
Privacy Notice

Last Update June 2025

 

Introduction 

As part of the services we offer, we are required to process personal data about our service users or potential service users and in some instances, their friends’ and family members’ personal data.  

“Processing” can mean collecting, recording, organising, storing, sharing and destroying the data.  

As data controllers, we are committed to being transparent about why we need your personal data and what we do with it.  

This Privacy Notice sets out the information about our data processing activities and your rights to your personal data.  

If you have concerns or questions, please contact us at:  

 specialist@autismdoctor.co.uk  

Service Users 

What data do we have? 

So that we can provide a safe and professional service, we need to keep certain records about you. The data we collect and process may include: 

  • Your basic details and contact information, e.g. your name, address, date of birth and next of kin; 

  • Your financial details, e.g. details of how you pay us for your care or your funding arrangements. 

We also record the following data, which is classified as “special category”: 

  • Health and social care data about you, which might include both your physical and mental health data, medical history data and medication prescriptions data. 

Why do we have this data? 

The personal data we process is used only to:

  • Provide high-quality care and support.

  • Make appropriate assessments and recommendations.

  • Schedule and manage appointments.

  • Communicate with you about your care or services.

  • Maintain accurate records for clinical and legal purposes.

  • Respond to enquiries and manage client relationships.

  • Improve our services and website functionality.

Adhering to the UK GDPR, DPA (2018) and other legislation, principles and best practices relevant to the healthcare industry sector, we have identified the lawful bases for processing personal data, including:

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 

  • “Consent”, in some instances, which is explicit, specific and freely given. For example, we collect your consent for the referrals process, and we may rely on it to maintain some of our marketing activities and customer satisfaction review forms or, if and where applicable, to record some of the assessments for diagnostic purposes or treatment analysis.

  • “Legal obligation” generally under the Health and Social Care Act 2012, Common Law Duty of Confidentiality (CLDC), and the Mental Capacity Act 2005.  

  • A contract where processing is necessary to deliver our services. 

  • Legitimate interests to manage our business and client relationships (only where your rights are not overridden).

We process your special category data because: 

  • It is necessary due to social security and social protection law (generally, this would be in safeguarding instances); 

  • It is necessary for us to provide and manage health and social care services. 

  • We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

Use of Digital Tools in Clinical Assessment – Information for Patients and Families 

As part of the assessment process for conditions such as autism and other neurodevelopmental disorders, we use an online platform that incorporates digital tools (including but not limited to Grammarly and Large Language Models) to support the preparation, organisation, and recording of clinical information. These tools are designed to assist clinicians in improving the clarity and quality of written records. They do not make any clinical decisions, nor do they provide diagnostic conclusions. 

To provide this service, the platform may process certain categories of personal data, including sensitive (special category) data such as health information. In some cases, this may include information about family members, where relevant to the assessment. Wherever possible, such information is anonymised so that individuals cannot be identified. 

We collect and process only the data that is necessary for the purpose of your or your child’s assessment. All processing is conducted in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws. Appropriate technical and organisational measures are in place to safeguard your information and to ensure it remains secure. 

By proceeding with the assessment, you acknowledge that you have been informed of the use of this platform and the nature of the data being processed.

Common law duty of confidentiality 

In our use of health and care information, we satisfy the common law duty of confidentiality because: 

  • The contract for providing healthcare services is signed, and our terms and conditions are accepted. 

  • You have provided us with your consent (either implicitly to provide you with care, or explicitly for other uses). 

  • We have a legal requirement to collect, share and use the data. 

  • The public interest in collecting, sharing and using the data overrides the public interest served by protecting the duty of confidentiality (for example, sharing information with the police to support the detection or prevention of serious crime). 

How do we store and process your data? 

All the personal data we process about you may be collected: 

  • Directly from you or your legal representative 

  • From third-party organisations involved in your care 

We may collect your personal and sensitive data personally when you attend one of our clinics, via phone, via email, via our website, via post, via application forms, or via apps.  

Security  

The information we collect and process about you is stored securely. We use strong technical and organisational measures to protect your data from unauthorised access, misuse, loss, or damage. This includes steps such as secure systems, restricted access, and regular checks to make sure your information stays safe and is handled properly.

The personal data may be shared, internally, only with the team members who are involved in the care service we provide. The following measures apply:

  • All our staff are provided access to the personal data based on the “least privilege” principle

  • We maintain regular induction and refresher training for data confidentiality, General Data Protection Regulation, Caldicott Principles etc. 

  • We closely monitor all the records and keep them accurate and up to date 

  • Our database is regularly monitored, and data is backed up 

  • All devices in use are password protected and not taken off the premises 

We maintain a very limited amount of paperwork, predominantly prescriptions, which are destroyed via secure methods when no longer required.

Sharing your personal data with third-party organisations?

Sharing data with third-party organisations may include: 

  • Other parts of the health and care system, including local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals.

  • Organisations we have a legal obligation to share information with, i.e. for safeguarding, the CQC.  

  • Schools consented to share the outcome of an assessment. 

  • The Local Authority; 

  • Your family or friends, with your permission; 

  • Legal authorities where there is a legal obligation to share personal data. 

  • The police or other law enforcement agencies, if we have to, by law or court order. 

How long do we retain your personal data? 

In most cases, we retain the data of our service users up to 25 years of age or 26 if the care service has started when the service user was 17 years old. 

As a healthcare provider, we adhere to the retention periods defined by the NHS Transformation Directorate for all information record types (Records Management Code of Practice - NHS Transformation Directorate). After the retention period, we:

  • Securely dispose of your information by shredding paper records or wiping hard drives to legal standards of destruction. 

Your rights 

The data that we keep about you is your data, and we ensure that we keep it confidential and that it is used appropriately. You have the following rights when it comes to your data: 

  1. You have the right to be informed about how we collect and process your personal data.

  2. You have the right to access your personal data, known as a Data Subject Access Request. You may request details about certain records we process. Your request will be acknowledged and information delivered within one month or an additional two months if the request is excessive or complex.

  3. You have the right to rectify your personal data – if for any reason an error has occurred in your personal information, the record, on your request, must be corrected.

  4. You have the right to restrict all processing of your personal data or only one part of it for a certain period, while rectifying some of the data, for example.

  5. You have the right to erasure, meaning you can request the deletion of your personal data. However, erasure of healthcare records is not an absolute right and applies only under certain circumstances, for example, when an individual has provided details on their “patient story” to be used as promotional material. They may ask you to delete that information.

Erasure of the records is not possible, considering that each healthcare provider must comply with the Records Management Code of Practice - NHS Transformation Directorate, including:

  • To comply with the legal obligations

  • To perform a task in the public interest

  • For individual health and care purposes

  • For reasons of public health

  • Where erasure is likely to seriously impact or prevent scientific research from achieving its objectives

  6. Right to data portability allows individuals to access their data in a structured, machine-readable format and request transfer to another healthcare provider.

  7. Right to object is applicable only if the processing is based on “consent” as a lawful basis for processing.

  8. Right related to automated decision-making and profiling – meaning the right not to be subject to a decision solely based on automated processing that may result in legal effect on individuals or significantly affect the way they are receiving care.

For any data subject access request, we need to verify the identity of the requestor, for example, by asking for a photograph ID, passport or driving licence to ensure that personal data is not shared inappropriately. 

If you would like to complain about how we have dealt with your request, please contact: 

Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF https://ico.org.uk/global/contact-us/ 

Monitoring  

This policy will be reviewed regularly (at least every 2 years) to ensure it remains relevant and effective. All the updates will be published on our website.  
