Fair Processing Notice: How We Use Your Data
Effective Date: 11 March 2025
Last Updated: 10 March 2025
At CARE ADHD, we take your privacy seriously. This Fair Processing Notice explains how we collect, use, store, and protect your personal information in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, NHS Digital security standards, and Information Commissioner’s Office (ICO) guidelines.
This notice also provides details about our transition from Pabau to our new systems (DrDoctor, EMIS Web, Airtable), and how this affects your data.
1. Who We Are
Care ADHD provides ADHD assessment, diagnosis, and treatment services. We ensure that your personal data is stored securely in NHS-approved systems and processed in full compliance with UK GDPR and NHS Digital security standards.
Data Controller: Centre for ADHD Research & Excellence Ltd, Registered in England and Wales (Company No. 14535089)
Data Protection Officer (DPO): Bobby Pratap, enquiries@careadhd.co.uk (FAO Bobby Pratap)
2. Lawful Basis for Processing Your Data
Under UK GDPR, we process your personal data under the following lawful bases:
Public Task (Article 6(1)(e)) – Processing is necessary to provide healthcare services.
Legal Obligation (Article 9(2)(h)) – Processing is required for medical diagnosis, treatment, and healthcare management.
📌 ADHD care involves processing health-related data, which is classed as special category data under UK GDPR. We process this under Article 9(2)(h) (Healthcare & Medical Diagnosis).
📌 We do not rely on consent as the primary basis for processing your data, except where legally required (e.g., marketing communications).
3. What Information We Collect
We only collect the minimum data necessary to provide safe and effective ADHD care.
| Category | Examples | Why We Collect It |
|---|---|---|
| Personal Information | Name, date of birth, NHS number, contact details | To identify you and provide healthcare services |
| Health Data | ADHD assessments, treatment records, prescriptions, clinician notes, Summary Care Records (SCRs) (where opted in) | To diagnose, treat, and manage ADHD care |
| Appointments & Referrals | Appointment bookings, referral details | To efficiently manage your treatment journey |
| Questionnaires | ADHD symptom forms completed online | To support assessments and treatment plans |
| Communication Logs | Emails, messages, call logs | To provide customer support and clinical updates |
| Payment Information | Transaction records (amount, date, status), invoices, refunds | To process payments and provide receipts |
📌 We do not collect or store payment card details. Payments are processed securely by Stripe, an external payment provider. We only retain transaction records necessary for accounting and refunds.
4. Where And How We Store Your Data
Your data is stored securely in NHS-compliant systems, with encryption, access controls, and usage restrictions in place.
| System | Purpose | Security Features |
|---|---|---|
| EMIS Web | Patient records, treatment plans, Summary Care Records (SCRs) (where opted in), appointments | NHS-approved encryption, Smartcard access, direct NHS Spine access |
| DrDoctor | Patient questionnaires, appointment data for reminders | Secure patient login, encrypted data, role-based access control |
| Airtable | Internal tracking of patient progress | Data stored in the US, compliant with UK GDPR & data protection laws, encrypted and access-controlled |
| NHSmail | Secure communication between staff | End-to-end encryption |
Our commitment to security
✅ No patient data is stored on personal devices—staff use centrally managed, encrypted laptops.
✅ Sensitive patient data is never sent via email unless absolutely necessary.
✅ We enforce Role-Based Access Control (RBAC) to ensure only authorised personnel can view data.
5. Transition From Pabau To New Patient Portal And Record Systems
From 11 March 2025, Care ADHD is transitioning to DrDoctor and EMIS Web for all new patient registrations and medical record management.
How this affects you:
Registered before 10 March 2025? → Your records may still be partially stored in Pabau, but will be securely migrated to EMIS Web by no later than January 2026
Registered on or after 10 March 2025? → Your data is stored entirely in DrDoctor and EMIS Web.
Referrals: Moving forward, referrals will be processed via the NHS Electronic Referrals Service (e-RS) as the default, instead of email-based submissions.
Security Measures During Transition
✅ Limited Access to Pabau: Only essential staff can access legacy patient data until migration is complete.
✅ Secure Data Migration: All data transfers are encrypted and monitored.
✅ Permanent Data Deletion: Once migration is complete, all Pabau data will be securely erased in line with NHS and ICO guidelines.
6. How Long We Keep Your Data
We follow NHS data retention policies, ensuring that data is only kept for as long as necessary.
| Data Type | Retention Period | Disposal Method |
|---|---|---|
| Medical Records (EMIS Web) | 8 years after last contact | NHS-approved deletion |
| Referrals (e-RS) | 5 years | Secure NHS Digital deletion |
| Questionnaires (DrDoctor) | 3 years | Securely deleted from system |
| Customer service emails | 90 days | Automatic archiving |
📌 When data is no longer required, it is securely erased using NHS-compliant methods.
7. Who We Share Your Data With
We follow NHS data retention policies, ensuring that data is only kept for as long as necessary.
| Recipient | Purpose | Legal Basis |
|---|---|---|
| Your GP or referring clinician | To coordinate and oversee your care | Public Task (UK GDPR Article 6(1)(e)) |
| Pharmacies & prescribing services | To provide ADHD medication | Legal Obligation (Article 9(2)(h)) |
| NHS Digital & regulators | When required for safety audits | Legal Compliance |
| Third-party IT providers (e.g., Handsfree IT, DrDoctor, EMIS Web, Airtable) | To maintain our secure IT systems | Legitimate Interest |
📌 All third-party IT providers sign a Data Processing Agreement (DPA) to ensure full UK GDPR compliance.
📌 We do not sell your data or share it with advertisers.
8. Automated Decision-Making
📌 Care ADHD does not use automated decision-making for clinical assessments or diagnoses.
🔹 AI tools may be used to assist administrative processes (e.g., extracting and organising data to support clinicians), but all diagnoses and treatment decisions are made by qualified clinicians.