This Privacy Notice was last updated on 16 July 2023
1.1 Policy statement
ADHD Specialist Limited has a duty to advise service users of the purpose of personal data and the methods by which service user personal data will be processed.
ADHD Specialist Limited aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment.
1.3 Training and support
ADHD Specialist Limited will provide guidance and support to help those to whom it applies to understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
2.1 Who it applies to
This document applies to all who work at ADHD Specialist Limited and other individuals performing functions in relation to ADHD Specialist Limited.
2.2 Why and how it applies to them
Everyone should be aware of the practice privacy notice and be able to advise service users, their relatives and carers what information is collected, how that information may be used and with whom ADHD Specialist Limited will share that information.
The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to service users about how their personal data is used is a key element of the General Data Protection Regulation.
3 Definition of terms
3.1 Privacy notice
A statement that discloses some or all of the ways in which ADHD Specialist Limited gathers, uses, discloses and manages a service user’s data. It fulfils a legal requirement to protect a service user’s privacy.
3.2 Data Protection Act 2018 (DPA18)1
The Data Protection Act (DPA18) will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.
3.3 Information Commissioner’s Office (ICO)2
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
3.4 General Data Protection Regulation (GDPR)3
The GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The GPDR came into effect in May 2018.
3.5 Data controller
The entity that determines the purposes, conditions and means of the processing of personal data.
3.6 Data subject
A natural person whose personal data is processed by a controller or processor.
4 Compliance with regulations
In accordance with the GDPR, ADHD Specialist Limited will ensure that information provided to subjects about how their data is processed will be:
• concise, transparent, intelligible, and easily accessible,
• written in clear and plain language, particularly if addressed to a child, and
• free of charge.
4.2 Article 5 compliance
In accordance with Article 5 of the GDPR, ADHD Specialist Limited will ensure that any personal data is: • processed lawfully, fairly and in a transparent manner in relation to the data subject, • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, • adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed, • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay, • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed, and • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Article 5 also stipulates that the controller shall be responsible for, and be able to demonstrate compliance with, the above.
4.3 Communicating privacy information
At ADHD Specialist Limited, the privacy notice is displayed on our website, through signage in the waiting room and in writing during service user registration. We will inform service users how their data will be used and for what purpose.
4.4 What data will be collected?
At ADHD Specialist Limited, the following data will be collected:
• service user details (name, date of birth, NHS number),
• address and NOK information,
• medical notes (paper and electronic)
• details of treatment and care, including medications,
• results of tests (pathology, X-ray, etc.), and
• any other pertinent information.
4.5 Privacy notice checklists
The ICO has provided a privacy notice checklist which can be used to support the writing of ADHD Specialist Limited’s privacy notice. The checklist can be found by following this link.
4.6 Privacy notice template
A privacy notice template can be found at Annex A.
It is the responsibility of all staff at ADHD Specialist Limited to ensure that service users understand what information is held about them and how this information may be used. Furthermore, ADHD Specialist Limited must adhere to the DPA18 and the GDPR to ensure compliance with extant legal rules and legislative acts.
Annex A – ADHD Specialist Limited privacy notice
ADHD Specialist Limited has a legal duty to explain how we use any personal information we collect about you, as a service user, at ADHD Specialist Limited. Staff at ADHD Specialist Limited maintain records about your health and the care you receive in electronic or paper format.
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, health records, treatment, etc. and any other relevant information to enable us to deliver effective care.
How we will use your information
Your data is collected for the purpose of providing care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
Maintaining confidentiality and accessing your records
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR) as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
In accordance with our Codes of Practice for Records Management, your records will be retained for 10 years after death or, if a service user emigrates, for 10 years after the date of emigration. BMA recommends "Mental health records in England, Wales, and Northern Ireland to be kept for 20 years or 10 years after the patient has died (in Northern Ireland it is 8 years after death)
Whilst we will take all the reasonable efforts to protect your information, we are aware of the limitations of transmitting information via the Internet. Therefore, we cannot offer a 100% guarantee of the safety of personal data which is transferred to you or from you via this method. Our systems are designed to be paperless, and cloud-based, however, the controlled prescriptions remain paper-based and are sent to the pharmacy in person or via secure mail.
What to do if you have any questions
1. contact ADHD Specialist Limited’s data controller via email at firstname.lastname@example.org,
2. write to the data controller at ADHD Specialist Limited
3. ask to speak to a manager, Dr Stefan-Valentin Ivantu
The Data Protection Officer (DPO) for ADHD Specialist Limited is the Registered Manager - Dr Stefan-Valentin Ivantu.
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit www.ico.org.uk and select “Raising a concern”.
How to contact us:
If you have any questions, or would like to make a request or complaint, please contact us by: