Patient privacy policy

Scope and overview

This privacy notice is issued by the controller, ICS Operations Limited, trading as Xyla.

When we mention “we”, “us” or “our” in this privacy notice, we are referring to ICS Operations Limited, trading as Xyla.

Please contact us using the details below if you have any questions about this privacy notice or the personal data that we use about you:

  • by email to: Tracy Cherrington,; or
  • by writing to: Data Protection Officer, 9 Appold Street, London, EC2A 2AP

If you have any concerns about the personal data we use about you, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, by contacting them at We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please feel free to contact us in the first instance.

We regularly review this privacy notice and will update it where necessary. We will notify you of any significant changes. This privacy notice was last updated on 17/06/2021.

1. When will this privacy notice apply?

This privacy notice will apply to personal data we collect from you when:

  • Your NHS IAPT service, university, GP or mental health service refers you to Xyla to undertake an assessment or a course of treatment.

We are committed to ensuring that your privacy is protected. If you provide us with personal data, you can be assured that it will only be used in accordance with this privacy notice.

2. What is the lawful basis for using your personal data?

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data for the purposes below. These are commonly called the lawful basis for processing.

  • Processing is necessary for the performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller – by processing your data we are able to provide the public task of health promotion and disease prevention.
  • Legitimate Interests – processing is necessary for the purpose of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose in this privacy notice.

The table below sets out the personal data that we collect and use about you and the lawful basis we will rely on as set out above.

Personal data we obtain:
Basic contact details: *
– Full legal name
– Telephone number
– Address
– Home number
– Mobile number
– Email address
Purpose for processing:
– To enable you to have a preference as to how we contact you
– To enable us to communicate and manage our relationship with you while we deliver the assessment and talking therapies for which you are referred. This will include booking and confirming your appointment, sending you clinical questionnaires in readiness for your appointment and communicating with you throughout the course of your assessment and treatment, and sending information upon discharge and completion with our service.
Lawful basis:
The performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller

Personal data we obtain:
– Sex*
– Ethnicity
– Religious group
– Relationship status
– Any long-term health conditions or disabilities
Purpose for processing:
– To fully populate a patient record on our clinical case management system, which is used by the patient’s therapist in preparation for their appointment
– To monitor results and feedback for demographics and improve our services in the future
Lawful basis:
Legitimate interest

Personal data we obtain:
NHS Number* (NHS referrals only)
Purpose for processing:
– To have a unique identifier for yourself when we communicate with you
– To have an identifier used to identify you between our service and the referring service for continuity of record keeping and clinical safety
Lawful basis:
The performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller

Personal data we obtain:
Date of Birth *
Purpose for processing:
– To determine your eligibility for our service; we are unable to support any persons under 18 years old
– To have a unique identifier for yourself when we communicate with you
Lawful basis:
Legitimate interest

Personal data we obtain:
– Reason for referral and tests referred for*
– Clinical history*
– Prescribed drugs*
Purpose for processing:
– To support the ability for comprehensive Digital Therapies service delivery and support via our therapists and clinical team
Lawful basis:
The performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller

Personal data we obtain:
– Referring GP
– Referring Doctor
– Name of GP Practice
– Name of Hospital/Department
– Clinic/hospital/GP Code
• Referrers:
– Telephone No
– Address
– Email
– Clinician
*all of the above
Purpose for processing:
– To be able to communicate directly with referrer in the interest of the patient’s clinical safety and progress in treatment and at the point of discharge.
– To communicate directly in the event of an urgent risk or an emergency
– To seek approval from the referring service in the case additional sessions are required
– To ensure we are able to compile comprehensive clinical reporting for our service performance and the referring service with all referring details included in report
Lawful basis:
The performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller

Personal data we obtain:
Opinions and evaluations of the service that we have provided
Purpose for processing:
– To enable us to provide a service that meets the individual’s needs and to address any concerns and improve our service
– To enable us to improve and strategically develop the service going forwards
Lawful basis:
Legitimate Interests

Personal data we obtain:
– Any complaints on the service provided via email, letter or verbally
– Completed and returned patient satisfaction surveys
– Any incidents determined
Purpose for processing:
– Investigate or prevent any complaints or incidents raised
– To carry out or assist with any legal or regulatory investigation
Lawful basis:
Legitimate Interests
Legal obligations

3. What personal data must you provide to us as part of a statutory/regulatory or contractual requirement?

In certain circumstances, you may be obliged to provide us with personal data for us to be able to provide a therapeutic intervention to you. Where this is the case, we have identified these instances in the table above with an “*”.

4. What special category data do we process about you?

Throughout your initial referral and your assessment and/or course of treatment, it will be necessary for us to collect and use personal data about you, including the reason for referral, your clinical history and prescribed medication. This information is called “special category data.” We will only process special category data when necessary for the provision of health or social care or treatment.

5. How long do we keep your personal data for?

We will only keep your personal data for as long as is necessary for the purposes for which it was collected. In order to determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of your personal data. We will also consider legal and regulatory requirements. Under the Record Management Code of Practice 2020, we will keep your data securely for eight years post-discharge from the service, unless there are other lawful contractual obligations in relation to retention of your data.

6. Will we share your data with third parties?

Your data will be shared by Xyla with the referring service and your GP practice. Should you wish for your information not to be shared with the GP practice please notify our Patient Services Team during the booking of your appointment and we will ensure your notes are updated accordingly.

Throughout your referral, we may share your data, when required, with –

  • The referring service
  • Your GP
  • Our clinical team of therapists and supervisors
  • Our Patient Services Team
  • Auditors
  • Third parties who provide services or online platforms
  • Regulators

We require all third parties to respect the security of your data and to treat it in accordance with data protection laws. Where we share your data with third parties who provide operational or online platforms to us, we only permit them to process your personal data for specified purposes in accordance with our instructions.

7. Will we transfer your data outside of the European Economic Area?

Your data will not be shared outside of the European Economic Area.

8. How do we safeguard your personal data?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used, or accessed in an unauthorised way.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

In addition, we limit access to your personal data to only those who have a business or clinical need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

9. What rights do you have in relation to your personal data?

Xyla work with a variety of organisations in different contractual ways in relation to your data. To this end, requests regarding your rights should be directed to in the first instance. Xyla will work in partnership with your referring service and yourself for any such request.

You have the following data protection rights when we use your personal data:

a) Your right to request access to your personal data – this enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

b) Your right to request correction of the personal data that we hold about you – this enables you to have any incomplete or inaccurate personal data we hold about you corrected, though we may need to verify the accuracy of the new personal data you provide to us.

c) Your right to request erasure of your personal data – this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing under Section (d), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

d) Your right to object to processing of your personal data – this enables you to object to the processing of your personal data where we are relying on the performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller or Legitimate Interests and there is something about your situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

e) Your right to request restriction of processing of your personal data – this enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the personal data is unlawful but you do not want us to erase it; (c) where you need us to hold the personal data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.

f) Your right to withdraw consent – this right arises at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

g) Your right to data portability – You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.

If you would like to exercise any of these rights, please contact In most cases, we will deal with a request as soon as possible and at the latest within one calendar month of the request. If we need to extend the time period for responding to your request, we will let you know within the one-month period. We do not charge a fee for any such requests unless there are exceptional circumstances.

Xyla is a trading name of ICS Operations Ltd (Registered No 4793945), Pulse Healthcare Limited (Registered No 3156103), Carehome Selection Limited (Registered No 3091598), Independent Clinical Services Limited (Registered No 4768329) and CHS Healthcare Software Limited (Registered No 11582111)