Our Privacy Policy

At Now, Next & Then, we understand that the information you share about your child and family is highly personal. We are committed to handling all personal data lawfully, transparently, and securely, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy explains what information we collect, why we collect it, how we use it, and your rights.


What information do we collect?

In order to provide assessment, treatment, and support services, we will collect and process the following information:

  • Child or young person’s personal details (e.g. name, date of birth)

  • Parent/carer contact details

  • Developmental history (including early development)

  • Health and medical information

  • Educational information (e.g. school or college attended)

  • Details of current or previous support services

  • Your concerns and goals for your child

During sessions, we also create and store:

  • Clinical notes and observations

  • Assessment and observations and results (formal and informal)

  • Reports, recommendations, and progress records

With your explicit signed consent, we may also collect:

Photographs (e.g. posture or pencil grip for clinical purposes only)

When do we collect this information?

We collect information:

  • Before your first appointment, via our request and consent forms, and parent and school questionnaires

  • During sessions, assessments, and interventions

  • During communications, such as phone calls, emails, and meetings

  • During liaison with other professionals, where you have given permission

We will never contact your child’s school or other professionals without your prior consent.

Lawful basis for processing

‍Under UK GDPR, we process your child’s data under the following lawful bases:

‍Article 6(1)(b) – Contract: to provide agreed services

  • Article 6(1)(c) – Legal obligation: where we are required to retain records

  • Article 6(1)(f) – Legitimate interests: to ensure effective service delivery

  • Article 9(2)(h) – Health and social care: for provision of health-related services

Where required, we rely on explicit consent (Article 9(2)(a)), particularly for:

  • Sharing information with third parties

  • Taking photographs

‍ ‍You may withdraw consent at any time.

How do we store and protect information?

‍We take appropriate technical and organisational measures to keep all data secure, including:

  • Locked filing cabinets for paper records

  • Password-protected devices

  • Encrypted storage systems and backups

  • Secure cloud-based storage with restricted access

  • Staff training in confidentiality and data protection

‍ Only authorised members of the Now, Next & Then team can access this information and our systems, and all staff are bound by confidentiality obligations.

How long do we keep information?

We retain records in line with professional and legal guidance:

  • ‍ Records are kept until the child reaches 25 years of age, or

  • 26 years of age if they were 17 at the time of last contact

After this period, records are securely destroyed.

When and why might we share information?

We do not share personal data without your explicit consent, except where required by law (e.g. safeguarding concerns).

With your written permission, we may share relevant information with:

  • ‍ Schools or colleges

  • Healthcare professionals (e.g. Paediatricians)

  • Local Authorities or other support services

‍Reports are shared electronically and, if preferred, will be password protected, and are stored in our encrypted storage systems.

Your rights

We comply to the UK GDPR guidelines on access to records, correction of inaccurate data, deletion (where applicable) and data portability (where applicable). You can withdraw consent at any time. ‍

To make a request, please contact us directly. We will respond within one month.

Complaints

If you are unhappy with how your data is handled, you can contact us in the first instance to discuss your concerns.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk

‍ ‍

Data Controller

Now, Next & Then is the Data Controller responsible for your data.

Updates to this policy

‍We may update this Privacy Notice from time to time. The latest version will always be available on request or via our website.

‍ ‍

April 2026

‍ ‍