Data Protection Policy

GDPR Compliance & Data Processing Information

Last updated: January 2025

  • No PII Collected: We never collect patient names, DOBs, or identifiable information
  • Privacy by Design: Data minimisation is built into our architecture
  • EU Data Storage: All data stored in GDPR-compliant EU facilities

1. Introduction and Scope

This Data Protection Policy outlines how RSD-RS complies with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018. It should be read in conjunction with our Privacy Policy and Terms of Service.

This policy applies to all personal data processed by RSD-RS in connection with the provision of our clinical assessment platform.

2. Data Controller and Processor Roles

2.1 RSD-RS as Data Controller

RSD-RS acts as a Data Controller for:

  • Clinic account information (email, organisation name, country)
  • Aggregated research data (where research mode is enabled)
  • Platform usage analytics

2.2 RSD-RS as Data Processor

RSD-RS acts as a Data Processor for:

  • Anonymous patient assessment data entered by clinics
  • Calculated scores and reports generated from assessment data

2.3 Clinics as Data Controllers

Registered clinics remain the Data Controller for any patient information they hold outside our platform, including the link between our system-generated patient IDs and actual patient identities. Clinics are responsible for:

  • Maintaining the mapping between RSD-RS patient IDs and patient records
  • Obtaining appropriate consent from patients for assessments
  • Handling any data subject requests from patients
  • Ensuring compliance with their own data protection obligations

3. Data Minimisation Principles

RSD-RS is designed around the principle of data minimisation. We collect only what is strictly necessary for clinical and research purposes.

3.1 What We Do NOT Collect

  • Patient names or initials
  • Dates of birth (only age bands)
  • Addresses or postcodes
  • NHS numbers or other health identifiers
  • Email addresses of patients
  • Phone numbers
  • Photos or biometric data

3.2 What We DO Collect

  • System-generated anonymous ID (e.g., RSD-4X7K-2M9P-AB)
  • Age band (e.g., 18-25, 36-45)
  • Sex (male, female, other, prefer not to say)
  • ADHD status (diagnosed, under assessment, suspected)
  • Country (for research stratification)
  • Assessment responses (numerical scores 0-4)

4. Lawful Basis for Processing

We process personal data under the following lawful bases:

Contract (Article 6(1)(b))

Processing clinic account data necessary to provide the platform service

Legitimate Interests (Article 6(1)(f))

Processing for security, fraud prevention, and service improvement where not overridden by data subject rights

Consent (Article 6(1)(a))

Marketing communications and research data contribution (where clinic opts in)

Scientific Research (Article 89)

Processing of anonymised aggregate data for scientific research with appropriate safeguards (pseudonymisation, data minimisation)

4.1 Special Category Data

Assessment data constitutes health data (a special category under GDPR). However, because we do not collect any identifying information, the data we hold cannot be linked to identifiable individuals by us. The processing is covered by:

  • Article 9(2)(j): Scientific research purposes with appropriate safeguards
  • Article 9(2)(h): Healthcare purposes (via the clinic as controller)

5. Technical and Organisational Measures

We implement appropriate technical and organisational measures to ensure data security:

5.1 Technical Measures

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Control: Row-level security policies, role-based access
  • Authentication: Secure authentication with password hashing (bcrypt)
  • Infrastructure: Enterprise-grade hosting with SOC 2 compliance
  • Monitoring: Automated threat detection and logging
  • Backups: Encrypted backups with point-in-time recovery

5.2 Organisational Measures

  • Privacy by design methodology in all development
  • Regular security training for team members
  • Documented incident response procedures
  • Regular review of data processing activities
  • Vendor due diligence for all sub-processors

6. Sub-Processors

We use the following sub-processors to deliver our service:

Sub-Processor    | Purpose                   | Location       | Safeguards
Supabase         | Database & Authentication | EU (Frankfurt) | DPA, SOC 2
Vercel           | Web Hosting               | Global CDN     | DPA, SCCs
Resend/Postmark  | Email Delivery            | US             | DPA, SCCs

All sub-processors are bound by data processing agreements that require them to implement appropriate security measures and process data only according to our instructions.

7. International Data Transfers

Our primary data processing occurs within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure compliance through:

  • Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards
  • Supplementary Measures: Additional technical measures where required

8. Data Retention

We retain data only as long as necessary for the purposes for which it was collected:

Data Type        | Retention Period     | Reason
Clinic Accounts  | Active + 7 years     | Legal/tax requirements
Assessment Data  | While account active | Service provision
Research Data    | Indefinitely         | Scientific research (Art. 89)
Security Logs    | 90 days              | Security monitoring

9. Data Subject Rights

We respect and facilitate data subject rights under GDPR:

  • Right of Access (Art. 15): Request copies of your data
  • Right to Rectification (Art. 16): Correct inaccurate data
  • Right to Erasure (Art. 17): Delete your data
  • Right to Restrict (Art. 18): Limit processing
  • Right to Portability (Art. 20): Receive data in a usable format
  • Right to Object (Art. 21): Object to certain processing

To exercise these rights, contact privacy@rsdrs.com. We will respond within one month.

Note for Patient Requests

Since we hold no identifiable patient data, patient data subject requests should be directed to the clinic that conducted the assessment. The clinic maintains the link between our anonymous IDs and patient identities.

10. Data Breach Procedures

In the event of a personal data breach:

  1. Detection & Assessment: Immediate investigation to determine scope and risk
  2. Containment: Steps to prevent further unauthorised access
  3. Notification to ICO: Within 72 hours if the breach poses a risk to rights and freedoms (as required by Article 33)
  4. Notification to Data Subjects: Without undue delay if high risk to individuals (as required by Article 34)
  5. Documentation: Full record of breach, effects, and remedial actions
  6. Review: Post-incident review to prevent recurrence

11. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that may result in high risk to individuals, including:

  • New features involving health data processing
  • Changes to data sharing arrangements
  • Introduction of new sub-processors
  • Significant changes to research data usage

12. Data Processing Agreements

Enterprise customers requiring a formal Data Processing Agreement (DPA) can request one by contacting legal@rsdrs.com.

Our standard DPA includes:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Security measures and sub-processor arrangements
  • Audit rights and cooperation obligations

13. Contact Information

Data Protection Enquiries

Email: privacy@rsdrs.com

Legal Enquiries: legal@rsdrs.com

Supervisory Authority

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
ico.org.uk

14. Policy Updates

This policy is reviewed annually and updated when necessary. Material changes will be communicated via email to registered users. The current version is always available at rsdrs.com/data-protection.