1 Who we are
Centre for Forensic Neuroscience Limited is a company registered in England and Wales (company number 04493298). Our registered office is Ground Floor Units 6&7 Eastway Business Village, Olivers Place, Preston, Lancashire, United Kingdom, PR2 9WT.
We are the data controller for personal information collected through our website, direct enquiries, business administration and our own client administration.
Depending on the nature of a particular instruction, we may act as an independent controller, joint controller or processor in relation to legal, workplace, regulatory, corporate, expert witness, forensic, investigative or consultancy matters.
Where a separate engagement letter, court order, contract, confidentiality agreement, expert instruction, data processing agreement or client-specific privacy notice applies, that document may provide additional or case-specific information about how personal data is handled in that context.
2 Scope of this Privacy Policy
This policy applies to:
- Website visitors
- People who contact us
- Clients and prospective clients
- Instructing parties
- Examinees, participants or assessment subjects
- Witnesses
- Employees, contractors or representatives of client organisations
- Professional contacts
- Suppliers
- Other individuals whose personal information is provided to us
Forensic and expert work may involve information supplied by solicitors, courts, employers, regulators, insurers, public bodies, corporate clients, private clients, medical or professional advisers, or the individual directly.
3 Personal information we may collect
Depending on the context, we may collect and process some or all of the following:
- Identity data (name, title, date of birth, identification documents)
- Contact data (address, email, telephone number)
- Professional and organisational data (employer, job title, professional role)
- Enquiry information (details of your question or request)
- Client and matter information (engagement details, reference numbers, instructions)
- Case and instruction information (background facts, allegations, issues in dispute)
- Records of communications (emails, letters, notes of calls or meetings)
- Billing and payment administration data
- Website technical data (IP address, browser type, device, operating system)
- Usage data (pages visited, referring URL, time on site)
- Marketing preferences
- Professional notes, opinions, reports and working records
- Documents, bundles, evidence, correspondence and materials supplied in connection with an instruction
- Information supplied for forensic, legal, psychological, behavioural, polygraph, workplace, regulatory, safeguarding or investigative purposes
4 Special category data
Some matters may involve special category data, including:
- Physical or mental health information
- Psychological, neuropsychological or behavioural information
- Medical history
- Disability information
- Sex life or sexual orientation where relevant to the instruction
- Racial or ethnic origin where relevant to the instruction
- Religious or philosophical beliefs where relevant to the instruction
- Biometric or genetic data where relevant to the instruction
Special category data is processed only where there is a lawful basis under Article 6 UK GDPR and an additional condition under Article 9 UK GDPR. Further detail is set out in section 8 below.
5 Criminal offence and investigation-related data
Forensic, legal, workplace and investigative matters may involve:
- Allegations or suspected offences
- Criminal offence data, convictions and cautions
- Criminal or regulatory investigations
- Court proceedings and regulatory proceedings
- Safeguarding concerns
- Workplace misconduct
- Security or risk information
Such data is processed only where permitted by UK GDPR, the Data Protection Act 2018, legal obligations, legal proceedings, legal claims, substantial public interest, safeguarding, regulatory requirements, contractual necessity or another applicable condition and safeguard.
6 How we collect personal information
We may collect personal information:
- Directly from the individual
- Through website forms
- By email, telephone, post, video call or meeting
- From instructing solicitors or legal representatives
- From courts and tribunals
- From employers
- From regulators
- From insurers
- From public bodies
- From corporate or private clients
- From professional advisers
- From documents, bundles, reports, interviews, assessments, examinations or case materials
- From website cookies, analytics, server logs and security tools where used
7 Why we use personal information and lawful bases
The following table summarises the main purposes for which we process personal information and the lawful bases we typically rely on. The exact lawful basis may vary depending on the specific matter or instruction.
| Purpose | Examples | Lawful basis |
|---|---|---|
| Responding to enquiries | Answering website, email or telephone enquiries | Legitimate interests; pre-contractual steps |
| Conflict checks | Checking for conflicts of interest before accepting an instruction | Legitimate interests; legal obligation |
| Client onboarding | Identity verification, engagement letters, terms of business | Contract; legal obligation; legitimate interests |
| Assessing instructions | Determining whether we are able to accept an instruction | Legitimate interests; pre-contractual steps |
| Providing professional services | Forensic, psychological, behavioural, polygraph, consultancy, expert witness or advisory services | Contract; legitimate interests; legal obligation; legal claims; consent where applicable |
| Preparing reports and records | Expert reports, opinions, case notes, correspondence | Contract; legitimate interests; legal claims |
| Managing client relationships | Contract administration, communications, file management | Contract; legitimate interests |
| Legal and regulatory compliance | Court orders, regulatory requirements, professional obligations | Legal obligation; public task where applicable |
| Safeguarding and risk management | Safeguarding referrals, fraud prevention, security | Legal obligation; legitimate interests; vital interests in urgent cases |
| Billing and tax administration | Invoicing, accounting, tax records | Contract; legal obligation |
| Legal claims | Defending, bringing or supporting legal claims | Legitimate interests; legal claims |
| Insurance and audit | Professional indemnity, audit, compliance | Legitimate interests; legal obligation |
| Website operation | Security, troubleshooting, maintenance | Legitimate interests |
| Analytics and improvement | Understanding website usage, improving services | Legitimate interests; consent for non-essential cookies |
| Business-to-business marketing | Professional updates to business contacts | Legitimate interests; consent where required |
8 Additional conditions for special category data
Where we process special category data, we rely on one or more of the following Article 9 UK GDPR conditions, depending on the instruction and the nature of the data:
- Explicit consent where appropriate and freely given
- Establishment, exercise or defence of legal claims, or where courts are acting in their judicial capacity
- Substantial public interest, with appropriate safeguards as set out in Schedule 1 of the Data Protection Act 2018
- Health or social care purposes where applicable
- Employment, social security and social protection law where applicable
- Safeguarding of children or individuals at risk where applicable
- Vital interests where necessary and the individual is unable to give consent
The applicable condition depends on the specific instruction and the nature of the data involved.
9 Additional conditions for criminal offence data
Criminal offence data is processed only where authorised by law or where a relevant condition under Schedule 1 of the Data Protection Act 2018 applies. Examples include:
- Establishment, exercise or defence of legal claims
- Judicial acts and court proceedings
- Legal proceedings, legal advice or alternative dispute resolution
- Safeguarding of children or individuals at risk
- Regulatory requirements and compliance
- Preventing or detecting unlawful acts
- Protecting the public against dishonesty, malpractice or other seriously improper conduct
- Insurance purposes where applicable
- Substantial public interest where applicable
10 Sharing personal information
We may share personal information with:
- Instructing clients
- Solicitors, barristers and legal representatives
- Courts, tribunals, arbitrators or inquiry bodies
- Experts, consultants and professional advisers
- Insurers and professional indemnity insurers
- Regulators, law enforcement or public authorities where required or appropriate
- IT, hosting, email, cloud storage, secure file transfer and case management providers
- Payment, accounting and administrative providers
- Auditors and compliance advisers
- Safeguarding bodies or emergency services where necessary
We do not sell personal information. We share personal information only where it is necessary for the relevant purpose and in accordance with applicable law.
11 Confidentiality and forensic sensitivity
Forensic, psychological, behavioural, polygraph and investigative work may involve highly sensitive information. We are committed to handling such information with the care and discretion it requires.
- Access to case materials is restricted to authorised personnel and advisers with a need to know.
- Case materials, reports and professional records are handled with appropriate confidentiality and security controls.
- Certain records may need to be retained for legal, evidential, regulatory, insurance, safeguarding, court, contractual or professional reasons, even after a matter has concluded.
- We may be unable to erase or amend certain professional records where doing so would undermine evidential integrity, legal obligations, professional duties, legal claims or court requirements.
12 International transfers
Personal data is intended primarily to be processed in the United Kingdom. If personal data is transferred outside the UK, we will ensure that appropriate safeguards are in place, such as:
- UK adequacy regulations
- UK International Data Transfer Agreement
- UK Addendum to EU Standard Contractual Clauses
- Another lawful transfer mechanism recognised under UK data protection law
[INSERT INTERNATIONAL TRANSFER DETAILS IF APPLICABLE]
13 Data security
We take appropriate technical and organisational measures to protect personal information. These include:
- Access controls and role-based permissions
- Confidentiality obligations for staff and contractors
- Secure physical and electronic storage
- Encryption where appropriate
- Secure transmission methods where appropriate
- Supplier due diligence
- Data minimisation
- Retention controls and periodic review
- Backup and recovery measures
- Incident detection and response procedures
No system can be guaranteed absolutely secure. If you have concerns about the security of your information, please contact us using the details in section 18.
14 Retention
We retain personal information only for as long as necessary for the relevant purpose. Typical retention periods are set out below, although actual retention may vary depending on legal, regulatory, evidential or professional requirements.
| Record type | Typical retention period | Notes |
|---|---|---|
| Website enquiry records | Up to 2 years | Unless converted to a client matter or needed longer |
| Client and matter files | 6–7 years after matter closure | Unless longer retention required by legal, regulatory, evidential or professional obligations |
| Expert witness, forensic, safeguarding, regulatory or evidential records | May be retained longer | Where required by legal, court, evidential, regulatory, insurance, safeguarding, contractual or professional reasons |
| Financial and tax records | 6 years plus current accounting year | As required by HMRC and applicable tax legislation |
| Website technical and security logs | Up to 12 months | Unless needed for security investigation or incident response |
| Marketing preferences | Until opt-out, suppression or periodic review | Suppression records may be retained to ensure preferences are respected |
[INSERT RETENTION SCHEDULE IF DIFFERENT]
15 Cookies and analytics
Our website may use cookies and similar technologies:
- Essential cookies are necessary for the website to function and cannot usually be switched off.
- Analytics cookies help us understand how visitors use the website. These are only placed with your consent where required by law.
- Embedded third-party services may set their own cookies. We will identify these where applicable.
Non-essential cookies require your consent before they are placed. You can control cookies through your browser settings and through any cookie consent tool provided on the website.
| Cookie / Provider | Purpose | Type | Duration |
|---|---|---|---|
| [INSERT COOKIE TOOL / ANALYTICS DETAILS IF APPLICABLE] | |||
[INSERT WEBSITE FORM PROVIDER IF APPLICABLE]
[INSERT HOSTING PROVIDER IF APPLICABLE]
[INSERT EMAIL PROVIDER IF APPLICABLE]
16 Direct marketing
- We may send professional updates or information in response to business enquiries where it is lawful to do so.
- You can opt out of marketing communications at any time by contacting us or using any unsubscribe mechanism provided.
- We will not sell your personal data for marketing purposes.
- Your marketing preferences will be respected promptly.
17 Individual rights
Under UK data protection law, you may have the following rights in relation to your personal information:
- Access — request a copy of the personal information we hold about you
- Rectification — ask us to correct inaccurate or incomplete information
- Erasure — ask us to delete your personal information in certain circumstances
- Restriction — ask us to restrict how we use your information in certain circumstances
- Objection — object to our processing of your information in certain circumstances
- Portability — receive your personal information in a structured, commonly used format in certain circumstances
- Withdrawal of consent — withdraw consent at any time where consent is the basis for processing (this does not affect the lawfulness of processing before withdrawal)
- Complaint — lodge a complaint with the Information Commissioner's Office (see section 19)
These rights may be limited in some forensic, legal, expert, safeguarding or regulatory contexts, including where legal privilege, court rules, legal claims, evidential integrity, third-party confidentiality, safeguarding duties, regulatory obligations or professional obligations apply. We will explain any limitations if they arise.
18 How to make a data protection request
To exercise any of your rights or to raise a data protection query, please contact:
Data protection contact
Centre for Forensic Neuroscience Limited
Ground Floor Units 6&7 Eastway Business Village
Olivers Place, Preston, Lancashire
United Kingdom, PR2 9WT
Email: [INSERT PRIVACY CONTACT EMAIL]
Telephone: [INSERT PRIVACY CONTACT TELEPHONE]
ICO registration number: [INSERT ICO REGISTRATION NUMBER IF APPLICABLE]
We may need to verify your identity before responding to a request. We aim to respond to valid requests within one month, although this may be extended by up to two further months for complex or numerous requests, in accordance with UK GDPR.
19 Complaints
If you have a concern about how we have handled your personal information, we encourage you to contact us first so that we can try to resolve the matter.
You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113
20 Children and vulnerable individuals
Our website is not directed at children. However, professional instructions may involve children or vulnerable individuals. In those cases, we handle personal information with heightened care and apply appropriate legal, safeguarding and professional safeguards.
21 Automated decision-making
We do not make solely automated decisions through our website that produce legal or similarly significant effects on individuals. Where specialist assessment technology or tools are used in the course of professional services, human professional judgement remains central to the process. Case-specific information about any such tools will be provided where required.
22 Changes to this Privacy Policy
This policy may be updated from time to time. The latest version will always be available on our website. Where changes are significant, we will take reasonable steps to draw them to your attention.
Effective date: 28 April 2026
Last reviewed: 28 April 2026