Xyla Teledermatology Privacy Notice

1. About Us

ICS Operations Ltd trading as Xyla services are a ‘controller’ for the purposes of the Data Protection Act 2018, UK General Data Protection Regulation and other legislation relating to privacy  
(Data Protection Laws). We are a part of Acacium Group of companies https://acaciumgroup.com/privacy-policy/ 

We are responsible for, and control the processing of, your personal information as we operate our business as follows: 

  1. Teledermatology services: Where a patient is referred to and participates in our teledermatology services. 
  1. Enquiries: general enquiries made by potential patients when you contact us.

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on: 

  • the personal information we collect about you  
  • what we do with your personal information 
  • security and retention of personal information 
  • who your information might be shared with and  
  • your rights. 

2. Contact Details

Please contact us if you have any questions about this Privacy Notice, the information we hold about you, or want to raise any concerns or to exercise any of your rights.


If you would like a printed version of this notice please contact us. 

3. Changes to the Privacy Notice

We may change this Privacy Notice from time to time.  You should check this Privacy Notice occasionally to ensure you are aware of how we need to use your information.

Last updated September 2024. 

4. Collection of Information

What information do we collect?

We collect the following categories of information about our patients:  

Basic details Name, address, email address, NHS number, date of birth, next of kin, 
Contact history Details of contact we have had with you during the course of the receipt of your referral and the service we supply to you. 
Medical information Notes and reports about your health and your referral and where necessary any relevant assessments by a health professional Details of diagnosis and treatment given Information about any allergies or health conditions. Relevant information from people who care for you and know you well such as health care professionals and relatives where necessary. 

We may send surveys to you, in order to evaluate the service that you have received from us. These emails are classed as marketing and you can contact us if you do not want to receive these. 

It is essential that your details are accurate and up to date. You can always check that your personal details are correct when you contact us.   Please inform us of any changes to your contact details as soon as possible. This minimises the risk of you not receiving important correspondence or other communications from us relating to the service that we provide to you. 

Where may we get your information from

  • you
  • your family members (such as family guardians or carers) 
  • your primary care giver and other third parties where it is necessary and when you give us permission to do so such as : 
  • NHS Trusts and hospitals that are involved in your care. NHS Digital and other NHS bodies. General Practitioners (GPs). 

How we use your personal information

In order to provide our services to you, we need to keep records about you and any advice you receive from us. These records help to ensure that you receive the best possible advice and care. 

In general, your records are used to direct, manage and deliver the advice and care that you receive through our services. Under Data Protection Laws, there are specific grounds we have to use to process your data, which we have to tell you about. As we process health data, there are additional grounds that we have to satisfy in order to process this.

Data we process What do we use data for? Lawful grounds for processing 
Contact details  To facilitate arranging appointments and outcomes.  To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you It is necessary for the performanc of a task caried out in the public interest 
Name, address, NHS number, date of birth Personal Identifiable Data is kept to essential minimum but used when we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or on going healthcare It is necessary for the performanc of a task caried out in the public interest 
Personal medical history   To process and facilitate appropriate care in a safe and effective manner.  Necessary for the provision of a healthcare service 

If we were ever subject to a legal claim or needed to exercise our legal rights, we would need to use your information to exercise and defend our legal rights. 

Please be aware that you have the right to object to the processing of your data where we process based on our legitimate interests. 

If you have given consent to our processing, you can withdraw your consent at any time, but you should be aware that we will not be able to provide our services without knowing your medical history.  

5. Security and Retention of Information

We take our duty to protect personal information and confidentiality very seriously and we are committed to comply with all relevant legislation and to take all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. 

The Records Management Code of Practice 

The Records Management Code of Practice for Health and Social Care is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to, NHS organisations in England and this includes CHS Healthcare. 

The Code is based on current legal requirements more broadly than just Data Protection Laws for all medical records and professional best practice.  


How long health records are retained? 

All patient records are destroyed in accordance with the NHS Records Retention Schedule (which forms part of the Records Management Code of Practice for Health and Social Care), which sets out the appropriate length of time each type of NHS record is retained. 

All records are destroyed confidentially once their retention period has expired unless there is a specific reason to retain them e.g. ongoing public inquiries, litigation. 

When do we share information about you? 

We share information about you with companies who provide business-as-usual services to us to enable us to provide our services, such as hosting of our software and systems, providing IT support and service services. We are responsible for their processing and we have contractual controls in place to ensure that your data is protected. You can contact us at the details at the top of this Privacy Notice for more details on suppliers we use. 

Everyone working for us, our group of companies and the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential. 

Direct Care Purposes 

We may need to share some information about you with other organisations involved in your care or advice that we give to you about your care if they have a genuine need for it or we have your permission so we can all work together for your benefit. Therefore, we may also share your information, subject to strict agreement about how it will be used, with: 

  • NHS Trusts and hospitals that are involved in your care 
  • NHS Digital and other NHS bodies. 
  • General Practitioners (GPs). 
  • Private Sector Providers 

Indirect Care Purposes 

We also use information we hold about you to: 

Review the care and advice that we provide to ensure it is of the highest standard and quality 

  • Ensure our services can meet your needs in the future 
  • Investigate your queries, complaints and legal claims 
  • In rare circumstances where we believe you, or another , is at risk of harm, if we are instructed to do so by a court, in connection with a crime, or where required to do so for public health reasons e.g. infectious diseases 

Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital’s websites: 



6. Your Rights

You have the following rights under the Data Protection Laws:  

  • the right of access to your personal data;  
  • the right to correct any mistakes in your information; 
  • the right to ask us to stop contacting you with direct marketing; 
  • the right to object to processing where it is based on our legitimate interests; 
  • the right to restrict or prevent your personal data being processed; 
  • the right to erasure; and 
  • The right to withdraw consent 

These rights are explained in more detail below. If you want to exercise any of your rights or if you have any comments, concerns or complaints about our use of your personal data, please contact us at the details set out at the top of this Privacy Notice.  We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months. 

Right to access your personal data  

You may ask to see what personal data we hold about you and be provided with: 

  • a copy; 
  • details of the purpose for which it is being or is to be processed;  
  • details of the recipients or classes of recipients to whom it is or may be disclosed, including if they are overseas and what protections are used for those overseas transfers;  
  • the period for which it is held (or the criteria we use to determine how long it is held);  
  • any information available about the source of that data; and 
  • whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling. 

To help us find the information easily, please give us as much information as possible about the type of information you would like to see and provide evidence of your identity e.g. copy of passport or driving licence. 

Right to correct any mistakes in your information 

You can require us to correct any mistakes in your information which we hold free of charge.  If you would like to do this, please let us have enough information to identify you and let us know the information that is incorrect and what it should be replaced with. 

Right to ask us to stop contacting you with direct marketing 

You can ask us to stop contacting you for direct marketing purposes.  If you would like to do this, please contact  DPO@acaciumgroup.com 

Right to object to processing where it is based on our legitimate interests 

You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing. If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed “How we use your personal information”. The key point to note is that much of the processing under this heading is beneficial to you, so we can find a care home suitable for your needs or assess your financial situation for funding to assist with your care.  

Right to prevent processing of personal data 

You may request that we stop processing your personal data temporarily if:  

  • You do not think that your data is accurate.  We will start processing again once we have checked whether or not it is accurate; 
  • the processing is unlawful but you do not want us to erase your data; 
  • we no longer needs the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or 
  • you have objected to processing because you believe that your interests should override our legitimate interests. 

Right to erasure 

You can ask us to erase your personal data where: 

  • you do not believe that we need your data in order to process it for the purposes set out in this privacy notice; 
  • if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;  
  • you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or 
  • your data has been processed unlawfully or have not been erased when it should have been. 

Right to withdraw consent 

A key element of consent is that you can withdraw it. If you want to withdraw your consent, please contact us at the details at the top of this Privacy Notice.

The possible consequences of refusing consent will be fully explained to you at the time and could include delays in receiving our advice or care.  

7. Complaints to the Regulator

It is important that you ensure you have read this Privacy Notice – and if you do not think that we have processed your data in accordance with this notice – you should let us know as soon as possible.  Similarly, you may complain to the Information Commissioner’s Office.  Information about how to do this is available on his website at www.ico.org.uk

Xyla is a trading name of ICS Operations Ltd (Registered No 4793945), Pulse Healthcare Limited (Registered No 3156103), Carehome Selection Limited (Registered No 3091598), Independent Clinical Services Limited (Registered No 4768329) and CHS Healthcare Software Limited (Registered No 11582111)