Privacy Policy  

 Who are we and why do we process personal data?  

 The New ADHD Clinic Ltd (Company No 15443114), trading as ‘The ADHD Clinic’ (referred to as “we”, “us” or “our” in this Privacy Policy) provides neurodiversity diagnostic assessments and treatment through our panel of specialist mental health providers (“Mental Health Providers”). This Privacy Policy gives you information about how we collect and use your personal data when you use our services.  

 We are based at Unit G03, High Weald House, Glovers End, Bexhill, East Sussex, TN39 5ES. We can be contacted by email (office@theadhdclinic.co.uk) or telephone (01424 533259) during normal office hours.  

 Our Company Director, Zofia Ludwig, is our Data Protection Lead responsible for dealing with any queries related to our Data Protection obligations, however you raise these with us.  

 What personal data do we process and where do we get it from? 

 We process the name and contact details of those using our website to raise enquiries concerning our services. We also collect the data directly from you (the patient) or other Mental Health providers which includes:  

 

  • Identity Data (including, but not limited to, names, title, date of birth and gender)
  • Contact Data (including, but not limited to, billing address, correspondence address, email address and telephone number(s))
  • Medical Data (including, but not limited to, treatment and prescriptions, diagnosis outcome and referral details)
  • Financial Data (including, but not limited to, bank account and payment card details).

We also process personal data relating to the Mental Health Providers on or wishing to join our panel including their name, contact details, relevant financial information and details concerning the relevant education and experience allowing us to ensure that only highly qualified Mental Health Providers (Psychologists and Psychiatrists) are included on our panel. Such information is generally provided by the Mental Health Provider or their employees or employers. We may access publicly available information regarding education and experience and obtain references for Mental Health Providers wishing to join our panel.  

In addition, we process large amounts of subjects’ personal data relating to the situation giving rise to the need for an assessment or treatment. We do not control the information provided by other mental health providers / health providers. Common examples of the information provided include correspondence, referral letters which may include medical records, photographic, audio or video information with any related metadata. We may also receive personal data relating to the family of the subject or others (whether in a personal or professional capacity) where this is relevant to the need of an assessment and treatment.   

The information provided regularly includes sensitive personal data with special protection under the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 (“DPA”) as special category data. This most often involves the receipt of information concerning mental and physical health but may also involve details of race, ethnic origin, religion, employment status including any trade union membership and details regarding sexual orientation. In certain circumstances the Medical Data provided may contain genetic information or biometric records and where relevant details of a person’s sex life may be included. Where such data relates to a person known to the subject no direct privacy notice is provided as there is an obligation of secrecy concerning the relevance of this to the subject’s mental health.  

Our Mental Health Providers may collect personal data directly from you (the patient), during the assessment or treatment. The subject is in control of the information supplied in these circumstances, but such personal data covers the range of categories noted above including specifically the special category data (as defined by the DPA).  

We do not use any form of automated decision making on the basis of personal data provided to us.  

Why do we process this personal data?  

We collect the personal data set out above for the purpose of providing assessments and treatment, as well as in situations where it is necessary for the conduct of our business.  

Our lawful basis: 

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:  

  • Performance of a contract with you: Where we need to perform the contract we are about to enter, or have entered into with you.  
  • Legitimate Interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). 
  • Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose. 

 Purposes for which we will use your personal data 

We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

 

| Purpose / Use | Type of data | Legal basis |
| --- | --- | --- |
| To register you as a patient / Mental Health Provider | Identity Data; Contact Data | Performance of a contract with you |
| To provide the service to patients including referrals to and from other relevant healthcare providers | Identity Data; Contact Data; Medical Data | Performance of a contract with you; Consent |
| To manage our relationship with you, which will include notifying you about changes to our Privacy Policy and dealing with your requests, complaints and queries | Identity Data; Contact Data | Performance of a contract with you; Necessary for our legitimate interests (to keep our records updated and manage our relationship with you) |
| To manage payments, fees and charges or collect money owed to us | Identity Data; Contact Data; Financial Data | Performance of a contract with you; Necessary for our legitimate interests (to process payments and to recover debts due to us) |

 Who do we share the personal data with? 

We will share your personal data received with the relevant Mental Health Providers on our panel to enable them to conduct their assessment and provide treatment. With consent, we may share your personal data with other healthcare providers to provide the contracted service; for example, this may include your GP in relation to your diagnosis and medication.

Whenever we transfer your personal data outside of the UK to countries which have laws that do not provide the same level of protection as the UK law, we always ensure that a similar degree of protection is afforded to it by using specific standard contractual terms which give the transferred personal data the same protection as it has in the UK.  

How do we secure personal data? 

We take the security of the personal data we hold very seriously; the confidentiality of data is central to our Mental Health Providers’ professional qualifications. In addition to these professional obligations, we have a Data Processing Agreement with each Mental Health Provider.  

 We use a secure, UK GDPR compliant cloud-based service to share the personal data with our Mental Health Providers.  We have a contract with the provider to ensure that the requirements of the UK GDPR and the DPA are contractually imposed where this data is transferred to any third country not directly covered by the UK GDPR. 

Any physical data received in relation to a patient is scanned into this system and the physical copies securely shredded in accordance with our data protection policies. The system provides for encrypted, password protected access to the information for authorised recipients. We keep our IT services under review and ensure that we have sufficient IT support to advise on developing security issues and to ensure a prompt response should any issues arise. 

 

How long will we keep your data? 

We keep personal data relating to the patient for a maximum period of eight years following the last treatment date.  

What are your rights? 

The UK GDPR and the DPA set out eight rights in relation to personal data held by organisations. The nature of our work restricts the extent to which we can provide information in response to rights requests. This is particularly the case where the courts are involved. 

Notwithstanding this, we are committed to providing a response to all data rights requests and will always set out any relevant exemption or restriction and its effect when responding. You also have the right to raise any data protection issue with the Information Commissioner’s Office (www.ico.org.uk). We set out the details of your data rights below:

The right to be informed. This Privacy Notice sets out the information to which you are entitled in relation to our processing of your personal data. It is not always appropriate to provide a notice directly to a person whose information we have received, particularly in relation to active court cases. We display it here so that it is available to anybody who wishes to understand our approach to data protection whether or not they are entitled to receive a notice directly. 

The right to access. Generally known as a Subject Access Request (‘SAR’), this is the right to receive details of the personal data held by an organisation that relates to you. The sensitive nature of many legal cases in which we are instructed has been recognised in the DPA and there are several exemptions that apply to our work, particularly where children are involved. In such cases we will generally provide information rather than documents so where specific documents are required, we would advise that you approach the court or your legal advisors for disclosure. 

The right to rectification. This right allows you to request correction or completion of personal data held about you. We are happy to receive requests to correct or update basic contact information from you. However, we may be unable to rectify personal data received in relation to court proceedings particularly those relating to children. Where you are interviewed by a Mental Health Provider you have the opportunity to raise concerns of inaccuracy which they will consider alongside the instructions. Beyond this, the court is generally the best venue to challenge the inclusion of information or conclusions in any medico-legal report that you believe are incorrect.  

The right to erasure. Often called the right to be forgotten, this right would generally only apply where we were relying on your consent, for example if we obtained this to enable us to provide direct marketing to you concerning services unrelated to those we provide at present. 

The right to restrict processing. This right will rarely apply as our involvement will be governed by contract. However, if you wish for us to contact you in a particular manner, we would be happy to restrict communications to your preferred method and will of course consider any other requests in line with the UK GDPR. 

The right to data portability requires us to provide your data in a manner that allows you to pass it to another organisation who may process it through their systems. As the majority of the data we store is in scanned documents this has little application. We do not use computer processing to deal with data in this way, focusing instead on the provision and development of human expertise. 

The right to object allows you to raise issue with how your data is processed but does not apply where it can be demonstrated that there are legitimate grounds for continued processing. The circumstances in which we receive instructions will generally provide legitimate grounds and we would set these out in response to any objection received that could not be dealt with as a result. 

The right to not be subject to a decision made automatically by a computer. As noted above, we do not use automated processing but rather the experience and expertise of our Mental Health Provider. 

We deal with every rights request individually and the information above is not exhaustive, merely providing an indication of the common reasons that our response to a request may be restricted. 

No fee usually required 

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances. 

What we may need from you 

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. 

Time limit to respond 

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

Contact details 

If you have any questions about this Privacy Policy or about the use of your personal data or you want to exercise your privacy rights, please contact our Data Protection Lead at the details given above.  

Complaints 

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. 

Changes to the Privacy Policy and your duty to inform us of changes 

We keep our Privacy Policy under regular review. This version was last updated on 12.02.2024.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address. 

The New ADHD Clinic Ltd 

February 2024