(Dr Srinivas Gada, Consultant in Paediatric Neurodisability)
At Oxford Neurodevelopment, we understand that we have a responsibility to protect and respect your privacy and look after your personal data.
This Privacy Notice explains what personal data we collect, how we use your personal data, reasons we may need to disclose your personal data to others and how we store your personal data securely.
For clarity, Oxford Neurodevelopment may be both data controller and data processor for your personal data under certain circumstances.
We must advise that this policy is subject to change, so please check our website on a regular basis for any further changes.
Data Protection law changed in May 2018
This Privacy Notice sets out your rights under the new laws.
Who are we?
Oxford Neurodevelopment, part of Vejovis Ltd, is a provider of neurodevelopmental consultations, neurodevelopmental assessments, medicolegal expertise and other services, based in Oxford.
How the law protects you
Data protection laws state that we are only able to process personal data if we have valid reasons to do so. The reasons we process your personal data include, but are not limited to, your consent, performance of a contract, billing, your vital interests and to contact you.
How do we collect personal data from you?
We receive information from you when you use our website, complete forms on our website, or contact us by phone, email or otherwise in respect of any of our services.
If you provide us with personal data about a third party (for example when registering for an appointment on their behalf, or when registering a minor), you warrant that you have obtained the express consent from the third party for the disclosure and use of their personal data or are legally responsible for that person.
What type of data do we collect from you?
The personal data that we may collect from you includes your name, address, email address, phone numbers, payment information and medical information provided by yourself or referring clinicians. We may also keep details of your visits to our website including, but not limited to, traffic data, location data, weblogs and other communication data. We also retain records of your queries and correspondence, in the event you contact us.
Please be aware that any video, image, or other content uploaded or otherwise made available by you through our website or via mail/e-mail, is not subject to our Privacy Notice.
We merely process such data on your behalf, subject to our Terms and Conditions and you are responsible for any applicable legal requirements in respect of the data.
How do we use your data?
We use information about you in the following ways:
- To process orders that you have submitted to us;
- To provide you with information and services;
- To comply with the contractual obligations we have with you;
- To help us identify you and any accounts you hold with us;
- To enable us to review, develop and improve our website and services;
- To provide customer care, including responding to your requests if you contact us with a query;
- To administer accounts, process payments and keep track of billing and payments;
- To detect fraud and to make sure what you have told us is correct;
- To carry out marketing and statistical analysis;
- To notify you about changes to our website and services;
- To provide you with information about products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes; and
- To inform you of service and price changes.
Retention periods
We will keep your personal data for the duration of the period you are a customer of Oxford Neurodevelopment. We shall retain your data only for as long as necessary in accordance with applicable laws: for 7 years following discharge, or until 18 if a minor, as is our legal obligation, or longer if your condition requires it.
We may not be able to delete your data before this time due to our legal and/or accountancy obligations. We may also keep it for research or statistical purposes. We assure you that your personal data shall only be used for these purposes stated herein.
Who has access to your personal data?
Here is a list of all the ways that we may use your personal data and how we share the information with third parties. For clarity, we have grouped them into the specific products and services that we offer:
Medserv.co.uk
The team at Medserv administer and process the payments for services between yourself, any relevant health insurers, Mr Chris Abela and any other relevant third parties. Here are their Terms and Conditions regarding privacy:
Medserv acknowledges that the provision of the Specified Services will involve the processing of Personal Data on behalf of the Customer. In such circumstances, Medserv acknowledges that the Customer is the Controller and Medserv is the Processor and Medserv agrees that:
(a) Medserv processes the Personal Data set out in Appendix 1 on behalf of the Customer in the context of providing the Specified Services for the duration of the term of the Agreement. The obligations and rights of the Customer shall be as set out in this Agreement;
(b) Medserv will only process the Personal Data in accordance with the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country and solely as strictly necessary for the performance of its obligations under this Agreement;
(c) Medserv shall ensure that the persons authorised by Medserv to process the Personal Data are bound by appropriate confidentiality obligations;
(d) Medserv shall implement such technical and organisational security measures as are required to comply with the data security obligations under Data Protection Law;
(e) Medserv shall not engage any sub-processor without the prior general written authorisation of the Customer and where the Customer has provided a general authorisation to the appointment of sub-processors, Medserv shall inform the Customer if it intends to replace a sub-processor, and shall provide the Customer with an opportunity to object to such changes;
(f) where any sub-contractor of Medserv will be processing the Personal Data on behalf of the Customer, Medserv shall ensure that a written contract exists between Medserv and the sub-contractor containing clauses equivalent to those imposed on Medserv in this clause 10. In the event that any sub-processor fails to meet its data protection obligations Medserv shall remain fully liable to the Customer for the performance of the sub-processor’s obligations;
(g) Medserv shall, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organisational measures (insofar as this is possible) to assist the Customer to comply with requests from data subjects to exercise their rights under Data Protection Law and any such assistance may be at the cost of the Customer;
(h) Medserv shall assist the Customer in ensuring compliance with its obligations in respect of security of personal data, data protection impact assessments and prior consultation requirements under Data Protection Law [and any such assistance shall be at the cost of the Customer];
(i) Medserv shall: (i) at the choice of the Customer, delete or return the Personal Data to the Customer when Medserv ceases to provide services relating to data processing; and (ii) delete all existing copies of such personal data unless EU law or the laws of an EU Member State require storage of the personal data [and any such return or deletion of data shall be at the cost of the Customer];
(j) Medserv shall: (i) make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this clause 10; and (ii) allow for and assist with audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in order to ensure compliance with the obligations laid down in this clause 10 provided that, in connection with (i) [and (ii)] of (i) above, Medserv shall inform the Customer immediately if, in its opinion, it receives an instruction from the Customer which infringes Data Protection Law. For the purposes of demonstrating compliance with the data security obligations under Data Protection Law, the Customer agrees that it shall be sufficient for Medserv to provide evidence of adherence by Medserv to an approved code of conduct or an approved certification mechanism;
(k) taking into account the nature of the processing and the information available to Medserv, Medserv shall notify the Customer without undue delay after becoming aware of any personal data breach or breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and provide the Customer with such reasonable co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach [and any such assistance shall be at the cost of the Customer]; and
(l) Personal Data may only be transferred outside of the European Economic Area by Medserv or any of its agents or sub-processors in circumstances where such transfers were envisaged by the nature of the Specified Services being provided by Medserv under this Agreement and such transfer is effected in accordance with a mechanism which is compliant with Data Protection Law, e.g. where the data importer enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts of any sub-processors.
Google.co.uk
Google Drive backs up all our data within the cloud, for access on the move, in order to facilitate your care and response to queries from yourself and relevant third parties involved in your care. Google email accounts facilitate communication between members of the team and yourself. Their Terms and Conditions regarding privacy are available at: https://policies.google.com/privacy
Clinical Photography
This is held on the device with which it is taken for 7 days prior to electronic filing with your record and deleting from the device.
Dictations
This is processed through a mobile phone and the medserv.co.uk mobile app and is handled in accordance with their privacy policy as a data processor. Their Terms and Conditions regarding privacy are available at: https://www.medserv.ie/privacy_policy.php
SSL certificates
We process your data for administration, billing, support and the provision of services using SSL certificates.
Use of Cookies
Oxford Neurodevelopment uses “cookies” to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a Web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page.
You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Healthcare Specialists Ltd. services or Web sites you visit.
Security of your Personal Information
Oxford Neurodevelopment secures your personal information from unauthorized access, use or disclosure. Oxford Neurodevelopment secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure. When personal information (such as a credit card number) is transmitted to other Web sites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol.
Third Parties
For the avoidance of doubt, we do not and never shall sell your personal data to third parties for marketing or advertising purposes.
We work closely with a number of third parties (including business parties, service providers and fraud protection services).
We may pass your personal data to third parties for the provision of services on our behalf (for example processing your payment). However, we will only ever share information about you that is necessary to provide the service and we have specific contracts in place, which ensure your personal data is secure and will not be used for any marketing purposes.
Your rights
Preventing the use or processing of your personal data may delay or prevent us from fulfilling our contractual obligations to you. It may also mean that we shall be unable to provide our services or process the cancellation of your service.
You have the right to object to our use of your personal data, or ask us to delete, remove or stop using it if there is no need for us to keep it. This is known as your right to be forgotten. There are legal and accountancy reasons why we will need to keep your data, but please do inform us if you think we are retaining or using your personal data incorrectly.
Our Privacy Notice shall be made clear to you at the point of collection of your personal data.
You have the right to ask us not to process your personal data for marketing purposes. If you choose not to receive marketing communications from us about our products and services, you can opt out by ticking the relevant boxes situated on the pages either at sign up or in your control panel.
We will not contact you for marketing purposes unless you have given us your prior consent. You can change your marketing preferences at any time within your Fasthosts control panel.
Accessing and updating your data
You must maintain the accuracy of your information and ensure all your details, including but not limited to, name, address, title, phone number, e-mail address and payment details are kept up to date at all times. You must do this by updating your personal details with my team.
You have the right to access the information we hold about you. Please email your requests to drgada@theclinic.co.uk so that we can obtain this information for you.
Links to other sites
Oxford Neurodevelopment may provide links to third party sites. Since we do not control those websites, we encourage you to review the privacy policies of these third-party sites. Any information that is supplied on these sites will not be within our control and we cannot be responsible for the privacy policies and practices of these.
Where we store your personal data
We follow accepted ISO standards to store and protect the personal data we collect, including the use of encryption if appropriate.
From time to time, your information may be transferred to and stored in a country outside the EEA in relation to provision of the services. The laws in these countries may not provide you with the same protection as in the EEA; however, any third party referred to above outside of the EEA has agreed to abide by European levels of data protection in respect of the transfer, processing and storage of any personal data. By providing your data to us, you agree to this transfer and storage. However, we will ensure that reasonable steps are taken to protect your data in accordance with this privacy notice.
As the transmission of information via the internet is not completely secure, we cannot guarantee the security of your data transmitted to our site and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Any sensitive data (payment details for example) are encrypted and protected.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping the password confidential. We ask you not to share a password with anyone.
Liability
We agree to take reasonable measures to protect your data in accordance with applicable laws and in accordance with our General Terms and Conditions.
Data Breaches
In the event of a data breach, we shall ensure that our obligations under applicable data protection laws are complied with where necessary.
Contact us
Please e-mail any questions or comments you have about privacy to us at drgada@theclinic.co.uk
Your right to make a complaint
You have the right to make a complaint about how we process your personal data to the Information Commissioner:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF