General enquiries:
01904 412551
Autism and ADHD service:
01904 426043

Privacy Notice - Patient Services

The following statement explains how The Retreat York collects (and uses) personal data when you are referred, assessed or admitted for either Inpatient or Outpatient treatment.

Our aim is always to respect you and your privacy and to comply with the Data Protection Act 1998 and European Union General Data Protection Regulation (GDPR) and the Caldicott Principles.

In order to deliver our services, The Retreat York[1] requires you (patient and/or representatives) to provide personal information. At The Retreat York we take our responsibilities as custodians of this data very seriously and there are times when it is appropriate for us to share information about you and your healthcare with others. However, we will not disclose your information to third parties without your permission unless there are exceptional circumstances such as the health and safety of another person being at risk or where the law requires information to be passed on.

This privacy policy explains what information is collected, how it is used and your rights in this regard.

The Retreat York has developed systems and processes to ensure that the standards set out in both documents are met or exceeded.

Who controls your information and how to contact us

The Retreat York is a company registered in England and Wales under company number 4325622 and with our office at:

107 Heslington Road, York YO10 5BN

Communications regarding Data Protection should be sent to the Data Protection Officer to the above address or via email on:

The Retreat York takes overall responsibility for managing your data, and is a ‘Data Controller’ – you can read more about these responsibilities by visiting The Retreat York page on the Information Commissioner’s Office website (Registration Number Z6470446):

The Retreat York follows strict data protection protocols. Your information will be processed securely by The Retreat York in order to provide you with the services and for the purposes described in this privacy policy.

We do not store your data outside of the European Economic Area (EEA).

[1] Please note that wherever The Retreat York is mentioned this means The Retreat York, The Tuke Centre, the Autism and ADHD Service and The Retreat Living Ltd.

What information is needed and how is it used?

There are some essential pieces of information that are required to enable you to engage with the services that we provide.

The personal information that we may collect and process includes:

  • Personal information such as your name, address, date of birth and GP details.
  • Contact information, including phone number and email address.
  • Your health condition and status, including medical records and medical history
    • This also includes diagnostic and observational data
  • Details of the appointments you have with our practitioners, including number of appointments, dates and times;
  • Next of kin information and emergency contact details – this may be family members or others you define as your next of kin
  • Referral letter and assessment letters
  • Details regarding the medication you require and your prescription records.
  • Exemption details if you do not pay for NHS prescriptions.
  • Electronic proof of your consent to treatment, so that The Retreat York can request NHS prescriptions on your behalf.
  • Bank details

Lawful Basis:

  • For some individuals, in order to effectively and efficiently provide and manage your treatment it is a contractual requirement that your data is captured, stored and updated on our systems.
  • For some individuals, it is vital that your data is captured, stored and updated on our systems so that we can monitor, review and evaluate your treatment.

NB. Where patients are under existing treatment, consent is and continues to be sought for the purposes of data capture, storage and processing where applicable.

How is it used:

We use this information to:

  • Ensure continuity of your care across the teams and personnel required to refer, assess or treat you.
  • Inform Care and Support Workers, Nurses, Doctors, Psychiatrists, Psychologists and other necessary professional teams of the information required to provide and continue care for you; or for your onward care planning when discharged from our care.
  • Inform ourselves and other professionals and commissioning bodies about the treatment and services we provide; we analyse and research with anonymised data to report and show performance and progress by patient group, service and safety.
  • In anonymised format, inform and support research into Mental Health.
  • Ensure that the Safeguarding of individuals across both risk and incident is carefully logged and tracked for appropriate evidence and historic record.

We will not disclose your information to third parties without your permission unless there are exceptional circumstances such as the health and safety of another person being at risk or where the law requires information to be passed on. Routinely we share information with:

  • healthcare professionals associated with your referral, assessment or treatment
    • Including your referrer, GP, care co-ordinator
  • social and welfare organisations
  • NHS England and commissioning teams (CCGs)
  • family, associates and representatives of the person whose personal data we are processing
  • suppliers and service providers
  • other healthcare organisations where you may be discharged to.

What we do

It is an essential part of our service that we retain records that inform and support the treatment and services that we provide.  We analyse this data to inform and enhance the Care and Care Planning that we provide.

In order to perform these services it is essential that the appropriate staff and professional teams are fully advised of your circumstances.  In order to do this we retain your data on secure and encrypted systems that are closely controlled for appropriate access only.

We protect your information in the following ways:

Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information.

Access controls - Any member of staff being given access to your information will have received training and will have a log in name and password unique to them.  All sensitive data systems are encrypted.

Audit trails - We keep a record of anyone who has accessed a health record or added notes to it.

Investigation - If you believe your information is being viewed inappropriately you have a right to complain and we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management - All our paper records are archived in accordance with our Records Management (Information Lifecycle) Policy and are stored confidentially in secure locations.

Data Retention: How long we keep your data


We retain your referral data for a period of 10 years from the date of your initial referral.

Assessments & Patients (Out Patient and In Patient)

We retain your assessment and In or Out-Patient record for a period of 20 years from the date of your discharge from the hospital.

Enquiries Data

Where enquiries are made into The Retreat we log your contact information and a synopsis of the discussion which has taken place - to remind our teams of the information that has already been discussed and to assess our performance as an organisation and to ensure we have the right information to hand.

We retain this data for 3 years.

Subject Access Requests

If you have any concerns regarding the information that we hold about you, GDPR provides a number of rights for you in this respect. You may request a copy of the data that we hold about you. This is available by contacting the Administration Lead and completing a Subject Access Request at the contact details listed above.

Correction of incorrect personal data

Should you find any information to be incorrect, you have the right to request its correction.

Rights to be forgotten or Anonymised

It is an essential part of our service – whilst under our care – that your data be available on our systems.

After discharge, rights to be anonymised can be requested through the contact quoted above.

After 5 years post discharge, rights to be forgotten can be exercised through the contact quoted above.

How your data is kept secure

The Retreat York uses SSL encryption to transfer your information to The Retreat York servers and other The Retreat York services that need to access your information. Access to this information is restricted to authorised personnel and your data will never be transferred outside of the European Economic Area. All data is encrypted at rest, meaning that all data stored on our systems has been encrypted.

Website Cookies Policy

The Retreat York uses a technology called ‘Cookies’ across all of its websites in order to deliver the best possible user experience. Cookies are files that are stored on your device each time you visit a website and enable understanding of your preferences and habits.

Cookies do not contain person-identifiable information such as medical information, or personal contact details.

The Retreat York websites are set to ‘allow cookies’ and if you browse the sites you consent to this. If you would prefer to deactivate cookies, you can do so by updating your browser settings. Please note that disabling cookies will limit the service that The Retreat York can provide. For more information on how to update your settings, visit

The Retreat York uses three types of cookie:

Session cookies:  These enable the tracking of your movement across the websites and save information to make life easier. For instance, a session cookie might save an item to your shopping basket, without which you would be forced to order each item separately.

Persistent cookies:  These enable your preferences and settings to be saved each time you visit our websites. This makes using the site faster and reduces the need to re-enter data.

Third party cookies:  These enable tracking of user activity outside the websites and optimise campaigns and analytics better.

Log Files

For the purpose of error capture and analysis, we capture log files which contain information about you and/or your computer.

This includes:

  • Computer name
  • Operating System version
  • Browser version
  • IP address

No data processing or transformation is undertaken with this data. We do, however, analyse usage of the site to ensure our pages and services are relevant and current and that information can be delivered effectively.

The Data Protection Act and GDPR provide you with a number of rights in terms of your data - to learn more about these rights please see the ICO website.

Please address any requests to the Data Protection Officer through the contacts page.

If you are dissatisfied with our response, you can complain to the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113 (local rate) or 01625 545 745
Fax: 01625 524 510

Your Data Abroad:

We do not transfer or process data outside the European Economic Area unless we have your specific consent or where the nature of the processing requires it (for example, because you have chosen to use an email or other communications service which routes data outside the EEA).

Last update: March 2018