CYP Privacy Notice

ICS Operations Limited (trading as Xyla – CYP) (we or us  are a ‘controller’ for the purposes of the Data Protection Act 2018, General Data Protection Regulation 2016 and other legislation relating to privacy (Data Protection Laws). We are a part of the Acacium Group of companies.

We are responsible for, and control the processing of, your personal information as we operate our business as follows: We deliver digital assessments and interventions for children and young people aged between 5 and 25 who are experiencing mild to moderate mental health difficulties.  

Working together with local health services, we’re able to provide experienced teams of clinicians to deliver high quality, safe and effective digital interventions. Upon receiving a referral for assessment and/or treatment from one of our partner organisations, it will be reviewed by our team within 48 hours.  

Reducing wait times for mental health support in the UK has become vital. Our service will allow young people who need intervention to access it quicker. Key features include:  

  • Accessibility via a smartphone, tablet or computer
  • Choice of appointments, mainly after school and weekends
  • Clinicians who speak many different languages
  • A portal enabling the user to book appointments and track progress  


We understand how vital customer engagement is and, from the outset, enlisted a group of young volunteers (aged 13 to 21) to help us design and develop an accessible service that truly meets their needs.  

We heard how important privacy and confidentiality are to them, that the service must feel customisable, and that the language must not feel dismissive. They advised on the portal’s features, ensuring accessibility and acceptability. Their insights have been invaluable, and their involvement continues to guide us as we develop the service further.

For all our other services, we act as a ‘processor’, so for information about how your data is used, you should refer to your hospital’s or doctor’s privacy notice.

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on:

  • the personal information we collect about you 
  • what we do with your personal information
  • security and retention of personal information
  • who your information might be shared with and 
  • your rights.

For the processing of information relating to children, please click here.

Contact details 

Please contact us if you have any questions about this Privacy Notice, the information we hold about you, want to raise any concerns or to exercise any of your rights.

Tracy Cherrington:

If you would like this notice in another format (for example: audio, large print, braille) please contact us

Changes to the privacy notice 

We may change this Privacy Notice from time to time.  You should check this Privacy Notice occasionally to ensure you are aware of how we need to use your information.

What information do we collect?

We collect the following categories of information about our service users:

Basic detailsName, address, email address, NHS number, date of birth, gender, phone number, GP surgery, school, marital status, ethnicity, occupation, language, religion, carer, next of kin, other person / professional relationships
Contact historyDetails of contact we have had with you, referrals received, assessments, treatment appointments and any other form of contact (e.g. phone call to book). /
Medical informationNotes and reports about your mental health and any relevant assessments by our practitioners   Details of your mental health condition and treatment given   Information about historical health conditions which relate to your mental health.   Relevant information from people who care for you and know you well such as health care professionals and relatives

It is essential that your details are accurate and up to date. You can always check that your personal details are correct when we visit you or when you speak to us.   Please inform us of any changes to your contact details as soon as possible. This minimises the risk of you not receiving important correspondence or other communications from us.

Where may we get this information from:

  • you
  • your family members (such as family guardians or carers)
  • your primary care giver and other third parties when you give us permission to do so such as
  • NHS Trusts and hospitals that are involved in your care
  • NHS Digital and other NHS bodies.
  • General Practitioners (GPs).
  • Ambulance Services.
  • Private Sector Providers
  • Voluntary Sector Providers
  • Social Care Services
  • Education Services.
  • Local Authorities.

How we use your personal information

In order to provide our services to you, we need to keep records about you and any advice you receive from us. These records help to ensure that you receive the best possible advice and care. 

In general, your records are used to direct, manage and deliver the advice and care that you receive through our services. Under Data Protection Laws, there are specific grounds we have to use to process your data, which we have to tell you about. As we process health data, there are additional grounds that we have to satisfy in order to process this.

ServiceWhat do we use data for?Lawful grounds for processing
Digital mental health service providing assessments and treatment for children and young people aged between 5 and 25 under iThrive ‘Getting Help’ and ‘Getting More Help’.We use your data to enable us to assess your needs and plan your support to meet these needs safely and effectively, we keep a record of the support that we provide for you in your health record.Consent Legitimate interest Provision of health treatment.

We will only collect and process the minimum amount of personal data necessary to achieve the specified purpose.

We will notify you on the privacy notice for any changes to the purpose for which data is collected.

We do not use automated system to analyse personal data, assess behaviour, predict individual preferences, or make decisions that impact individuals without human intervention.

If we were ever subject to a legal claim or needed to exercise our legal rights, we would need to use your information to exercise and defend our legal rights.

Please be aware that you have the right to object to the processing of your data where we process based on our legitimate interests.

If you have given consent to our processing, you can withdraw your consent at any time, but you should be aware that we will not be able to provide our services without knowing your medical history. 

Security and retention of information

We take our duty to protect personal information and confidentiality very seriously and we are committed to comply with all relevant legislation and to take all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

The records management code of practice

The Records Management Code of Practice for Health and Social Care 2020 is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to, NHS organisations in England and this includes CHS Healthcare.

The Code is based on current legal requirements more broadly than just Data Protection Laws for all medical records and professional best practice.

How long health records are retained 

All patient records are destroyed in accordance with the NHS Records Retention Schedule (which forms part of the Records Management Code of Practice for Health and Social Care 2020), which sets out the appropriate length of time each type of NHS record is retained.

All records are destroyed confidentially once their retention period has expired unless there is a specific reason to retain them e.g. ongoing public inquiries, litigation.

When do we share information about you?

We share information about you with companies who provide business-as-usual services to us to enable us to provide our services, such as hosting of our software and systems, providing IT support and service services. We are responsible for their processing and we have contractual controls in place to ensure that your data is protected. You can contact us at the details at the top of this Privacy Notice for more details on suppliers we use.

Everyone working for us, our group of companies and the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.

Direct care purposes

We may need to share some information about you with other organisations involved in your care or advice that we give to you about your care if they have a genuine need for it or we have your permission so we can all work together for your benefit. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

  • NHS Trusts and hospitals that are involved in your care
  • NHS Digital and other NHS bodies.
  • General Practitioners (GPs).
  • Ambulance Services.
  • Private Sector Providers
  • Voluntary Sector Providers
  • Social Care Services
  • Education Services.
  • Local Authorities.

Indirect care purposes

We also use information we hold about you to:

  • Review the care and advice that we provide to ensure it is of the highest standard and quality
  • Ensure our services can meet your needs in the future
  • Investigate your queries, complaints and legal claims
  • In rare circumstances where we believe you, or another, is at risk of harm, if we are instructed to do so by a court, in connection with a crime, or where required to do so for public health reasons e.g. infectious diseases

Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital’s websites:

Your rights

You have the following rights under the Data Protection Laws: 

  • the right of access to your personal data; 
  • the right to correct any mistakes in your information;
  • the right to ask us to stop contacting you with direct marketing;
  • the right to object to processing where it is based on our legitimate interests;
  • the right to restrict or prevent your personal data being processed;
  • the right to erasure; and
  • The right to withdraw consent

These rights are explained in more detail below. If you want to exercise any of your rights or if you have any comments, concerns or complaints about our use of your personal data, please contact us at the details set out at the top of this Privacy Notice.  We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.

Right to access your personal data 

You may ask to see what personal data we hold about you and be provided with:

  • a copy;
  • details of the purpose for which it is being or is to be processed; 
  • details of the recipients or classes of recipients to whom it is or may be disclosed, including if they are overseas and what protections are used for those overseas transfers; 
  • the period for which it is held (or the criteria we use to determine how long it is held); 
  • any information available about the source of that data; and
  • whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling.

To help us find the information easily, please give us as much information as possible about the type of information you would like to see and provide evidence of your identity e.g. copy of passport or driving licence. 

Right to correct any mistakes in your information

You can require us to correct any mistakes in your information which we hold free of charge.  If you would like to do this, please let us have enough information to identify you and let us know the information that is incorrect and what it should be replaced with.

Right to ask us to stop contacting you with direct marketing

You can ask us to stop contacting you for direct marketing purposes.  If you would like to do this, please contact

Right to object to processing where it is based on our legitimate interests

You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing. If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed “How we use your personal information”. The key point to note is that much of the processing under this heading is beneficial to you, so we can find a care home suitable for your needs or assess your financial situation for funding to assist with your care. 

Right to prevent processing of personal data

You may request that we stop processing your personal data temporarily if: 

  • You do not think that your data is accurate.  We will start processing again once we have checked whether or not it is accurate;
  • the processing is unlawful but you do not want us to erase your data;
  • we no longer needs the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
  • you have objected to processing because you believe that your interests should override our legitimate interests.

Right to erasure

You can ask us to erase your personal data where:

  • you do not believe that we need your data in order to process it for the purposes set out in this privacy notice;
  • if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data; 
  • you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
  • your data has been processed unlawfully or have not been erased when it should have been.

Right to withdraw consent

A key element of consent is that you can withdraw it. If you want to withdraw your consent, please contact us at the details at the top of this Privacy Notice, 

The possible consequences of refusing consent will be fully explained to you at the time, and could include delays in receiving our advice or care.

Complaints to the regulator

It is important that you ensure you have read this Privacy Notice – and if you do not think that we have processed your data in accordance with this notice – you should let us know as soon as possible.  Similarly, you may complain to the Information Commissioner’s Office.  Information about how to do this is available on his website at

National data opt out

Your records contain confidential information, which can be used to help with research and planning. If you would like this to stop, you can opt out of this yourself or on behalf of someone else.

If you choose not to allow your confidential patient information to be used for research and planning, your data may still be used in some situations.

  • When required by law

Your confidential patient information may still be used when there is a legal requirement to provide it, such as a court order.

  • When you have given consent

Your confidential patient information may still be used when you have given your consent. Such as, for a medical research study.

  • Where there is an overriding public interest

Your confidential patient information may still be used in an emergency or in situations where there is an overriding benefit to others. For example, to help manage contagious diseases and stop them spreading, like meningitis. In these situations, the safety of others is most important.

  • When information that can identify you is removed

Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first.

  • Where there is a specific exclusion

Your choice does not apply to a small number of specific exclusions. In these cases, your confidential patient information may still be used at any time. For example, when information is used to collect official national statistics, like the Population Census.

ISO27001  UKAS accredited/certified.

Cyber essentials and cyber essentials plus IASME accredited/certified. 

Xyla is a trading name of ICS Operations Ltd (Registered No 4793945), Pulse Healthcare Limited (Registered No 3156103), Carehome Selection Limited (Registered No 3091598), Independent Clinical Services Limited (Registered No 4768329) and CHS Healthcare Software Limited (Registered No 11582111)