The ADHD and Autism Clinic provides medical services for Expert Court Reports Ltd. Expert Court Reports Ltd is committed to protecting and respecting your privacy when dealing with your personal information.
This privacy policy will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.
- Important information and who we are
- Your Personal Data
- When do we collect personal data about you?
- Why do we collect your personal data
- Lawful Basis
- The security and storage of your personal data
- Disclosure of your personal data
- Health information collected during provision of treatment or services
- CCTV
- Your Legal Rights
Purpose of this privacy policy
This privacy policy sets out the basis on which any personal data we collect from you, or that you provide to us, is used, stored, disclosed and processed by us. Please read the following carefully together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them. By providing your personal data to us or by using our services, website or other online or digital platform(s) you are accepting or consenting to the practices as described or referred to in this privacy policy. If you do not consent, please do not submit any personal data to us.
Who we are
When we refer to ‘we’, ‘us’ and ‘our’, we mean Expert Court Reports Ltd operating in the UK. We are registered in England and Wales under company number 10776380.
Controller
Expert Court Reports Ltd is the controller and responsible for your personal data (collectively referred to as “Expert Court Reports Ltd”, “we”, “us” or “our” in this privacy policy).
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
Contact details
If you have any questions about this privacy policy or our privacy practices, please contact our DPO in the following ways:
Full name of legal entity: Expert Court Reports Ltd
Email address: office@adhdandautismclinic.co.uk
Postal address: Office 2, 266 Banbury Road, Oxford, OX2 7DL
Telephone number: 01865 630111
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to our privacy policy and your duty to inform us of changes
We keep our privacy policy under regular review and it may be amended from time to time without notice. We therefore encourage you to review this privacy policy regularly.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
When we refer to personal data in this policy, we mean information that can or has the potential to identify you as an individual. It does not include data where the identity has been removed (anonymous data).
We may hold and use personal data about you as a customer, a patient or in any other capacity. Depending on what services you receive from us this may include sensitive personal data such as information relating to your health (collectively referred to in this privacy policy as “health data”). In this privacy policy references to personal data/information include any health data.
We collect information about criminal convictions and offences as part of psychiatric history taking.
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Health data includes:
- personal history (information about birth, schooling, childhood experiences, employment etc.);
- family history (information about immediate family members, including names, ages, jobs, the nature of their relationships and family history of mental disorder, addiction and criminality);
- social history (information about living situation, current employment, state benefits, who is at home etc.);
- relationship history (information about current and former intimate partners/spouses, gender orientation, gender identity, friends, colleagues etc.);
- medical history (information about current and past medical and surgical treatment, e.g. diagnoses, medication, history of surgery, history of childbirth etc.);
- psychiatric history (information about past psychiatric treatment including past detention under the Mental Health Act etc.);
- drug and alcohol history (information about use of alcohol, illegal substances, prescribed medication, over-the-counter and other medications);
- forensic history (information about past and pending cautions, convictions, sentences etc.);
- risk history (information about risk of self-harm and suicide, risk of harming others, safeguarding information e.g. neglect of a child etc.);
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
- Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our website, products and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with psychiatric services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.
We may collect personal data about you if you:
- register to be a patient or customer with us or book to receive any of our psychiatric services
- are referred by a clinician, the NHS or any other organisation when you attend for a consultation/appointment
- visit our website
- enquire about any of our services
- use or request to use any of our online services
- fill in a form or survey for us
- carry out a transaction on our website
- participate in a competition or promotion or marketing activity
- make online payments
- contact us, for example by email, telephone or social media
- participate in interactive features on our website
We may also collect personal data about you from third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
Technical Data from the following parties:
- analytics providers such as Google based outside the EU;
- advertising networks based inside or outside the EU; and
- search information providers such as based inside or outside the EU.
Contact, Financial and Transaction Data from providers of technical, payment and delivery services based inside or outside the EU.
Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the EU.
Please note in the interests of training and continually improving our services, calls to Expert Court Reports Limited may be monitored or recorded.
- to enable us to carry out our obligations to you in connection with the services we provide and/or arising from any contract entered into between you and us including relating to the provision by us of services to you and related matters such as, billing, accounting and audit, credit or other payment card verification, anti-fraud screening.
- provide you with information, products or services that you request from us.
- allow you to participate in interactive features of our services, when you choose to do so.
- notify you about changes to our products or services.
- respond to requests where we have a legal or regulatory obligation to do so.
- check the accuracy of information about you and the quality of your care, including auditing medical and billing information for insurance claims as well as part of any claims or litigation process.
- support your reporting clinician and other clinical staff.
- assess the quality and/or type of care you have received (including giving you the opportunity to complete customer satisfaction surveys) and any concerns or complaints you may raise, so that these can be properly investigated.
- to ensure that content from our website is presented in the most effective manner for you and for your computing device.
To process your information in accordance with the data protection laws, we must establish a lawful basis for doing so which must be at least one of the following:
- performance of a contract
- legal obligation
- for the protection of our and your vital interest
- legitimate interest and/or
- with your consent
Information on a patient’s health record (referred to in this policy as “health data”) is likely to be special category data for the purposes of the GDPR. Where special category data are being used, we must establish that at least one of the conditions in Article 9 of the GDPR is also met.
We process your personal information, including health data, for a number of legitimate interests as set out within this privacy policy having assessed and taken into account your interests, rights and freedoms.
For the purposes of the General Data Protection Regulation (GDPR), Expert Court Reports Limited’s bases for lawful processing of your information, including health data, are:
- the data subject has given consent (Article 6(1)(a))
- Necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b))
- Necessary because of a legal obligation that applies to the data controller (except an obligation imposed by a contract) (Article 6(1)(c))
- Necessary to protect the vital interests of the data subject (Article 6(1)(d))
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e))
- Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services (Article 9(2)(h))
- Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (Article 9(2)(i))
- the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 9(2)(j)).
Data security
Your personal data will be kept confidential and secure and will, unless you agree otherwise, only be used for the purpose(s) for which it was collected and in accordance with this privacy policy, applicable data protection laws, clinical records retention periods and clinical confidentiality guidelines.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Organisational and technical security measures
We have appropriate organisational and technical security measures in place to prevent unauthorised access or unlawful processing of personal data and to prevent personal data being lost, destroyed or damaged. We currently store all personal data on our electronic health record WriteUpp which is ISO27001 compliant, on Office 365 for Business and on other cloud-based services such as Xero. We also currently store all your correspondence and documents on our secure hard drive. We continually audit our information systems to make sure that the ongoing security is robust.
Data retention
Any personal data you provide will be held for as long as is necessary having regard to the purpose for which it was collected and in accordance with all applicable data protection laws and/or appropriate guidance. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances you can ask us to delete your data: see your legal rights below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
We may disclose your personal data (to the extent necessary) to certain third-party organisations used to support the delivery of our services during our usual course of business. These may include the following:
- business partners, suppliers and sub-contractors for the performance of services we provide to you.
- organisations on whose premises we see you for your consultations for the administration of the services we provide to you e.g. Priory Wellbeing Centres; if subsequently we see you at a different setting, your personal data will then be shared with the new organisation of the new setting.
- organisations providing IT systems support and hosting in relation to the IT systems on which your information is stored.
- third party debt collectors for the purposes of debt collection.
- delivery companies for the purposes of transportation.
- third party service providers for the purposes of storage of information and confidential destruction, third party marketing companies for the purpose of sending marketing emails, subject to obtaining appropriate consent.
Where a third-party data processor is used, we make sure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection laws.
We may also disclose your personal data to third parties in the event that we sell or buy any business or assets or where we are required by law to do so.
Sensitive personal data (including information relating to your health) will only be disclosed to third parties in accordance with this privacy policy. That includes third parties involved with your care, or in accordance with data protection laws and guidelines of appropriate professional bodies. Where applicable, it may be disclosed to any person or organisation who may be responsible for meeting your expenses or their agents. It may also be provided to external service providers and regulatory bodies (unless you object) for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained.
Clinical professionals working with us: We share clinical information about you with our clinical professionals (those health professionals involved in, or to be involved in your treatment or care, including, but not limited to, other medical and surgical specialists, nurses, allied health professionals (e.g. dieticians) and A&E) as we think necessary for your care. Clinical professionals working with us might be our employees, or they might be independent consultants in private practice. In the case of independent consultants, the consultant is the data controller of your personal data, either alone or jointly with us and will be required to maintain their own records in accordance with data protection laws and applicable clinical confidentiality guidelines and retention periods. In all circumstances, those individual consultants will only process your personal data for the purposes set out in this privacy policy or as otherwise notified to you.
Your GP: If the clinician providing your care believes it to be clinically advisable, we may also share information about your care with your GP. If your GP requests information regarding your care or copies of any relevant records then we may also share this information with them. You can ask us not to do this, in which case we will respect that request if we are legally permitted to do so, but you should be aware that it can be potentially very dangerous and/or detrimental to your health to deny your GP full information about your medical history, and we strongly advise against it.
Referring GP: In the event that you were seen out-of-hours, out-of-area, or by a private GP, we may also share information about your care with your referring GP.
Your Insurer: We share with your medical insurer information about your treatment, its clinical necessity and its cost, only if they are paying for all or part of your treatment with us. We provide only the information to which they are entitled. If you raise a complaint or a claim, we may be required to share personal data with your medical insurer for the purposes of investigating any complaint/claim.
The NHS: If you are referred to us for care by the NHS, we will share the details of your treatment with the part of the NHS that referred you to us, as necessary to perform, process and report back on that care.
Healthcare and clinical and other regulators: We may be requested – and in some cases can be required – to share certain information (including personal data and sensitive personal data) about you and your care with healthcare and clinical or other regulators such as the General Medical Council, the Health and Care Professions Council, the Care Quality Commission, the Multi-Agency Safeguarding Hub or the police. For example, if you make a complaint, or the conduct of a clinician involved in your treatment is alleged to have fallen below the appropriate standards and the regulator wishes to conduct an investigation. We will ensure that we do so within the framework of the law and with due respect for your privacy.
In an emergency and if you are incapacitated, we may also process your personal data (including sensitive personal data) or make personal data available to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).
We participate in national audits and initiatives to help ensure that patients are getting the best possible outcomes from their treatment and care. The highest standards of confidentiality will be applied to your personal data in accordance with data protection laws and confidentiality. Publishing of this data will be in a pseudonymised, statistical format. Anonymous, pseudonymous or aggregated data may be used by us, or disclosed to others, for research or statistical purposes.
Many of our premises are monitored by CCTV for the purposes of security and the safe provision of care. Images and videos may be retained for a limited period.
You have the following rights in relation to your personal data
- Right of access: the right to make a written request for details of your personal information and a copy of that personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Right to rectification: the right to have inaccurate information about you corrected or removed. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Right to erasure (‘right to be forgotten’): the right to have certain personal information about you erased. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Right to object to processing: the right to object to processing of your personal information in cases where our processing is based on the performance of a task carried out in the public interest or we have let you know the processing is necessary for our or a third party’s legitimate interest. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Right to restriction of processing: the right to request that your personal information is only used for restricted purposes. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data’s accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Right to data portability: the right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable formats. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Right to withdraw consent: the right to withdraw any consent you have previously given us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of Expert Court Reports Limited’s use of your personal information prior to the withdrawal of your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- Right in relation to automated decisions: you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you, unless it is necessary for entering into a contract with you, it is authorised by law or you have given your explicit consent. We will let you know when such decisions are made, the lawful grounds we rely on and the rights you have.
Please note: Your rights are not absolute: they do not always apply in all cases and we will let you know in our correspondence with you how and whether we will be able to comply with your request.
If you want to exercise your rights in respect of your personal data, the best way to do so is to contact us by email at office@adhdandautismclinic.co.uk or to write to us for the attention of the data protection officer at the address below. In order to protect your privacy, we may ask you to prove your identity before we take any steps in response to such a request.
Office 2, 266 Banbury Road, Oxford, OX2 7DL
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Further process
If you are not satisfied with how we handle your request, you can contact the Information Commissioner’s Office on 0303 123 1113 or visit their website (http://www.ico.org.uk).