Privacy & Confidentiality Policies
Privacy Policy
1. Introduction
At the Centre for ADHD Research and Excellence (CARE ADHD), we take the privacy and confidentiality of your personal information very seriously. This Privacy Policy outlines how we collect, use, store, and protect your data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, NHS Digital information governance and security standards, and Information Commissioner's Office (ICO) guidelines.
2. Data Controller
The data controller responsible for your personal data is:
30 Churchill Place
London
England
E14 5RE
Email: informationrights@careadhd.co.uk
Data Controller: Centre for ADHD Research & Excellence Ltd, Registered in England and Wales (Company No. 14535089)
Data Protection Officer (DPO): Mason Fitzgerald, Chief Governance Officer
3. What Information We Collect
We only collect the minimum data necessary to provide safe and effective ADHD and Autistic Spectrum Condition (ASC) care.
| Category | Examples | Why We Collect It |
|---|---|---|
| Personal Information | Name, date of birth, address, NHS number, ethnicity and contact information | To identify you and provide healthcare services |
| Health Data | ADHD and ASC assessments, treatment records, prescriptions, clinician notes, Summary Care Records (SCRs) (where opted in) | To diagnose, treat, and manage ADHD and ASC care |
| Appointments & Referrals | Appointment bookings, referral details | To efficiently manage your treatment journey |
| Questionnaires | ADHD and ASC symptom forms completed online | To support assessments and treatment plans |
| Communication Logs | Emails, messages, call logs with our staff | To provide customer support and clinical updates |
| Payment Information | Transaction records (amount, date, status), invoices, refunds | To process payments and provide receipts |
| Research Data | If you participate in our research studies, we may collect additional data with your explicit consent. | To conduct research and analysis aimed at improving our services and contributing to scientific knowledge in the field of ADHD and ASC, with your consent. |
We may receive some information from trusted external sources such as your GP, referrers, pharmacies, or NHS systems including Summary Care Records (where enabled). This helps ensure we have accurate and up to date information when providing your care.
4. How We Use Your Data
We use your personal data for the following purposes:
- Healthcare Services: To provide you with healthcare services, including diagnosis, treatment, and follow-up care.
- Appointment Management: To manage your appointments and consultations.
- Communication: To communicate with you regarding your healthcare, send appointment reminders, and handle administrative matters.
- Service Quality: To ensure the safety and quality of our healthcare services.
- Research and Analysis: To conduct research and analysis aimed at improving our services and contributing to scientific knowledge in the field of ADHD and ASC, with your consent.
- Service Monitoring and Audit: To review and improve the quality, safety, and effectiveness of our services. Any analysis is carried out using the minimum data necessary and does not identify patients unless required for clinical or legal purposes.
5. Where and How We Store Your Data
Your data is stored securely in NHS-compliant systems, with encryption, access controls, and usage restrictions in place.
We use the following systems to store and manage your information:
| System | Purpose | Security Features |
|---|---|---|
| EMIS Web | Patient records, treatment plans, Summary Care Records (SCRs) (where opted in), appointments | NHS-approved encryption, Smartcard access, direct NHS Spine access |
| DrDoctor | Patient questionnaires, appointment data for reminders | Secure patient login, encrypted data, role-based access control |
| Airtable | Internal tracking of patient progress | Data stored in the US, compliant with UK GDPR & data protection laws, encrypted and access-controlled |
| Outlook and Front | Secure communication between staff and shared inbox management | End-to-end encryption, security includes access controls and monitoring appropriate to user roles |
| Heidi Healthcare | Transcripts of assessments, used to support note taking only | Encrypted data, role-based access control |
Our commitment to security:
- We take every reasonable step to ensure patient data is not stored on personal devices. Staff use centrally managed, encrypted laptops with controlled access.
- We avoid sending sensitive information by email wherever possible. If email is necessary, we use secure methods and minimise the data shared.
- We apply strict role-based access controls (RBAC) so that only authorised team members can access the information they need to perform their duties.
5a. AI Notetakers and Ambient Voice Scribes
Heidi Healthcare is a speech technology and generative AI tool that can convert spoken words into structured medical notes and letters.
Where these tools process personal data, such processing is carried out under the relevant lawful bases set out in Section 2 (Article 6 UK GDPR). Where health data (special category data) is processed, we rely on the condition in Article 9(2)(h) UK GDPR. For limited supporting purposes (e.g. IT security and auditing), we may also rely on Article 6(1)(f) UK GDPR (Legitimate Interests). All processing is subject to data minimisation, strict access controls, and appropriate safeguards ensuring compliance with data protection principles.
We use AI note‑taking tools to help clinicians reduce administrative workload so they can focus more on your care. These tools support note writing only and do not assess, diagnose, guide treatment, or make any decisions about your care. They are not used for automated decision making or profiling. Your clinician reviews, checks, and finalises all notes before anything is added to your medical record, and all clinical decisions are always made by qualified healthcare professionals.
6. Sharing Your Data / Legal Basis for Processing
We may share your personal data with the following recipients:
| Recipient | Purpose | Legal Basis |
|---|---|---|
| Your GP or referring clinician | To coordinate and oversee your care | Provision of healthcare services 9(2)(h) |
| Pharmacies & prescribing services | To provide ADHD medication | Provision of healthcare services 9(2)(h) |
| NHS Digital & regulators | When required for safety audits | Provision of healthcare services 9(2)(h) |
| Third-party IT providers (e.g. DrDoctor, EMIS Web, Airtable) | To maintain our secure IT systems | Provision of healthcare services 9(2)(h) |
| Public Authorities | To coordinate and oversee your care as required by law or for safeguarding purposes | Provision of healthcare services 9(2)(h) |
| Integrated Care Boards (ICBs) and health and care partners | To coordinate and oversee your care | Provision of healthcare services 9(2)(h) |
All third‑party IT providers enter into a Data Processing Agreement (DPA) with CARE ADHD. This agreement requires them to handle personal data safely, act only on our instructions, and maintain security measures that meet UK GDPR and other applicable legal requirements. We carry out due diligence checks to ensure that any organisation processing data on our behalf is trustworthy, operates to recognised compliance standards, and provides appropriate safeguards to keep your information secure.
7. Data Retention
We follow NHS data retention policies, ensuring that data is only kept for as long as necessary.
| Data Type | Retention Period | Disposal Method |
|---|---|---|
| Medical Records (EMIS Web) | 8 years after last contact | NHS-approved deletion |
| Referrals (e-RS) | 8 years | Secure NHS Digital deletion |
| Questionnaires (DrDoctor) | 8 years | Securely deleted from system |
| Emails | 8 years | Automatic archiving |
8. Your Rights
You have the following rights regarding your personal data:
- Right to Access: You can request access to your personal data and information about how it is processed.
- Right to Rectification: You can request corrections to any inaccurate or incomplete data.
- Right to Erasure: You can request the deletion of your personal data under certain circumstances.
- Right to Restrict Processing: You can request restrictions on the processing of your data in certain situations.
- Right to Data Portability: You can request a copy of your data in a commonly used, machine-readable format.
- Right to Object: You can object to the processing of your data based on legitimate interests or for direct marketing purposes.
If you object to data processing based on our legitimate interests, we will review your request and consider whether we can stop or limit the processing. Some types of processing are essential for providing safe healthcare, so we may not always be able to agree to a request; however, we will always explain our decision and discuss available options with you.
- Right to Withdraw Consent: If we process your data based on consent, you can withdraw your consent at any time.
9. How to Contact Us
If you have any questions, concerns, or requests regarding your personal data or this policy — including data subject access requests (DSARs) or any other information access requests — please contact our Data Protection Officer at:
Telephone: 020 4525 0709
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any updates will be published on our website and communicated to you as appropriate.
Confidentiality Policy
1. Introduction
At the Centre for ADHD Research and Excellence (CARE ADHD), we are committed to maintaining the confidentiality of all personal and sensitive information entrusted to us by our patients, staff, and stakeholders. This Confidentiality Policy outlines our commitment to safeguarding the privacy of individuals' information in accordance with legal and ethical standards.
2. Policy Statement
CARE ADHD aims to:
- Respect Privacy: Respect the privacy and confidentiality of all individuals associated with our clinic, including patients, staff, volunteers, and stakeholders.
- Secure Handling: Ensure that all personal and sensitive information is handled securely and disclosed only on a need-to-know basis for legitimate purposes.
- Legal Compliance: Comply with relevant data protection legislation and professional standards governing the handling of confidential information.
3. Confidential Information
3.1 Definition
Confidential information includes, but is not limited to:
- Personal details (e.g., name, address, contact information)
- Medical records and health information
- Financial information
- Staff records and employment details
- Any other information deemed sensitive or confidential
3.2 Handling
All confidential information must be stored, transmitted, and accessed securely to prevent unauthorised disclosure or access.
4. Access to Confidential Information
4.1 Authorised Access
Access to confidential information is restricted to individuals who require it for legitimate purposes, such as providing healthcare services, conducting administrative tasks, or fulfilling legal requirements.
4.2 Confidentiality Agreements
All staff, volunteers, and third-party contractors with access to confidential information must sign confidentiality agreements acknowledging their responsibilities and obligations.
5. Disclosure of Information
5.1 Disclosure Purpose
Confidential information may be disclosed only for purposes consistent with the individual's consent or as required by law, regulatory authorities, or professional standards.
5.2 Patient Consent
Patient consent must be obtained before disclosing any confidential information, except where disclosure is necessary to protect the individual's or others' health and safety.
5.3 Medication Information Sharing
If you are initiated on medication treatment, CARE ADHD will share relevant information with other healthcare professionals, such as your GP, in accordance with the General Medical Council (GMC) guidelines on safe prescribing of medication.
5.4 Objections to Sharing
If a patient objects to the sharing of personal information, we will not disclose it unless justified in the public interest or if it benefits a patient who lacks capacity. Patients will be informed of the potential consequences of such a decision.
6. Data Security and Protection
6.1 Security Measures
CARE ADHD employs appropriate technical and organisational measures to ensure the security and protection of confidential information against unauthorised access, loss, or disclosure.
6.2 Data Breach Response
In the event of a data breach or unauthorised disclosure, CARE ADHD will promptly investigate, mitigate any potential harm, and notify affected individuals and regulatory authorities as required by law.
7. Training and Awareness
7.1 Staff Training
All staff, volunteers, and contractors receive training on confidentiality policies and procedures during induction and ongoing professional development.
7.2 Awareness Campaigns
CARE ADHD conducts regular campaigns to reinforce the importance of confidentiality and privacy.
8. Policy Review
This Confidentiality Policy will be reviewed regularly to ensure compliance with relevant legislation, professional standards, and best practices. Updates or revisions will be communicated to all staff and stakeholders.
9. Patient Portal
9.1 How We Use Information
Our Patient Portal allows us to securely collect and manage information so we can provide safe and effective care. It also enables secure communication between the young person, their authorised representatives, and our clinical team. When a young person has the capacity to make their own decisions, we will seek their explicit consent before creating or granting access to their portal account. If capacity is unclear or not established, we will obtain consent from a parent or legal guardian who has the appropriate authority to act on the young person's behalf.
9.2 Compulsory Sharing of Outcomes with GPs
To maintain clinical safety and ensure appropriate oversight, it is now a requirement of our service that assessment outcomes and relevant updates are shared with the young person's GP. This ensures that their primary healthcare provider is aware of our involvement and can support coordinated care. This requirement applies to all individuals accessing or continuing to access our services.
9.3 Lawful Basis for Processing
We process personal information through the CYP Portal under the UK GDPR. Our primary lawful basis is Article 6(1)(e), which allows processing necessary for tasks carried out in the public interest, specifically the provision of health and social care. For special category data such as health information, we rely on Article 9(2)(h), which permits processing necessary for the assessment, diagnosis, and delivery of health or social care.
In limited circumstances, such as the creation of a portal account or communication via a representative, we may rely on explicit consent. Where consent is used, it may be withdrawn at any time, although doing so may affect access to the portal or elements of the service.
9.4 International Transfers
Some of our digital systems may process or store information outside the UK, for example, if a secure cloud provider hosts its servers in another country. When this happens, we ensure that your data remains fully protected.
Any international transfers are carried out in compliance with UK GDPR, using legally approved safeguards. These safeguards require the provider to keep your information secure, use it only for our purposes, and protect it to the same standard as if it were processed in the UK.
We only work with trusted suppliers who meet strict privacy, security, and contractual requirements.
9.5 Keeping You Informed
If we introduce new uses of personal data or make changes that affect how your information is processed, we will update this notice and inform relevant service users so that our processing remains transparent, fair, and compliant.
These Privacy and Confidentiality Policies are designed to protect your rights and ensure the highest standards of privacy and confidentiality at CARE ADHD. If you have any questions, please do not hesitate to contact us.