
Data Protection Impact Assessment

Date Completed: (14/07/2025)
Completed By: Neuroshine
ICO Registration Number: [Insert, if registered]

1. Purpose of Processing

Neuroshine processes personal and special category data (health-related information) to provide ADHD assessments, diagnosis, titration, treatments, therapy and educational services online.

2. Description of the Processing

  • Data collected: Name, contact info, session notes, ADHD-related health information, payment and technical usage data

  • Sources: User input, forms, scheduling tools

  • Storage: Secure cloud-based storage (UK or GDPR-compliant providers)

  • Retention: 7 years for health data, 1–3 years for general user data

  • Sharing: Limited to third-party service providers (e.g., scheduling, hosting) under strict agreements

3. Lawful Basis for Processing

  • Article 6(1)(a) – Consent

  • Article 6(1)(b) – Performance of a contract

  • Article 9(2)(a) – Explicit consent for special category data

  • Article 9(2)(h) – Provision of health/social care (if applicable)

4. Risk to Individuals

  • Unauthorised access to sensitive information

  • Data breach or loss

  • Inadequate consent mechanisms for children

5. Mitigation Measures

  • Encryption of data in transit and at rest

  • Two-factor authentication for staff

  • Staff confidentiality training

  • Use of GDPR-compliant processors (e.g., Calendly, Stripe, Google Workspace)

  • Consent management for minors in line with Children’s Code

6. Consultation

  • Internal consultation with data protection lead

  • ICO guidance reviewed (Children’s Code, DPIA templates)

  • Third-party legal review recommended

7. Outcome

Processing is necessary, risks are identified and mitigated, and Neuroshine can proceed with implementation under UK GDPR.

We provide services "as is" and make no guarantees of specific outcomes. We are not liable for indirect or consequential damages, except where required by law.
