Neurodevelopmental Services Limited
External Privacy Notice
Last Updated: 04.01.2024
Who we are and what we do
We are Neurodevelopmental Services Limited (“Autism Doctor”, “us”, “we”, “our”). We are a limited company registered in England and Wales under registration number 12197807 and we have our registered office at Spire Bushey Hospital, Heathbourne Road, Bushey, Hertfordshire, WD23 1RD. We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”), in relation to our processing of Personal Data under registration number ZA560187.
We offer Neuroaffirmative assessment, diagnosis, and management advice for a variety of Neurodevelopmental conditions in children. The assessments we offer include Autism, DHD, Developmental Delay, Dyspraxia and Learning Difficulties.
Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.
Purpose of this privacy notice
The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you can contact us using the information provided below under the ‘How to contact us’ section.
Who this privacy notice applies to
This privacy notice applies to you if:
You visit our website
You enquire about our services
You book an appointment via our booking form app
You sign up to receive newsletters and/or other promotional communications from us
Please note that we have a separate privacy notice for our existing clients, along with a child-appropriate version for our younger patients.
What Personal Data is
‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.
‘Special Category Personal Data’ is more sensitive Personal Data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.
Personal Data we collect
The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data we collect see the table below in the section entitled ‘Purposes for which we use personal data and the legal bases’.
How we collect your Personal Data
We collect most of the Personal Data directly from you in person, by telephone, text, email and/or via our website.
However, we may also collect your Personal Data from third parties such as:
sub-contractors in technical, payment and delivery services;
analytics providers; and
search information providers
Purposes for which we use personal data and the legal bases
We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:
Lawful Basis for Processing
Responding to correspondence from you
It is in our legitimate interest to respond to enquiries made via our website, by email, phone, text, through our social channels, or by any other means.
Sending you information, such as our service information, which may be of interest
If you are an existing client or have expressed an interest in our or services, we will rely on legitimate interests to contact you for marketing purposes.
You may object to the processing for this purpose by emailing email@example.com. If we have captured your consent for the purposes of marketing, that consent may be withdrawn at any time by emailing firstname.lastname@example.org or using the unsubscribe option.
Processing your booking
We shall process your personal data with your consent or may otherwise process where it is necessary for the performance of a contract between us.
Where you have provided special category data within your booking form, we shall process this data with your explicit consent.
To maintain a record of contact for current service user engagement
It is our legitimate interest to maintain a record of the contact we have with you within our database.
Business management, forecasting and statistical purposes
It is our legitimate interest to identify areas for managing current business relationships, develop new products and services, and for managing our business.
Improving our websites and the overall website visitor and user experience
It is our legitimate interest to allow analytics and search engine providers to help improve and optimise our website.
Improving our websites and the overall website visitor and user experience.
Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
Sharing your Personal Data
We may also disclose your information to third parties in connection with other purposes set out in this privacy notice. These third parties may include:
business partners, suppliers and sub-contractors who may process information on our behalf
referral partners, legal partners, and other support services
analytics and search engine providers
IT service providers
Where we are under a legal or regulatory duty to do so, we may disclose your details to the police, regulatory bodies or legal advisors, and/or, where we consider necessary to protect the rights, property or safety of Autism Doctor, its personnel, users or others.
Your Personal Data may be processed outside of the UK. This is because the organisations we use to provide our services to you are based outside the UK.
However, we have taken appropriate steps to ensure that the Personal Data processed outside the UK has an essentially equivalent level of protection to that guaranteed in the UK. We do this by ensuring that:
Your Personal Data is only processed in a country which the ICO has confirmed has an adequate level of protection (an adequacy regulation), or
We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organisation and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here international-data-transfer-agreement.pdf (ico.org.uk)).
How long we keep your data
We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.
At the end of the retention period, your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning.
How we protect your data
We implement appropriate technical and organisational measures to protect data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
In addition to the technical and organisational measures we have put in place, there are simple things you can do to in order to further protect your personal information, such as:
1. Never share One Time Passcodes (OTPs).
2. Never enter your details after clicking on a link in an email or text message.
3. Always send confidential information by encrypted email to reduce risk of interception.
4. If you’re logged into any online service do not leave your computer unattended.
5. Close down your internet browser once you’ve logged off.
6. Never download software or let anyone log on to your computer or devices remotely, during or after a cold call.
7. You can easily identify secure websites by looking at the address in the top of your browser which will begin https:// rather than http://.
Your rights and how to complain
You have certain rights in relation to the processing of your Personal Data, including the:
Right to be informed
Individuals have the right to be informed about the collection and use of their personal data.
Right of access
Individuals have the right to receive a copy of their personal data, and other supplementary information.
Right to rectification
Individuals have the right to have inaccurate personal data rectified or completed if it is incomplete.
Right to erasure (the ‘right to be forgotten’)
Individuals have the right to request their personal information to be erased, in certain circumstances.
Right to restrict processing.
Individuals have the right to request the restriction or suppression of their personal data, in certain circumstances, in particular:
if your data is not accurate,
if your data has been used unlawfully but you do not want us to delete it;
if your data is no longer needed, but you want us to keep it for use in legal claims; or
if you have already asked us to stop using your data but you are waiting to receive confirmation from us as to whether we can comply with your request.
Right to data portability
Individuals have the right to obtain and reuse their personal data, in a machine-readable format, for their own purposes across different services, in certain circumstances.
Right to object
Individuals have the right to object to the processing of their personal data, in certain circumstances.
Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way.
Where we are using your personal data for direct marketing, including profiling for direct marketing purposes, you have an absolute right to ask us to stop doing so.
Rights with respect to automated decision-making and profiling
Individuals have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.
We do offer our services to children, however we do not knowingly collect Personal Data of children without parental consent (unless permitted by law). If you are a child, you must have your parent’s permission to use our services. If you believe that a child has provided us with their Personal Data without parental consent, please contact us, and if appropriate, we will securely and permanently delete it in accordance with applicable law.
How to contact us and our Data Protection Officer
If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please use the details below:
Dr Deepshikha Thakur
c/o Spire Bushey Hospital
Our telephone number is +44 (0) 7486531240.
Alternatively, you can email us at email@example.com.
We have also appointed a Data protection Officer (“DPO”), Evalian Limited, who can be contacted by using the email or postal address above. Please send your communication clearly indicating ‘FAO the ‘Data Protection Officer’, and your message will be passed directly to Evalian Limited for attention.
How To Complain
You have the right to lodge a complaint with the relevant supervisory authority if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at https://ico.org.uk/make-a-complaint/ or by telephone on 0303 123 1113.
Changes to this privacy notice
We may update this notice (and any supplemental privacy notice) from time to time, and shall notify you of the changes where we are required by the applicable law to do so.