Neurodevelopment services privacy policy
1. Introduction
We are committed to protecting the privacy and security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws.
This Privacy Notice explains how the following entities:
- ICS Operations Limited (trading as Xyla),
- Pulse Healthcare Limited (trading as Xyla and Pulse Nursing at Home),
- Ellea,
- Carehome Selection Limited (trading as Xyla),
- Independent Clinical Services Limited (trading as Thornbury Community Services), and
- CHS Healthcare Software Limited (trading as Xyla)
collect, use, store, and share personal data when we act as:
- A Data Controller – when we determine the purpose and means of processing personal data, such as when we provide direct services to individuals.
- A Joint Data Controller – when we, in conjunction with another party, determine the purpose and means of processing personal data.
- A Data Processor – when we process personal data on behalf of and under the instructions of another organisation (such as the NHS, local authorities, or care commissioning groups).
2. What Personal Data We Collect and Process
Depending on our role as a data controller or processor, we may process the following types of personal data:
a) When Acting as a Data Controller/Joint Data Controller
We process personal data to provide health and social care services; manage patient records; recruit healthcare professionals; and meet legal obligations. This may include:
- Personal Identifiers: Name, date of birth, gender, address, contact details, photos, account user information, NHS number.
- Health and Medical Information: Diagnosis, treatment history, prescriptions, weight, height, blood pressure, resting heart rate, care plans, test results etc.
- Social Care Data: Support plans, safeguarding information, social worker reports.
- Next of Kin & Emergency Contact Details.
- Financial Information: Billing details, funding arrangements.
b) When Acting as a Data Processor
We process personal data on behalf of third-party organisations (such as NHS Trusts, local authorities, or care providers) under a formal data processing agreement. In these cases, we process data, including diversity and inclusion data, strictly according to their instructions and do not determine the purpose of processing.
- Purpose of Processing: We do not determine why or how the data is collected or used; we only carry out processing activities as directed by the data controller.
- Scope of Processing: The type of personal data we process, the categories of individuals it relates to, and the specific ways in which it is used are all defined by the data controller.
- Limited Use: We do not use the personal data for any purpose other than fulfilling the controller’s instructions, and we do not share it with third parties except under the instructions of the data controller.
- Retention and Deletion: We only retain personal data for as long as required by the data controller’s instructions and delete or return it upon their request or at the end of our agreement. However, in certain circumstances, we may hold personal data in fulfilment of our legal obligation.
For information on who your data controller is, please contact dpo@acaciumgroup.com.
3. Lawful Basis for Processing
We process personal data under one or more of the following lawful bases, depending on our role:
a) When Acting as a Data Controller/Joint Data Controller
- Article 6(1)(c) (Legal Obligation): When required to comply with legal or regulatory obligations.
- Article 6(1)(b) (Contractual Obligation): When providing care or recruitment services under a contract or in order to take steps prior to entering into a contract with you.
- Article 6(1)(f) (Legitimate Interest): When processing is necessary for the purposes of the legitimate interests pursued by us.
- Article 6(1)(a) (Consent): when you have given consent for one or more specific purposes.
- Article 9(2)(h) (Provision of Health and Social Care): When processing special category data for the management of healthcare and social care services.
b) When Acting as a Data Processor
We process data based on the lawful basis provided by the data controller and under their instructions. We do not determine the purpose or legal basis for processing in this capacity; this information can be found in the data controller’s privacy notice. If you need help to locate this, please contact dpo@acaciumgroup.com.
4. How We Use Personal Data
We use personal data for purposes including, but not limited to:
- Delivering healthcare and social care services.
- Managing patient and service user records.
- Coordinating care with other health and social care providers.
- Processing referrals and funding requests.
- Processing job applications.
- Continuous reviews, e.g. service reviews, surveys and feedback.
- Meeting legal and regulatory requirements.
- Investigating complaints or safeguarding concerns.
5. How We Keep Data Secure
We take appropriate technical and organisational measures to protect personal data, including:
- Access Controls: Limiting access to authorised personnel only.
- Encryption: Protecting data in storage and transmission.
- Regular Security Audits: Monitoring and improving data protection measures.
- Data Minimisation: Collecting only the necessary information for specific purposes.
- Secure Disposal: Ensuring data is safely destroyed when no longer needed.
6. Who We Share Data With
We may share personal data where necessary for the provision of care, legal compliance, or safeguarding purposes. This may include:
- NHS Trusts, GPs, and Healthcare Providers (to ensure continuity of care).
- Local Authorities and Social Care Services (for care assessments and safeguarding).
- Regulatory Bodies (such as the Care Quality Commission, NHS Digital).
- Other providers and suppliers that support the services we offer.
- Commissioning Bodies (for funding and service management).
- Educational settings you attend.
- IT and Cloud Service Providers (for secure data storage and management).
We may also share personal data between entities within our corporate group for several legitimate reasons, including:
- Service Delivery & Operational Efficiency – Ensuring smooth operations by sharing data for administrative, HR, IT, finance or customer service purposes.
- Regulatory Compliance & Risk Management – Meeting legal obligations, conducting internal audits, and managing risks across the organisation.
- Security & Fraud Prevention – Protecting against security threats, cyber risks, and fraud by implementing centralised monitoring and threat detection.
- Research & Analytics – Using aggregated or pseudonymised data to improve products, services, and customer experiences.
To ensure that intra-group data sharing is lawful, transparent, and secure, we implement the following safeguards:
- Data Sharing Agreements (DSAs) – We establish formal agreements between group entities that define the purpose, scope, and legal basis for data sharing.
- Lawful Basis for Processing – Data is shared only where there is a valid legal basis.
- Purpose Limitation – Personal data is only used for the intended and disclosed purposes, preventing unauthorised or excessive use.
- Access Controls – Only authorised personnel with a legitimate need can access shared data, following strict role-based access policies.
- Cross-Border Transfers – If data is transferred between group entities in different countries, we ensure compliance with international data protection laws through mechanisms such as the International Data Transfer Agreement (IDTA).
Any third parties that process data on our behalf must comply with strict data protection requirements.
7. International Data Transfers
We may share personal information with third parties outside of the United Kingdom (UK). Any personal information transferred will only be processed on our instruction, and we ensure that the highest standard of information security is used to protect any personal information, as required by data protection laws.
Where personal data is transferred outside of the UK to a country without an adequacy decision, we will ensure appropriate safeguards are in place prior to the transfer. These could include:
- Standard Contractual Clauses plus International Data Transfer Addendum
- International Data Transfer Agreement
- An exception as defined in Article 49 of the UK GDPR
8. How Long We Keep Personal Data
We retain personal data in accordance with the NHS Records Management Code of Practice and other relevant guidelines. Retention periods vary depending on the type of record and legal requirements. Once retention periods expire, data is securely deleted or anonymised.
9. Your Data Protection Rights
Under data protection laws, you have rights regarding your personal data, including:
- Right to Access: You can request a copy of your personal data.
- Right to Rectification: You can ask us to correct inaccurate or incomplete data.
- Right to Erasure: You can request deletion of your data where appropriate.
- Right to Restrict Processing: You can ask us to limit processing in certain circumstances.
- Right to Data Portability: You can request a transfer of your data to another provider.
- Right to Object: You can object to processing based on legitimate interests.
If we are acting as a data processor, you should contact the data controller (e.g., NHS Trust, local authority) to exercise these rights.
10. Data Breaches and Incident Reporting
We have procedures in place to manage data breaches. If a data breach occurs:
- We will assess the impact and take action to contain the breach.
- If acting as a data processor, we will notify the data controller without undue delay.
- If required, we will report the breach to the Information Commissioner’s Office (ICO) and affected individuals.
11. How to Complain
If you have any concerns about our use of your personal data, you can make a complaint to us using our contact details below.
If you remain unhappy with how we have used your data after raising a complaint with us, you can also complain to the ICO.
12. Contact Information
If you have questions about this Privacy Notice or wish to exercise your data rights, please contact:
Data Protection Officer (DPO)
Acacium Group
9 Appold Street
London
EC2A 2AP
Email: dpo@acaciumgroup.com
If you are under 13 years of age, your parent or carer will need to do this on your behalf.
13. Policy Review and Amendments
We keep this Policy under regular review. This Policy was last updated on 25/03/25.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.