Thomas Fund symbol

Privacy Policy

The following has been written to ensure that we are in line with current data protection guidelines (2018). If, having read the policy, you have any additional questions (or find anything unclear),
please contact us. Please note that this policy might need to be modified slightly from time to time, so please check back occasionally. This policy was last updated on the 10th August 2018.


Whatever your connection with Thomas’s Fund, we want you to feel comfortable and confident to share your personal details with us. At Thomas’s Fund we will store personal details securely to the best of our ability and by following current advice. This is to protect the privacy of those who use our service; our freelance staff; our volunteers and those who support us. You might fall into more than one of the categories above.

We also think carefully about what information we need to keep; why we might need to keep it and whether there might be any exceptional situation where we might be required to share it. We are aware that you will need to be informed about our approach to the above in order to trust us.

You have rights and choices relating to your personal data and we aim to honour these and respect your privacy at all times.

The following policy outlines what data we collect; where it is held and how it might be used? Thomas’s Fund is registered as a data controller with the Information Commissioner’s Office: number ZA445790.

The therapists are all freelance but, whilst working for the fund, are required to be registered with both the HCPC and ICO.

What is ‘personal data’?

Your name, address, phone number and email address would be classed as ‘Personal Data’ and, for the majority of people, would be the only data that Thomas’s Fund would request and keep.

However, please see below for a detailed breakdown of who we collect data from and why.

You might share your personal data directly with us when requesting our service (or information about our service); communicating with us about work that we are doing with you and your child; as a ‘Family’ or ‘Affiliate’ member; making a donation; supporting an event or volunteering; making an enquiry about the fund or if you are working directly with or for us.

If you indicate that you would like to support Thomas’s Fund certain sites, for example fundraising sites like Just Giving and Virgin Money, might share your details with us indirectly, so long as you have given your consent for them to do so.

Who do we collect personal data and why?

In order to promote, fundraise and carry out our services as effectively and efficiently as possible, we need to keep some personal data about different groups of people such as:-

Those who have expressed an interest in the fund and request information

For this group of people we will need to keep names and either all or some of the following:- postal addresses; email addresses and phone numbers (as preferred by the enquirer). This is so that we can get in contact to answer questions and tell these interested parties about our work, events and fundraising initiatives.

Financial supporters of the fund

For this group of people we will need to keep names and either all or some of the following:- postal addresses; email addresses and phone numbers (as preferred by the supporter). When a
contribution has been made, we will also need to keep any basic banking information that our treasurer and auditor will demand in order to conduct our finances properly and ethically. Alongside the requirements of effective accounting, this information allows us to contact and thank our generous supporters; tell them about how their donation has contributed to our work and keep them informed about events and fundraising initiatives (if consent has been given).

Trustees, Patrons, Ambassadors and Volunteers
For this group of people we will need to keep names and either all or some of the following:- postal addresses; email addresses and phone numbers (as preferred by the individual). This is so that we can get in contact about availability, meetings, events and organisational matters. We can also seek opinions to aid decision making and future strategies.

For this group of people, we might also keep personal information such as biographies and videos/ photographs that will be used to promote the work of the Fund. Individuals will be made aware when this is happening and will be given the opportunity to opt out if required. However, on joining this specific group, it will be accepted that general permission, for use of the above, has been given.

Users of services provided by Thomas’s Fund
We need data about the children and families that we work with, in order to provide the most effective service that we can. For users of Thomas’s Fund services ‘Personal Data’ will include all or some of the following: names, addresses and contact details; referral forms; therapy notes* and reports* and essential reports from relevant parties (such as other health professionals, parent/carers etc.). In some cases, photos, videos or audio might be taken by the therapists to aid their work with a child or young person. This information is essential to ensure that we provide the best and most relevant service possible to our users. Informed consent will always be sought for photos, videos and audio recordings. Should any video or photos be taken for the purpose of promoting the work of the fund, separate informed consent will be sought.

*Our freelance Therapists are required to keep their own professional therapy notes whilst working with children and young people. Please see our separate ‘Therapist Privacy Policy’ for information about how they will collect, store and destroy these in line with professional guidelines.

People who work for Thomas’s Fund
Who do we employ? As stated elsewhere all therapists employed by Thomas’s Fund are freelance. Currently, and for the foreseeable future, the only other employee of Thomas’s Fund is our part-time treasurer who is freelance too. This section refers to this group.

In order to run efficiently and effectively, the fund needs to keep more information about this particular group. This will involve all or some of the following:- name; postal addresses; email addresses; phone numbers; relevant bank details to enable payments to be made; professional body registration numbers; DBS number and relevant calendar details so that work can be planned, organised and executed. In order to work for the fund, this group will need to agree to the fund holding this information otherwise it could detrimentally affect the day to day running of our service.

Opting in and out

At Thomas’s Fund, we aim to operate an ‘opt-in only’ communication policy. We will aim to send information only to people who have specifically agreed to us doing so and only in the manner that they have agreed to. On contacting you, we will always aim to remind you of your right to request that contact ceases (or that the manner in which we contact you changes) and will respect your right to change your mind.

If you wish to receive information about Thomas’s Fund but have not yet opted in, you can do so by emailing us at:- or by calling 01933 622497.

OUR PROMISE to every group identified above

Any information that you share with us will only be used by
the fund. We will not share your details with, or sell your
details to, anyone who is not directly involved with the fund
or an organisation that is working directly with us. We would,
obviously, need to share your details if an authority
upholding the law absolutely requires us to do so.

  • We only keep essential information about you. We will not keep information longer than we need to (without your informed consent) and will always try to follow recommendations from the relevant professional bodies unless there is a compelling overriding reason not to do so.
  • We will store any sensitive electronic information using GDPR compliant secure online storage procedures. If information (such as mailing lists) need to be kept in any additional locations (for a specific reason) we will keep these to as few as possible and protect this information, to the best of our ability, with passwords and/or encryption. Any hard copies of information will be kept in even fewer locations and will be locked away. All records will be kept behind two locks when at therapist’s base and extreme care will be taken to keep all documentation safe during transit.
  • It is your right to request to see information that we hold on you, should you have any concerns. We will respond to any requests within 28 days of receiving your request on
  • We feel that we have been as vigorous as possible with regard to the GDPR. However, should you have any concerns about Thomas’s Fund’s information rights practices, you should contact the Information Commissioner’s Office (ICO) helpline on 0303 123 1113 or follow the links on their website –

Online considerations

Please Note: Although we do our very best to take as many precautions as possible with your data, we need to transfer data electronically from time to time. As stated above, we are implementing use of secure GDPR compliant online storage and encrypted email. Nevertheless, we have to accept that the world ‘online’ is not, as yet, completely secure. We need to point this out to you even though we are sure that you will be very aware of this already. Please, also, be aware that the promises above link specifically to our own work. We cannot guarantee the policies of social media providers (e.g. Facebook and Twitter) or third-party websites. Please ensure you read the privacy policy of any social media website before sharing data and make use of the privacy settings and reporting mechanisms to control how your data is used. If you are a user of our fund, we will ask you not to share anything online about specific sessions etc. without securing the relevant Therapist’s advice and consent. Our own website does not use cookies.

Privacy Policy of Therapists working for Thomas’s Fund

Thomas’s Fund uses self-employed, registered music therapists to enable us to carry out our work. Whilst we are aware that individual therapists might have differing working practices within everyday work, Thomas’s Fund asks that ALL music therapists (contracted by the Fund) conduct their Thomas’s Fund work following the guidelines below.

Thomas’s Fund’s Guidelines (for Music Therapists working for us) for the Creation and Storage of Information

What data should/might you be keeping?

  • Referrals
  • Clinical Notes
  • Reports
  • Any additional ‘Unique-to-the-Child / Young person’ Information – that you deem essential to keep in order for you to fulfil your professional duties.
  • Videos – if informed consent has been granted. Important: consent for training, presentation and press/website use should be sought and evidenced separately.
  • Contact details for your client families – Important: These will, most likely, be stored on your personal phone or portable device. It is essential that you gain consent to keep these in this way before you begin to

The creation of clinical notes

Important: It is essential that clinical notes be kept up to date, on the system, so that another therapist could access and add to them if, for example, a child/young person was later seen in hospital or was offered a further block of therapy at later date.

  • It is acceptable for clinical notes to be made electronically or on paper.
  • Clinical notes should always be written in black.
  • The full name of the child/young person should be recorded at the top of each page alongside the date of birth.
  • Each page should be numbered.
  • The completed notes for each session should be signed, dated and timed.
  • Completed clinical notes, for each session, should be saved in .pdf format, with a new .pdf being produced for each session. Paper notes should be scanned (in .pdf format). These should be uploaded, as stated below, as soon as possible.

The storage of information
Important: ALL clinical notes, reports and referrals should be uploaded to the Thomas’s Fund secure central online storage system*. The Fund has designated a GDPR Officer whose responsibility it is to monitor the storage and disposal of data on this central storage system. Any concerns or queries, relating to this system should be addressed to the GDPR Officer in the first instance.

*If you are working, for Thomas’s Fund, but within an NHS setting, you should follow its protocols and store information, relating to the child/ young person, onsite as guided.

  • Within the storage each child/young person should have electronic named folder that should contain a copy of the child / young person’s referral, clinical notes and reports (alongside any additional unique information that is deemed essential to keep in order for you to fulfil your professional duties).
  • Referral Forms, notes or reports (that arrive on paper) should be scanned, as a .pdf, before being uploaded.

Sending data

You should try to keep the sending of sensitive personal data to an absolute minimum. However, if you use your personal Thomas’s Fund email, this will be encrypted anyway. If you deem the data to require even more protection, you could password protect it too.

When will data be deleted?

Written data, relating to your work with each specific child/ young person for Thomas’s Fund, should be kept for 7 years before being deleted. If video (for which consent has been given – see above) is stored, this should be deleted 6 months after therapy sessions end (unless for training, presentation and press/website use).

The GDPR Officer will contact you periodically, to ensure that you have kept your notes up to date and have deleted data that needs to be erased.

Which ‘Consents’ do I need in order to store the data outlined above?

Important: It is essential that permissions are sought within the first face to face session with the child/ young person and the family. N.b. You may need to explain why we need to ask permissions in order to comply with the GDPR. Alongside a clear explanation of how you will make and store notes, referrals and reports, your Service Introduction should include:-

  • Seeking consent/s for video (as outlined above).
  • Gaining consent to store personal contact information on your phone during the course of therapy.
  • Gaining consent to email information (see above re: encryption etc.).
  • Gaining consent to contact/share information with other healthcare