer personal data outside the United Kingdom except where appropriate safeguards are in place in accordance with Chapter V of the UK GDPR.
9. DATA BREACHES
HCTC maintains a data breach response programme. In the event of a personal data breach, we will assess the risk to individuals and, where required, notify the ICO within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to individuals, we will also notify affected individuals without undue delay. All breaches, whether reportable or not, will be logged internally.
10. CONTACT US AND HOW TO COMPLAIN
If you have any questions about this Privacy Policy, wish to exercise any of your data protection rights, or have a concern about how we handle your personal data, please contact us at:
Email: info@hopscotchtherapy.co.uk
Post: Hopscotch Children's Therapy Centre, 11 Gower Street, London WC1E 6HB
Telephone: 020 7486 8168
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
