Neurodevelopment services privacy policy

About us

For our services, the legal entity, and the name we trade under, will be one of the following:

  • Carehome Selection Limited. 
  • Independent Clinical Services Limited trading as Thornbury Community Services. 
  • Carehome Selection Limited trading as Xyla. 
  • ICS Operations Limited trading as Xyla. 

Xyla and Thornbury Community Services are part of the Acacium Group of companies.

We or us are a ‘controller’ for the purposes of the Data Protection Act 2018, General Data Protection Regulation 2016 and other legislation relating to privacy (Data Protection Laws). 

When we are the data controller for your data, we are responsible for, and control the processing of your personal information as we operate our business as follows: 

  1. Attention Deficit Hyperactivity Disorder (ADHD) Assessments and treatment: we use your personal information to arrange and carry out the assessment and treatment if required and provide information on this to other services who need to be involved in the gathering of information or the provision of further services to you in order for this to be completed.
  2. Autism Spectrum Disorders (ASD) Assessments: we use your personal information to arrange and carry out the assessment and provide information on this to other services who need to be involved in the gathering of information or the provision of further services to you in order for this to be completed.
  3. Marketing: We may request your feedback about our services and ask permission to use this for marketing purposes.
  4. Enquiries: general enquiries made by potential patients when you contact us.

For services where we act as a ‘processor’, you should refer to your Data Controller for information about how your data is used. We can help you identify who this is if required. 

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on: 

  • The personal information we collect about you   
  • What we do with your personal information  
  • Security and retention of personal information  
  • Who your information might be shared with    
  • Your rights 

Contact details

If you have any questions about this Privacy Notice or the information we hold about you, want to raise any concerns, or want to exercise any of your rights, please email: DPO@acaciumgroup.com

A couple of points to note: 

  • If you are under 13 your parent or carer would need to do this.  
  • If you are between the ages of 13-18, we think it would be best if you discussed this with your parent or carer first, and that you copied them into any emails you send. 

If you would like this notice in another format, please submit any requests to DPO@acaciumgroup.com and we will do our best to provide it. Although this cannot be guaranteed, we do try to meet all accessibility requirements.

Changes to the Privacy Notice 

We may change this Privacy Notice from time to time.  You should check this Privacy Notice occasionally to ensure you are aware of how we need to use your information. 

This Privacy Notice was last updated on 16/01/2025.

What information do we collect?  

We collect the following categories of information about our patients:  

  • Basic details: Name, address, email address, NHS number, date of birth, next of kin, etc.
  • Contact history: Details of contact we have had with you, for example enquiries on our website, questions you contacted us to answer or recommendations we made to you.
  • Medical information: Notes and reports about your health and any relevant assessments by a health professional. Details of diagnosis and treatment given. Information about any allergies or health conditions. Relevant information from people who care for you and know you well such as health care professionals and relatives.

It is essential that your details are accurate and up to date. You can always check that your personal details are correct when we visit you or when you speak to us.  Please inform us of any changes to your contact details as soon as possible. This minimises the risk of you not receiving important correspondence or other communications from us.  

We will only collect and process the minimum amount of personal data necessary to achieve the specified purpose. 

We will notify you through this Privacy Notice of any changes to the purpose for which data is collected.

Where we may get this information from:

We get information mainly from you, but if you are under 13 then your parent or carer has to give it to us on your behalf. 

Below is a list of potential sources of data:

  • You  
  • Your family members (such as family guardians or carers)  
  • Your primary care giver and other third parties, when you give us permission to do so, such as:
      • NHS trusts and hospitals that are involved in your care
      • NHS digital and other NHS bodies
      • General Practitioners (GPs)
      • Ambulance services
      • Private sector providers
      • Voluntary sector providers
      • Social care services
      • Education services
      • Local authorities
      • Medication prescribing partner

How we use your personal information

To provide our services to you, we need to keep records about you and any advice you receive from us. These records help to ensure that you receive the best possible advice and care.  

  In general, your records are used to direct, manage and deliver the advice and care that you receive through our services. Under Data Protection Laws, there are specific grounds we must use to process your data, which we have to tell you about. As we process health data, there are additional grounds that we must satisfy in order to process this. 

Service: ADHD and ASD Assessment
What do we use data for?
  • To enable the contact to make appointments for assessment and to carry out the assessment.
  • To provide feedback to the service which has referred you for an assessment.
  • To maintain accurate records for your ongoing care.
Lawful grounds for processing: Legitimate Interest

Service: Surveys
What do we use data for?
  • To provide feedback to the commissioners of our services.
  • To provide information that will allow us to improve the services that we offer.
Lawful grounds for processing: Legitimate Interest

Service: Treatment
What do we use data for?
For certain contracts you may be eligible to receive treatment. Treatment is in the form of:
  • Psychoeducation interventions (PDI Sessions), run by Xyla directly.
  • Medication prescribing, run by a partnering company, Boots.
In the event you opt for medication:
  • Your medication will be shared with Boots.
  • Boots will make contact with you to progress your treatment.
  • Boots will share updates back to Xyla and your GP.

You have the following data protection rights: 

  1. Your right to request access to your personal data – this enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  2. Your right to request correction of the personal data that we hold about you – this enables you to have any incomplete or inaccurate personal data we hold about you corrected, though we may need to verify the accuracy of the new personal data you provide to us.
  3. Your right to request erasure of your personal data – this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing under Section (d), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  4. Your right to object to processing of your personal data – this enables you to object to the processing of your personal data where we are relying on the performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller or Legitimate Interests and there is something about your situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  5. Your right to request restriction of processing of your personal data – this enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the personal data is unlawful but you do not want us to erase it; (c) where you need us to hold the personal data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
  6. Your right to withdraw consent – this right arises at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  7. Your right to data portability – You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.

We do not use automated systems to analyse personal data, assess behaviour, predict individual preferences, or make decisions that impact individuals without human intervention.

If we were ever subject to a legal claim or needed to exercise our legal rights, we would need to use your information to exercise and defend our legal rights. 

If you would like to exercise any of these rights, please contact us: dpo@acaciumgroup.com. In most cases, we will deal with a request as soon as possible and at the latest within one calendar month of the request. If we need to extend the time period for responding to your request, we will let you know within the one-month period. We do not charge a fee for any such requests unless there are exceptional circumstances. 

Security and retention of information: 

We take our duty to protect personal information and confidentiality very seriously and we are committed to complying with all relevant legislation and to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

  The Records Management Code of Practice  

The Records Management Code of Practice for Health and Social Care is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to, NHS organisations in England and this includes CHS Healthcare.  

The Code is based on current legal requirements for all medical records, more broadly than just Data Protection Laws, and on professional best practice.

  https://www.gov.uk/government/publications/records-management-code-of-practice-for-health-and-social-care  

How long health records are retained 

  All patient records are destroyed in accordance with the NHS Records Retention Schedule (which forms part of the Records Management Code of Practice for Health and Social Care 2020), which sets out the appropriate length of time each type of NHS record is retained.  

All records are destroyed confidentially once their retention period has expired unless there is a specific reason to retain them e.g. ongoing public inquiries, litigation. 

When do we share information about you? 

We share information about you with companies who provide business-as-usual services to us to enable us to provide our services, such as hosting of our software and systems and providing IT support and services. We are responsible for their processing and we have contractual controls in place to ensure that your data is protected. You can contact us using the details at the top of this Privacy Notice for more details on suppliers we use.

Everyone working for us, our group of companies and the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.  

Direct care purposes 

We may need to share some information about you with other organisations involved in your care or advice that we give to you about your care if they have a genuine need for it or we have your permission so we can all work together for your benefit. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:  

We also use information we hold about you to: 

  • Review the care and advice that we provide to ensure it is of the highest standard and quality  
  • Ensure our services can meet your needs in the future  
  • Investigate your queries, complaints and legal claims  
  • In rare circumstances where we believe you, or another, is at risk of harm, if we are instructed to do so by a court, in connection with a crime, or where required to do so for public health reasons e.g. infectious diseases

Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital’s websites: 

Complaints to the regulator

It is important that you read this Privacy Notice. If you do not think that we have processed your data in accordance with this notice, you should let us know as soon as possible. You may also complain to the Information Commissioner’s Office. Information about how to do this is available on its website at www.ico.org.uk.

National data opt out  

Your records contain confidential information, which can be used to help with research and planning. If you would like this to stop, you can opt out of this yourself or on behalf of someone else.  

If you choose not to allow your confidential patient information to be used for research and planning, your data may still be used in some situations. 

  • When required by law  

Your confidential patient information may still be used when there is a legal requirement to provide it, such as a court order. 

  • When you have given consent  

Your confidential patient information may still be used when you have given your consent, such as for a medical research study.

  • Where there is overriding public interest  

Your confidential patient information may still be used in an emergency or in situations where there is an overriding benefit to others. For example, to help manage contagious diseases and stop them spreading, like meningitis. In these situations, the safety of others is most important.  

  • When information that can identify you is removed  

Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first. 

  • Where there is a specific exclusion  

Your choice does not apply to a small number of specific exclusions. In these cases, your confidential patient information may still be used at any time. For example, when information is used to collect official national statistics, like the Population Census.

ISO27001 UKAS accredited/certified.

Cyber Essentials and Cyber Essentials Plus IASME accredited/certified.

Xyla is a trading name of ICS Operations Ltd (Registered No 4793945), Pulse Healthcare Limited (Registered No 3156103), Carehome Selection Limited (Registered No 3091598), Independent Clinical Services Limited (Registered No 4768329) and CHS Healthcare Software Limited (Registered No 11582111)