Oxford ADHD and Autism Centre Limited (“we”) are committed to protecting and respecting your privacy.
We understand that the information you share with us is personal and often sensitive. Protecting your privacy is important to us. This policy explains how we collect, use, and protect your information, and the choices you have about how it is used.
IMPORTANT INFORMATION AND WHO WE ARE
DATA CONTROLLER
For the purposes of data protection laws, we are the “controller” of the processing of your personal data. This means that we decide why and how your personal information is processed. It also means that we are responsible to you under the law for that processing.
Oxford ADHD and Autism Centre Limited is a company registered in England and Wales under company number 09551560 and registered office at Unit 6, Chaldicott Barns, Tokes Lane, Semley, Wiltshire, SP7 9AW. Oxford ADHD and Autism Centre Limited is registered with the Information Commissioner’s Office (ICO) with registration number ZA136399. Notification details can be accessed by searching the Data Protection Public Register.
We are part of a group of companies made up of different legal entities, details of which can be provided on request.
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
CONTACT DETAILS
FAO Data Protection Officer
Email address: [email protected]
Postal address: 40 Windmill Road Headington Oxford OX3 7BX
Telephone number: +44 (0) 1865 744144
By submitting personal data to us and/or by using our website, you are giving your consent for us to process your information in the ways described in this policy.
Definitions
· Data: Any data you use our services to provide, for example, answers to forms, results from assessments, or information shared in appointments.
· Personal information: Information about you that we collect or look after, such as your contact details or medical history.
Information we collect about you
We collect information so we can provide you with safe, effective, and personalised care.
At initial contact, we may ask for:
· Name
· Postal address
· Email address
· Telephone number
· Date of birth
· School details (where relevant)
· GP details
· Health insurance details (if applicable)
· NHS number
We may also ask for details about:
· The difficulties you/your child are experiencing
· Your family circumstances
· Past medical history and current difficulties
· Any concerns or risks (this is classed as sensitive information and helps us provide the right support)
Other sources of data: If our services are commissioned by third parties (such as your child’s school, GP, local authority, or Integrated Care Board), they may share your name, address, contact details, and relevant medical or educational history with us.
Additional data collected when you use our services:
· Usage information: pages you visit on our website, links you click, when you perform those actions, and your language preferences.
· Device and browser data: IP address, operating system, device type, performance information, browser type, and for mobile devices, a unique device identifier (UUID).
· Information from page tags: data collected through cookies and web beacons to help us understand how visitors use our site.
· Log data: your IP address, internet service provider, files viewed on our site, operating system, time spent on site, device type, and timestamps.
· Medical records and test results: previous medical records, reports, tests, questionnaires, or psychometrics we request as part of your care.
If you contact us by phone, email, or through our website contact form, we will keep a record of that correspondence.
How we use your data
We only use your information for purposes you would expect and in ways that help us provide you with safe, effective, and personalised care. This includes to:
· Communicate with you about appointments (by email, letter, or SMS)
· Provide the right service to you or your child
· Carry out thorough and appropriate assessments
· Provide the information or services you have requested
· Invoice you or your insurance company (financial records are kept for 7 years, as required by HMRC)
· Share information (with your consent) with others involved in your care, such as your GP, school, or other health professionals
· Notify you about changes to our services
· Make sure our website works well on your device
· Improve our services and carry out troubleshooting, testing, and data analysis
We will never share your personal information with third parties for marketing purposes.
Sharing your data
We will only share your data when it is necessary for your care or when we are legally required to do so. This may include:
· Clinicians who will be providing your care
· Your GP, school, CAMHS/PCAMHS, Social Services, psychiatrists, or other professionals involved in your care (with your consent unless there is a serious risk or legal obligation)
· Analytics and search engine providers that help us improve our website
· Legal or regulatory bodies where required to protect rights, property, or safety, including fraud prevention
· With Trustpilot, an independent review platform, so we can invite you to share feedback about your experience with us. We do this because your views are an important part of how we deliver safe, effective, and compassionate care
To send you this invitation, we may share your email address to confirm that you are a genuine patient. Trustpilot will process this data as a data processor on our behalf and in line with their own Privacy Policy.
We use the feedback you provide through Trustpilot to:
· Follow up with you if we think we can offer further support or help resolve an issue you have raised
· Identify where our processes can be improved so that the experience is better for future patients
· Recognise and share examples of good practice among our teams
· Monitor the quality and safety of our services over time
Feedback from Trustpilot is combined with other patient experience measures to give us a full picture of what we are doing well and where we can improve.
We engage Yoti Limited as a third-party data processor to verify and validate your electronic identity documentation. You can find out more about this company, the measures they take to protect your data, and the logic involved in the algorithm on Yoti's "Privacy at Yoti" page.
We also work with certain business partners and other organisations in developing and delivering our services, both to develop as a business and to deliver the core services that we offer. Where this is the case, these partners, together with their associated privacy policies, will be shared.
Further details about the specific third parties we engage can be provided on request.
We will always ensure that any third party we share your data with has appropriate safeguards in place.
Data retention
We keep your information for as long as it is needed to provide your care and meet legal requirements.
· Medical records: 20 years from your last appointment, or 8 years after your death (whichever comes sooner).
· Children’s records: until their 25th birthday, or 26th if they were 17 when treatment ended.
Marketing Exclusion Audiences
As part of our commitment to responsible marketing, we may process limited data (contact details and a generic listing of the service you receive from us through) to ensure we do not add you to mailing lists regarding, or provide you with updates on, our services that you are already utilising or that are not relevant to you.
As with all aspects of our marketing you may object to the use of your data for this purpose by contacting us. Similarly, our service communications and updates sent for these purposes feature the opportunity for you to unsubscribe.
Legal basis for using your data
The law sets out several reasons why we can use your personal data:
· Consent: when you have clearly agreed (e.g. ticking a box to receive our newsletter)
· Contractual obligations: when using your data is necessary for us to provide a service you have requested
· Legal obligations: when we must use your data to comply with the law
· Vital interests: when it is necessary to protect someone’s life
· Legitimate interests: when we have a business or clinical reason to use your data, unless your rights override those interests
· Legitimate interests: we use your contact details to invite you to provide feedback through Trustpilot after your appointment. This helps us to support patients who may need further help, improve our processes, recognise good practice, and ensure our care is safe, effective, and responsive. You can opt out of these invitations at any time.
Your rights
You have the right to:
· Access the personal data we hold about you (free of charge, unless unfounded or excessive)
· Receive a copy of your data within 30 days of your request (a small admin fee may apply)
· Ask us to correct inaccurate or incomplete information (and we will inform anyone we’ve shared it with)
· Ask us to delete your data, where legally possible
· Ask us to stop using your data for specific purposes, such as appointment reminders or marketing
· Withdraw your consent where processing is based on consent
· Ask us to transfer your data electronically to another health professional
· Object to your data being used for direct marketing
· Complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have handled your data
We may ask you to verify your identity before acting on your request.
Data breaches
We work hard to keep your information safe. In the unlikely event of a data breach that risks your rights or freedoms, we will:
· Notify the ICO within 72 hours
· Inform you if your information has been affected
· Take steps to reduce any risks and prevent it from happening again
Where we store your data
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted.
Please note that some of the data we collect may be transferred to, and stored at, a destination outside the UK and EEA. This data may be processed by staff operating outside the UK/EEA who work for us or one of our suppliers (such as Meta for advertising exclusion audiences).
To ensure your personal data remains protected during these transfers, we will only transfer data outside the UK/EEA where one of the following safeguards is in place:
- Adequacy Regulations: We transfer the data to a country that the UK has deemed to provide an adequate level of protection for personal data.
- Appropriate Safeguards: We ensure the transfer is governed by appropriate safeguards, primarily through the use of the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs). These contracts legally bind the recipient to protect your data to the standard required by UK GDPR.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.
Cookies
Our website uses cookies to improve your experience and our services. A cookie is a small piece of data transferred from a web server to your web browser or hard drive when you visit a website. If your web browser is set to accept cookies, they will be stored in the web browser or hard drive until their expiration date is reached, or you delete the cookies yourself. We will inform you if we use any cookies that collect your personal information and request your consent prior to doing so. You can remove cookies from your computer at any time and can also choose to disable cookies in your internet browser settings.
Links to other websites
Our website may contain links to other websites that we do not operate. These are provided for your convenience and do not mean we endorse the site or its operators. We encourage you to read the privacy policy of any website you visit before sharing your personal information.
Unsubscribe
We hope you find our updates and information helpful. However, if you would prefer not to receive emails from us, please email [email protected] with “email unsubscribe” in the subject line.
If you would also like to be removed from our postal mailing list, please email us with “mail unsubscribe” in the subject line or write to us at the address in this policy.
We will always respect your preferences about how we contact you.
Contacting the Regulator
If you have concerns about how we use your information, we would like the chance to put things right. If you still feel unhappy, you can contact the Information Commissioner’s Office (ICO):
· Call: 0303 123 1113
· Visit: www.ico.org.uk/concerns (this will open in a new window – please note we cannot be responsible for the content of external websites).
Questions?
We’re here to help. If you have any questions about this policy or how we use your information, please contact our Data Protection Officer:
· Email: [email protected]
· Phone: +44 1865 744144
Notification of changes to privacy policy
We may update this privacy policy from time to time. Any changes will be posted on this page, so please check back periodically.
Governing Law
This privacy policy forms part of our website Terms of Use and is governed by the laws of England and Wales.
Imagery
The people featured in the images used on our website and marketing materials are models and do not have any direct connection to Oxford ADHD & Autism Centre or any specific mental health condition.
Use of your Data for Research
The type of research we conduct
As part of our commitment to service improvement and supporting the advancement of healthcare in our specialist treatment areas, we will from time to time participate in research activity.
This will include the following:
- Internal Service Improvement: Oxford ADHD and Autism Centre Limited undertake internal activities focused on improving clinical pathways and better understanding trends in patient data. For this purpose, we process your data under the basis of Legitimate Interests. We aggregate and anonymise patient data prior to conducting analysis, which means you will not be identifiable from the resulting dataset.
- External Health Research: We may partner with third-party research institutions to conduct specific research projects to gain further insights into our treatments. This processing falls into two categories:
  - Identifiable Studies (Consent-Based): If we identify you as a potential participant in a study involving your identifiable personal data, we will provide you with information about the specific research project and ask for your informed consent prior to using your data. You are under no obligation to take part in the study.
  - HRA-Approved Studies (Public Interest/Non-Identifiable Data): Where a research study relies on non-identifiable or pseudonymised data and is considered to be of substantial public interest, we will ensure that the study has obtained the necessary ethical and legal approvals, including Health Research Authority (HRA) Approval.
Our Legal Basis for Processing Your Data
To process your personal data for research, we rely on the following legal bases:
- Legitimate Interests: We may process your data when it is necessary for our legitimate interests as a business or those of a third party, provided your fundamental rights and freedoms are not overridden. This includes using your information to improve and develop our service offerings.
- Consent: We rely on your explicit consent when you volunteer to participate in a specific research study involving your identifiable data.
- Public Task: We rely on Public Task when processing is necessary to conduct research that is considered to be of substantial public interest and has received HRA Approval.
For special category data such as health information, we rely on the following legal bases:
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- Explicit Consent
If you are taking part in a specific research study, please read this privacy notice alongside any informed consent forms, study specific privacy notices, and/or study documents that are provided to you in relation to the collection, use, and transfer of your personal data for the stated research purpose.
Data We Collect
If you choose to take part in a research study, the entity which is conducting the research related activity with us will collect personal data about you including your name, contact information and further details about your treatment. Please refer to the research study documentation for further information about the type of data collected in the study.
For research undertaken internally, we aggregate and anonymise patient data prior to conducting analysis, which means you will not be directly identifiable from the data set.
How Long We Retain Your Data
If you choose to take part in a research study with our external partners, details of how long your data will be retained in identifiable format will be provided in the study specific documentation ascertaining your consent.
For research undertaken internally, we may store our anonymised datasets indefinitely to allow for long-term trend analysis, historical comparisons, and future studies without the need to recollect or re-anonymise the data.
Where Your Data is Stored
If you choose to take part in a research study with our external partners, details of where the data will be stored will be detailed in the study specific documentation.
For our internal research activities, we only store your healthcare information on servers located in the UK.
Your Rights in relation to Research
When we use your data for research or to improve our services, you have the following rights:
1. If You Take Part in a Specific Research Study
- Right to Stop: If you volunteer to take part in a specific clinical study and give your consent, you have the right to withdraw your consent at any time.
- What this means: We will stop using your data for the study from that point forward. Withdrawing consent will not affect your ongoing medical care or the lawfulness of any research done before you withdrew.
2. If We Use Your Data for Public Interest Research or Service Improvement
- Right to Object: You have the right to object to us using your data for general public health research (approved by groups like the HRA) or for our own internal service improvement and evaluation.
- What this means: If you object, we will stop using your data for these purposes. However, because this research is often carried out for essential public health reasons or legal requirements, we may sometimes have the right to continue processing your data if we can demonstrate that the compelling public interest in conducting the research outweighs your objection.