At EPFirst we consistently handle sensitive data from our various clients, including schools, local authorities and parents. We understand our responsibility with regard to processing and storing this data safely and securely, in line with the new GDPR (General Data Protection Regulations), which came into force on 25th May 2018.

The purpose of processing personal data is to undertake an agreed psychological assessment. Educational psychology assessments involve the processing of special category data, including information about health, educational achievements, cognitive functioning, personality, interests and family history. The new regulations focus on enhanced rights for data subjects, in particular those in the ‘Special’ category (see link).

We will only collect information from you that is relevant to the purpose of undertaking that assessment and the associated feedback and reporting.

You will only be asked for personal information that is relevant for the work undertaken. The information that will be requested and held will enable the professional working with you or your child/young person to decide:

  • What kind of involvement is appropriate;

  • What tests and assessments should be used; and

  • Whether liaison with other professionals is needed.


The specific work carried out will vary according to the individual’s needs and the concerns being investigated. The range of supportive activities that may be undertaken includes:

  • Classroom observation;

  • Discussion with the Special Needs Coordinator (SENCo) and school staff;

  • Work alongside the child/young person in class;

  • Individual assessment work. This might involve using tests, questionnaires or interview techniques for eliciting views;

  • Discussion with other external professionals who are working with the child/young person, e.g. speech therapist, specialist teacher.

EPfirst has made a commitment to become a paperless company and will strive to store information electronically wherever possible. Paper information is stored in a locked cabinet temporarily where needed and then scanned and stored electronically before being shredded. 

Reading the current guidance, our responsibilities are as follows:
1. I confirm I have registered with the Information Commissioner’s Office (ICO)
3. I have conducted an audit of my work environment and confirm I have the appropriate systems in place and that physical personal data is locked away/destroyed securely
4. I understand the need to only use the data for the purposes detailed by the client, for which consent has been sought by the instructing client
5. I understand my responsibilities as both a Data controller and Data processor
6. I understand that personal data received should not be shared with others unless prior authorisation has been sought in advance
7. I understand what is meant by ‘Special categories’
8. I take all reasonable steps to ensure that I have the appropriate IT security in place to protect all personal data
9. I have a clear and safe process when asked to delete data (physical or electronic)
10. I only keep data for ‘as long as necessary’ and destroy both electronic and physical data safely and securely
11. I take all necessary care and precautions when transporting physical documents around to complete my work
12. Where applicable I transfer all personal data from my mobile device to a secure PC quickly to avoid any breaches occurring
13. If requested, I know how to respond to a ‘Subject Access Request/SAR’ and that no charge can be applied to the data subject requesting the data and that the request must be actioned within the 30 days’ time limit
14. If a ‘data breach’ occurs, I know to notify the ICO within the required 72-hour timescale

© EPfirst 
