ICS Operations Limited (trading as Xyla – CYP) (we or us are a ‘controller’ for the purposes of the Data Protection Act 2018, General Data Protection Regulation 2016 and other legislation relating to privacy (Data Protection Laws). We are a part of the Acacium Group of companies.
We are responsible for, and control the processing of, your personal information as we operate our business as follows: We deliver digital assessments and interventions for children and young people aged between 5 and 25 who are experiencing mild to moderate mental health difficulties.
Working together with local health services, we’re able to provide experienced teams of clinicians to deliver high quality, safe and effective digital interventions. Upon receiving a referral for assessment and/or treatment from one of our partner organisations, it will be reviewed by our team within 48 hours.
Reducing wait times for mental health support in the UK has become vital. Our service will allow young people who need intervention to access it quicker. Key features include:
DESIGNED FOR YOUNG PEOPLE, BY YOUNG PEOPLE
We understand how vital customer engagement is and, from the outset, enlisted a group of young volunteers (aged 13 to 21) to help us design and develop an accessible service that truly meets their needs.
We heard how important privacy and confidentiality are to them, that the service must feel customisable, and that the language must not feel dismissive. They advised on the portal’s features, ensuring accessibility and acceptability. Their insights have been invaluable, and their involvement continues to guide us as we develop the service further.
For all our other services, we act as a ‘processor’, so for information about how your data is used, you should refer to your hospital’s or doctor’s privacy notice.
We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on:
For the processing of information relating to children, please click here.
Please contact us if you have any questions about this Privacy Notice, the information we hold about you, want to raise any concerns or to exercise any of your rights.
Tracy Cherrington: DPO@acaciumgroup.com
If you would like this notice in another format (for example: audio, large print, braille) please contact us
We may change this Privacy Notice from time to time. You should check this Privacy Notice occasionally to ensure you are aware of how we need to use your information.
We collect the following categories of information about our service users:
Basic details | Name, address, email address, NHS number, date of birth, gender, phone number, GP surgery, school, marital status, ethnicity, occupation, language, religion, carer, next of kin, other person / professional relationships |
Contact history | Details of contact we have had with you, referrals received, assessments, treatment appointments and any other form of contact (e.g. phone call to book). / |
Medical information | Notes and reports about your mental health and any relevant assessments by our practitioners Details of your mental health condition and treatment given Information about historical health conditions which relate to your mental health. Relevant information from people who care for you and know you well such as health care professionals and relatives |
It is essential that your details are accurate and up to date. You can always check that your personal details are correct when we visit you or when you speak to us. Please inform us of any changes to your contact details as soon as possible. This minimises the risk of you not receiving important correspondence or other communications from us.
Where may we get this information from:
How we use your personal information
In order to provide our services to you, we need to keep records about you and any advice you receive from us. These records help to ensure that you receive the best possible advice and care.
In general, your records are used to direct, manage and deliver the advice and care that you receive through our services. Under Data Protection Laws, there are specific grounds we have to use to process your data, which we have to tell you about. As we process health data, there are additional grounds that we have to satisfy in order to process this.
Service | What do we use data for? | Lawful grounds for processing |
Digital mental health service providing assessments and treatment for children and young people aged between 5 and 25 under iThrive ‘Getting Help’ and ‘Getting More Help’. | We use your data to enable us to assess your needs and plan your support to meet these needs safely and effectively, we keep a record of the support that we provide for you in your health record. | Consent Legitimate interest Provision of health treatment. |
We will only collect and process the minimum amount of personal data necessary to achieve the specified purpose.
We will notify you on the privacy notice for any changes to the purpose for which data is collected.
We do not use automated system to analyse personal data, assess behaviour, predict individual preferences, or make decisions that impact individuals without human intervention.
If we were ever subject to a legal claim or needed to exercise our legal rights, we would need to use your information to exercise and defend our legal rights.
Please be aware that you have the right to object to the processing of your data where we process based on our legitimate interests.
If you have given consent to our processing, you can withdraw your consent at any time, but you should be aware that we will not be able to provide our services without knowing your medical history.
We take our duty to protect personal information and confidentiality very seriously and we are committed to comply with all relevant legislation and to take all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
The Records Management Code of Practice for Health and Social Care 2020 is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to, NHS organisations in England and this includes CHS Healthcare.
The Code is based on current legal requirements more broadly than just Data Protection Laws for all medical records and professional best practice.
All patient records are destroyed in accordance with the NHS Records Retention Schedule (which forms part of the Records Management Code of Practice for Health and Social Care 2020), which sets out the appropriate length of time each type of NHS record is retained.
All records are destroyed confidentially once their retention period has expired unless there is a specific reason to retain them e.g. ongoing public inquiries, litigation.
We share information about you with companies who provide business-as-usual services to us to enable us to provide our services, such as hosting of our software and systems, providing IT support and service services. We are responsible for their processing and we have contractual controls in place to ensure that your data is protected. You can contact us at the details at the top of this Privacy Notice for more details on suppliers we use.
Everyone working for us, our group of companies and the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.
We may need to share some information about you with other organisations involved in your care or advice that we give to you about your care if they have a genuine need for it or we have your permission so we can all work together for your benefit. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:
We also use information we hold about you to:
Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital’s websites:
You have the following rights under the Data Protection Laws:
These rights are explained in more detail below. If you want to exercise any of your rights or if you have any comments, concerns or complaints about our use of your personal data, please contact us at the details set out at the top of this Privacy Notice. We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.
You may ask to see what personal data we hold about you and be provided with:
To help us find the information easily, please give us as much information as possible about the type of information you would like to see and provide evidence of your identity e.g. copy of passport or driving licence.
You can require us to correct any mistakes in your information which we hold free of charge. If you would like to do this, please let us have enough information to identify you and let us know the information that is incorrect and what it should be replaced with.
You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please contact dpo@acaciumgroup.com
You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing. If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed “How we use your personal information”. The key point to note is that much of the processing under this heading is beneficial to you, so we can find a care home suitable for your needs or assess your financial situation for funding to assist with your care.
You may request that we stop processing your personal data temporarily if:
You can ask us to erase your personal data where:
A key element of consent is that you can withdraw it. If you want to withdraw your consent, please contact us at the details at the top of this Privacy Notice,
The possible consequences of refusing consent will be fully explained to you at the time, and could include delays in receiving our advice or care.
It is important that you ensure you have read this Privacy Notice – and if you do not think that we have processed your data in accordance with this notice – you should let us know as soon as possible. Similarly, you may complain to the Information Commissioner’s Office. Information about how to do this is available on his website at www.ico.org.uk.
Your records contain confidential information, which can be used to help with research and planning. If you would like this to stop, you can opt out of this yourself or on behalf of someone else.
If you choose not to allow your confidential patient information to be used for research and planning, your data may still be used in some situations.
Your confidential patient information may still be used when there is a legal requirement to provide it, such as a court order.
Your confidential patient information may still be used when you have given your consent. Such as, for a medical research study.
Your confidential patient information may still be used in an emergency or in situations where there is an overriding benefit to others. For example, to help manage contagious diseases and stop them spreading, like meningitis. In these situations, the safety of others is most important.
Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first.
Your choice does not apply to a small number of specific exclusions. In these cases, your confidential patient information may still be used at any time. For example, when information is used to collect official national statistics, like the Population Census.
ISO27001 UKAS accredited/certified.
Cyber essentials and cyber essentials plus IASME accredited/certified.
Xyla is a trading name of ICS Operations Ltd (Registered No 4793945), Pulse Healthcare Limited (Registered No 3156103), Carehome Selection Limited (Registered No 3091598), Independent Clinical Services Limited (Registered No 4768329) and CHS Healthcare Software Limited (Registered No 11582111)