The following statement explains how The Retreat York collects (and uses) personal data when being referred, assessed or admitted for either Inpatient or Outpatient treatment.
Our aim is always to respect you and your privacy and to comply with the Data Protection Act 1998 and European Union General Data Protection Regulation (GDPR) and the Caldicott Principles.
In order to deliver our services, The Retreat York requires you (patient and/or representatives) to provide personal information. At The Retreat York we take our responsibilities as custodians of this data very seriously and there are times when it is appropriate for us to share information about you and your healthcare with others. However we will not disclose your information to third parties without your permission unless there are exceptional circumstances such as the health and safety of another person is at risk or where the law requires information to be passed on.
The Retreat York has developed systems and processes to ensure that the standards set out in both documents are met or exceeded.
Who controls your information? and how to contact us
The Retreat York is a company registered in England and Wales under company number 4325622 and with our office at:
107 Heslington Road, York YO10 5BN
Communications regarding Data Protection should be sent to the Data Protection Officer to the above address or via email on:
The Retreat York takes overall responsibility for managing your data, and is a ‘Data Controller’ – you can read more about these responsibilities by visiting The Retreat York page on the Information Commissioners Office’s website (Registration Number Z6470446):
We do not store your data outside of the European Economic Area (EEA).
 Please note that wherever The Retreat York is mentioned this means The Retreat York, The Tuke Centre, the Autism and ADHD Service and The Retreat Living Ltd.
What information is needed and how is it used?
There are some essential pieces of information that are required to enable you to engage with the services that we provide.
The personal information that we may collect and process includes:
For some individuals, in order to effectively and efficiently provide and manage your treatment it is a contractual requirement that your data is captured, stored and updated on our systems.
• For some individuals, it is vital that your data is captured, stored and updated on our systems so that we can monitor, review and evaluate your treatment.
NB. Where patients are under existing treatment consent is and continues to be sought for the purposes of data capture, storage and processing where applicable.
How is it used:
We use this information to:
We will not disclose your information to third parties without your permission unless there are exceptional circumstances such as the health and safety of another person being at risk or where the law requires information to be passed on. Routinely we share information with:
What we do
It is an essential part of our service that we retain records that inform and support the treatment and services that we provide. We analyse this data to inform and enhance the Care and Care Planning that we provide.
In order to perform these services it is essential that the appropriate staff and professional teams are fully advised of your circumstances. In order to do this we retain your data on secure and encrypted systems that are closely controlled for appropriate access only.
We protect your information in the following ways:
Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information.
Access controls - Any member of staff being given access to your information will have received training and will have a log in name and password unique to them. All sensitive data systems are encrypted.
Audit trails - We keep a record of anyone who has accessed a health record or added notes to it.
Investigation - If you believe your information is being viewed inappropriately you have a right to complain and we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.
Records Management - All our paper records are archived in accordance with our Records Management (Information Lifecycle) Policy are stored confidentially in secure locations.
Data Retention: How long we keep your data
We retain your referral data for a period of 10 years from the date of your initial referral.
Assessments & Patients (Out Patient and In Patient)
We retain your assessment and In or Out-Patient record for a period of 20 years from the date of your discharge from the hospital.
Where enquiries are made into The Retreat we log your contact information and a synopsis of the discussion which has taken place - to remind our teams of the information that has already been discussed and to assess our performance as an organisation and to ensure we have the right information to hand.
We retain this data for 3 years.
Subject Access Requests
If you have any concerns regarding the information that we hold about you GDPR provides a number of rights for you in this respect. You may request a copy of the data that we hold about you. This is available by contacting the Administration Lead and completing a Subject Access Request at the contact details listed above.
Correction of incorrect personal data
Should you find any information to be incorrect you have the right to request its correction
Rights to be forgotten or Anonymised
It is an essential part of our service – whilst under our care – that your data be available on our systems.
After discharge, rights to be anonymised can be requested through the contact quoted above.
After 5 years post discharge, rights to be forgotten can be exercised through the contact quoted above.
How your data is kept secure
The Retreat York use SSL encryption to transfer your information, The Retreat York servers and other The Retreat York services that need to access your information. Access to this information is restricted to authorised personnel and your data will never be transferred outside of the European Economic Area. All data is encrypted at rest, meaning that all data stored on our systems have been encrypted.
Website Cookies Policy
The Retreat York uses a technology called ‘Cookies’ across all of its websites in order to deliver the best possible user experience. Cookies are files that are stored on your device each time you visit a website and enables understanding of your preferences and habits.
Cookies do not contain person-identifiable information such as medical information, or personal contact details.
The Retreat York websites are set to ‘allow cookies’ and if you browse the sites you consent to this. If you would prefer to deactivate cookies, you can do so by updating your browser settings. Please note that disabling cookies will limit the service that The Retreat York can provide. For more information on how to update your settings, visit https://ico.org.uk/for-the-public/online/cookies/
The Retreat York uses three types of cookie:
Session cookies: These enable the tracking of your movement across the websites and save information to make life easier. For instance, a session cookie might save an item to your shopping basket, without which you would be forced to order each item separately.
Persistent cookies: These enable your preferences and settings to be saved each time you visit our websites. This makes using the site faster and reduces the need to re-enter data.
Third party cookies: These enable tracking of user activity outside the websites and optimise campaigns and analytics better.
For the purpose of error capture and analysis, we capture log files which contain information about you and/or your computer.
No data processing or transformation is undertaken with this data. We do however analyse usage of the site to ensure our pages and services are relevant and current and that information can be delivered effectively.
The Data Protection Act and GDPR provide you with a number of rights in terms of your data - to learn more about these rights please see the ICO website.
Please address any requests to the Data Protection Officer through the contacts page.
If you are dissatisfied with our response you can complain to the Information Commissioner's Office
Information Commissioner's Office
Telephone: 0303 123 1113 (local rate) or 01625 545 745
Fax: 01625 524 510
Your Data Abroad:
We do not transfer or process data outside the European Economic Area unless we have your specific consent or where the nature of the processing requires it (for example, because you have chosen to use an email or other communications service which routes data outside the EEA).
Last update: March 2018