top of page

Privacy Policy

PRIVACY NOTICE (UK GDPR)

Data Controller

Dr Elizabeth Dundewey

Glasgow NeuroCare

This Privacy Policy applies to Dr Elizabeth Dundewey, trading as Glasgow NeuroCare. We understand that it is important to you how information about you is used, stored and shared, and we take your privacy and confidentiality very seriously.

This Privacy Policy describes how Glasgow NeuroCare collects, stores, processes and shares the information you provide, or are asked to provide, for the purposes of our work together, as well as your rights in relation to that information.

By contacting us and/or using our services, you acknowledge that you have had the opportunity to read this Privacy Policy. This statement will be reviewed and updated regularly.

This Privacy Policy was last updated on: 20 March 2026.

If you have any questions about this Privacy Policy, please email: DrElizabethDundewey@outlook.com.


Dr Elizabeth Dundewey is registered with the Information Commissioner’s Office (ICO), registration number: ZB523368.

How We Collect Data?

We collect information about you (and, where relevant, your child or family member) in a number of ways in order to provide the services you have requested:

  • Website: When you use our website (including contact or referral forms), we may collect personal and technical data (e.g. IP address, browser type).

  • Telephone: We may speak with you, and with others involved in your care, to gather information as part of assessment or intervention.

  • Text and email: We may use email and/or text messages to communicate with you (e.g. about appointments, questionnaires or practical arrangements), and, where relevant, to contact third parties involved in your care.

  • Face to face / online meetings: During appointments (in person or via secure video platforms), we may take written and/or electronic notes to inform our clinical work.

  • Written communications: We may send or receive letters or emails to and from you, and from professionals involved in your care (e.g. GPs, schools, other clinicians).

  • Third‑party sources: With your consent where appropriate, we may receive information from third parties such as GPs, schools, or other health and social care providers. We may also use website analytics tools which collect technical data about how our website is accessed.

 

What Data we Gather?

We collect information about you and/or your child to enable us to:

  • work with you safely and effectively

  • provide the clinical and administrative services you have requested

  • meet our legal, professional and safeguarding obligations

The information we collect may include:

Identity data

  • Name, date of birth, gender, address.

Contact data

  • Postal address, email address, contact telephone number(s), emergency contact details.

Other relevant data

  • GP details.

  • Details of any other health, social care or support agencies (including voluntary and statutory services).

  • Educational and occupational history.

  • Details of private health insurance providers (where relevant).

Financial data

  • Payment/transaction information.

  • We do not store full card details ourselves; these are handled by secure third‑party payment processors (e.g. Stripe).

Technical data

  • Information related to your use of our website (e.g. IP address, browser type), where collected.

Because of the nature of our work, we may also need to collect, store and process special category data, including information about:

  • psychological and physical wellbeing

  • mental health

  • relationships and family context

  • life events and trauma history

  • diagnoses and medical history

  • previous or current treatment and support

  • educational reports and assessments

  • any relevant criminal/forensic history

We only collect information that is relevant for the purposes of our agreed work with you.

 

How We Use The Data We Collect From You?

We will only collect data that is necessary and relevant to providing the services you have sought from us, such as:

  • neurodevelopmental (e.g. autism, ADHD) assessments

  • psychological assessment and/or therapy

  • neuropsychological assessment and cognitive rehabilitation

  • consultation, supervision or training (where applicable)

We use your data to:

  • Determine whether our service is appropriate for your needs.

  • Contact you to arrange appointments.

  • Conduct thorough assessments and provide clinical opinions.

  • Provide recommendations and reports for you and, with consent, relevant professionals.

  • Communicate with other professionals involved in your care, where agreed or required.

  • Invoice you and manage payments.

  • Maintain accurate clinical and administrative records.

The primary lawful bases under the UK GDPR for our processing are:

  • Legitimate Interests – providing requested psychological and neurodevelopmental services and running the business required to support them.

  • Provision of health or social care (special category data) – providing assessment and treatment services as a health professional.

  • Consent – particularly when sharing information with third parties, such as schools or other services, where this is not otherwise legally required.

You can find more information about lawful bases for processing on the ICO website (www.ico.org.uk).

Please also see our Terms and Conditions for information about when we may need to share information without your prior consent (e.g. safeguarding or legal obligations).

Data Sharing

Information may be shared with:

  • Schools, colleges or universities – with your consent (or parental consent), to support educational planning and reasonable adjustments.

  • GPs and other healthcare professionals – with your consent, or where there is a clear clinical or safeguarding need.

  • Associate clinicians and administrative staff – who work with Glasgow NeuroCare and are bound by professional codes of conduct and confidentiality.

  • Regulatory or legal bodies – if legally required (e.g. court orders, regulator investigations).

Any professionals who work with us (e.g. associate psychologists, allied health professionals, assistants, admin staff) are required to comply with UK GDPR and to maintain confidentiality.

Controlling the Information we Hold about you

All personal information we hold about you is stored and processed in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

  • We keep your data for the duration of your work with us.

  • After our work ends, we will store your data securely for seven years from the date of last contact (or longer if we are legally required to, for example for children’s records).

  • We retain this information so that we can respond effectively to any future questions, requests for copies of records, or complaints.

  • After this period, your data will be securely erased or anonymised.

You have the right to request erasure of your data after the retention period, but not usually before, unless specific legal conditions are met.

 

Security

We take the security of your information seriously. In particular:

  • All client records (including personal and special category data) are held on a secure, GDPR‑compliant electronic system.

  • Any paper records are stored securely in a locked cabinet.

  • Clinically relevant emails and documents are uploaded to the secure electronic system and removed from general email where appropriate.

  • We share sensitive information (such as reports) using secure email systems and/or password‑protected documents wherever possible.

  • Access to your information is restricted to individuals directly involved in your care or in essential administrative functions.

In the unlikely event of a data breach, we will follow ICO guidance and notify the ICO and, where appropriate, affected individuals.

 

Data Accuracy

It is important that the information we hold about you is accurate and up to date. If any of your details change (e.g. address, contact information, GP), please let us know as soon as possible so we can update our records. This helps protect your privacy and supports safe care.

 

Accessing your Information

All individuals whom Dr Elizabeth Dundewey collect, store and process personal information about as a client/user of our services are entitled to:

  • Ask what information Dr Elizabeth Dundewey holds about them and why.

  • Ask how to gain access to this information.

  • Be informed about how it is kept up-to-date.

  • Be informed about how Glasgow NeuroCare is meeting data protection regulations.

If you would like to request a copy of the data we hold about you, this is called a Subject Access Request (SAR). Subject Access Requests should be made in writing to the Data Controller at Glasgow NeuroCare (DrElizabethDundewey@outlook.com). We will aim to provide relevant data within 30 days of receipt of the Subject Access Request (SAR). We will always verify the identity of anyone making a Subject Access Request before disclosing any data.

 

Glasgow NeuroCare may use the services of other professionals who, in the service of their work, may access your data for the same legitimate interests. For example, we may work with and/or employ other professionals (including, but not limited to) Associate Psychologists and Allied Health Professionals, Assistant Psychologists and Administrative Staff who also adhere to the General Data Protection Regulations.

Sharing and Disclosing Data

We may share your personal data, including sensitive personal data with other individuals, agencies and third-parties for the purposes of providing safe and effective services to you. We will discuss and explain the rationale and purpose of sharing information with others with you and obtain your consent to this, where necessary. Please also see our Terms and Conditions for further details about the times when we may share your personal data, both with and without your consent.

In certain circumstances, Glasgow NeuroCare may be required to disclose personal data, including sensitive data without the data subject’s consent. These circumstances include:

  • Carrying out legal duty or as authorised by the Secretary of State.

  • Protecting the vital interests of a data subject or other person.

  • If the data subject has already made the information public.

  • Conducting any legal proceedings, obtaining legal advice or defending any legal rights.

  • Monitoring for equal opportunities purposes.

  • Providing a confidential service where the data subject’s consent cannot be obtained or where it would be reasonable to proceed without consent.

Under these circumstances, Glasgow NeuroCare will disclose personal data, including sensitive personal data deemed to be necessary for the particular purpose. We will, however, take reasonable steps to notify the data subject whose personal data is being disclosed about the disclosure, including the rationale for this and with whom the information is being shared. We will also ensure that any personal data sharing is legitimate, reasonable and necessary.

 

Use of AI‑Assisted Tools

To support administrative efficiency and clinical documentation, this service may use secure AI‑assisted tools (such as Microsoft Copilot or Heidi) to assist with tasks such as drafting, summarising, or formatting clinical notes and reports.

These tools are used only as support.
All clinical decisions, interpretations, and diagnostic conclusions are made by a qualified clinician.

AI tools are not used to make automated decisions, provide diagnoses, or replace professional judgement.

Where AI‑assisted tools are used:

  • Information is minimised where possible

  • Identifiable clinical data is not used unless appropriate safeguards are in place

  • Data is processed in line with UK GDPR and data protection requirements

Clients may request further information about the use of such tools at any time.

 

Your Rights

We are fully committed to protecting your rights to privacy. Under the Data Protection Act and General Data Protection Regulations (GDPR), you have certain rights in relation to the personal data collected, stored, processed and shared about you, including the rights to:

  • Request access to your personal data.

  • Request correction of your personal data.

  • Request erasure of your personal data.

  • Object to processing of your personal data.

  • Request restriction of processing of your personal data.

  • Request transfer of your personal data.

  • Right to withdraw consent.

If you wish to exercise any of these rights, please contact the Data Controller at Glasgow NeuroCare (drelizabethdundewey@outlook.com).  

 

Third Party Links

The Glasgow NeuroCare website may contain links to third-party websites and information. Clicking on those links may enable other third-party organisations to gather personal data about you. We do not control these third-party websites and are not responsible for their privacy policies and how they use your personal data once you have chosen to visit their website.

 

Complaints

If you are unhappy with any aspects of the way we collect, store, process and share the information about you, please contact the Data Controller at NeuroCare (drelizabethdundewey@outlook.com).  so we can answer any questions you have and try to resolve the issue. You also have the right to complain to the Information Commissioner’s Office (ICO) which is the United Kingston (UK) supervisory authority for data protection issues. Please see: www.ico.org.uk for further information, if required.

 

Management of Information in the Event of Incapacitation or Death of Psychologist

In the event of incapacitation or death of the psychologist working with you, another allocated professional may be asked to access and manage information related to our work with you with a view to informing you of such an event, supporting you in the transition to another psychologist or service and ensuring continued safe storage and management of records. This psychologist also adheres to the GDPR principles and will only be shared if and when there is a legitimate need for them to access the information.

 

Further Information

You can find further, detailed information about the handing and protection of personal data on the Information Commissioner’s Office (ICO) website at: www.ico.org.uk.

Email Communication

By providing your email address, you consent to Glasgow NeuroCare using email to contact you about your assessment, including sending appointment information and clinically relevant documents (for example, reports or questionnaires). We will usually send sensitive information in password‑protected documents or via other secure methods, and you can tell us at any time if you would prefer to limit email communication.

Accessibility

If you have any difficulties reading and/or understanding this privacy policy, please contact us and we will try to help you understand the information.

 

Online Appointments

Some of our work may be conducted via online video link using programmes such as Zoom and Microsoft Teams. We have taken reasonable steps to ensure the confidentiality of the sessions using this online platform, including the use of client-specific meeting links and a waiting room so all guests of the session are admitted by the host.

These sessions are not audio or video recorded (unless discussed and agreed with the client and clinician) and we would kindly ask our clients not to audio or video record the sessions without prior discussion, agreement and consent from the clinician they are working with.

Clients accessing our services must be able to access the sessions on an appropriate device and be able to set-up and protect the environment in which they access the online session(s) to maintain their confidentiality. For example, this means being able to meet for the specified time duration in a room/environment which is private, confidential and with no interruptions or distractions.

 

Accessibility

If you have difficulty reading or understanding this Privacy Policy, please let us know and we will do our best to support you to access the information in a way that works for you.

bottom of page