@theretreatyork 12 October 2019
General Privacy Notice
This Fair Processing Privacy Notice explains how The Retreat York collects, uses, stores and shares personal data and how we maintain patient confidentiality when a patient is referred or treated at the centre.
Who Are We
We are a private mental health provider that provides services in:
- Autism and ADHD (adults and children)
- Eating disorders
- PTSD and Trauma
- Children Services
The Retreat York is a company registered in England and Wales. Our company number is 4325622.
For the purposes of this notice, The Retreat is the data controller for the information we receive. We are registered with the Information Commissioner’s Office (ICO) at: https://ico.org.uk/ESDWebPages/Search
Our Registration Number is Z6470446.
How we Collect information
To support The Retreat in providing a service to you, we first need to collect information from you to diagnose your situation. This is done in a number of ways:
- When we interact with you directly face to face during our registration and consultation activities or when you are enquiring about a job or volunteer placement. We may also contact you by post, email or any other medium which is considered confidential
- When you interact with us through third parties
- When you interact with us over the phone or through our website. Our website collects general information on the website pages you visit most often and the information you are most interested in. More information on this is given in the ‘Web Cookies Section’ below
Why We Collect Information
We collect information from you to enable us to deliver a high quality care and treatment service to you. This is because as we form a relationship with you it is important that we have a complete picture of your history and can do assessments to develop plans to improve care and treatment. Collecting information about you:
- Helps our staff (i.e. support workers, nurses, doctors, psychiatrists, psychologists and any other necessary professional required) to make informed and appropriate decisions and to ensure continuity of care across teams when making referrals and assessments to treat you
- To ensure the treatment provided to you is safe and effective
- To help us work effectively with other organisations who may be involved in your care
- To safeguard vulnerable children and adults who may be at risk of harm or where an incident has occurred and needs to be tracked
- To inform our professional bodies and commissioning bodies of the treatment and services we are providing to you (all data reports will be anonymised and will only show performance and progress updates by the Patient Group Service and Safety)
- For research and audit purposes. (This will be in an anonymised format where approval has not been sought from you.)
- Help us to plan our services for the centre (especially if we ask you to complete surveys/questionnaires about yourself)
- To keep track of any volunteer arrangements that may be in place
What Data We Collect
The data we collect includes:
- Personal information (e.g. name, address, date of birth, GP details)
- Contact information (email address, telephone/mobile number)
- Health condition and status data (e.g. medical records/medical history and diagnostic and observational data)
- Details of appointment with practitioners (i.e. dates and times)
- Next of kin details and emergency contact details (this will be family members or those you define as your next of kin)
- Referrals and assessment letters
- Details regarding medication and prescription records
- Exemption details if you do not pay NHS prescriptions
- Transaction and bank details
- Photographs and videos
- Consents to treatment
All medical information collected is classed as special category data.
Lawful Basis for Collecting Data
The legal basis relied on to process your data is based on a need to fulfil a contract requirement with you as per Article 6(1)(b) (the processing is necessary for a contract) and Article 9(2)(a) (explicit consent) and 9(2)(h) (special category data) where the processing is necessary for the provision of health or social care treatment or ‘pursuant to contract with a health professional’. This is because you have placed a request with us to provide a service to you.
Where information is required for us to pursue our legal obligations the legal purpose for processing the data will be Article 6(1)(c) (processing is necessary for a legal obligation) and Article 9(2)(b) (the processing is necessary for exercising specific rights as a data controller for sensitive data).
However, we may also have ‘legitimate interests’ as a business to pursue which help us to achieve our vision and work arrangements, for example employment arrangements, research analytics, improving services, complaints, legal claims etc. Where we process your information for a ‘legitimate interest’ we will always make sure that your rights and freedoms are taken into account and will not process any information where an imbalance or privacy issue exists.
Any other uses of data will be explained at the point of collection and will apply to all relevant statutory provisions.
Who We Share Data With
We will never share any personal information with any third parties unless we have your explicit consent to do so. Organisations that we primarily share information with include:
- GPs and Health Care Professionals associated with your referral, assessment or treatment
- Social and welfare organisations
- NHS England Commissioning Teams (CCGs)
- Suppliers and Providers (Private and Public) involved in your care
- Other Healthcare Organisations
Subject to stricter requirements data may be shared where there are exceptional circumstances and where we are required to share to comply with the law. These include:
- Local Authorities / Social Services
- Education Establishments
- Voluntary Providers
- The Police
This may be in respect of:
- To the extent that we are required to do so by law
- In connection with any legal proceedings or prospective legal proceedings
- A Court Order which is served upon us (if not challenged)
- To prevent and detect crime, disorder and fraud
- Where it is required for ‘substantial public interest’
- To protect vulnerable children and adults
- For health and safety purposes e.g. infectious diseases such as meningitis, measles etc.
Research plays a pivotal role in the development of Health and Medical Care Services. Where we are proactive in research studies we will always ask you for your explicit consent and advise you about how the information will be used before you are directly entered into a trial as a participant unless legislation permits otherwise. This reflects our true aims and values as an organisation.
Text Reminders and Marketing
The Retreat does not participate in any direct marketing. However, we may send you text messages to remind you of your appointment if you have formally agreed to this beforehand. You can opt out of this service at any time. Please contact your clinician to update your choices asap so that we can ensure that we are sending you the right communication through the right format.
Data Subject Legal Rights
Under GDPR, all patients and staff have certain legal rights in respect of their data. These include:
- A Right to Access to Information (Article 15): (Also known as a Data Subject Access Request (DSAR).) If you want to find out what information is held about you then you must submit a written Data Subject Access Request (DSAR) to your Administration Lead. All SARs are free and will be responded to within 30 days. Where the cost to produce your request is excessive a reasonable administrative charge may be requested to cover any disbursement costs. All costs will be advised upfront, where this applies. Please advise if you want to receive your information either physically or electronically.
- A Right to Rectification (Article 16): You can request information to be rectified or updated about you where personal data is found to be inaccurate, incomplete or out of date.
- A Right to Erasure (Article 17): (Also known as a ‘Right to be Forgotten’ (RTBF).) You can request data to be erased where it is no longer necessary for The Retreat to retain or you have withdrawn consent or where there is no legal basis for us to keep processing it. However, it is our policy not to delete data whilst you are still in our care or where the retention period in relation to our Corporate Retention Schedule has not been reached.
- A Right to Restriction (Article 18): You have the right to restrict how your data is used or managed by us where you have asked us to erase it or have objected to it. However, this request must be reasonable.
- A Right to Data Portability (Article 20): You have the right to ask us to transfer your data to another provider where we hold your data in a structured, common electronic format and where it is easily transferrable.
- A Right to Object (Article 21): You have a right to object to how your data is processed where we are relying on a legitimate interest (or those of a third party) or where you consider your information is being misused. With all objections we will consider any legitimate reasons and will contact you formally with an outcome once we have finalised our decision. No personal information is used for direct marketing purposes without your consent upfront.
- A Right to not be Subjected to Automated Decision Making, including Profiling (Article 22): You have the right not to be subjected to any automated decisions that may create legal effects or which may have a similar significant impact on you unless you have consented to it, it is necessary for the performance of a contract or it is otherwise permitted by law. Currently no automated decision making takes place at The Retreat.
- A Right to Withdraw Consent: You have a right to withdraw your consent to any processing at any time where we have sought your explicit consent to do so.
- The Right to Make a Complaint: If you are unhappy about how your data has or is being processed or handled then you can complain to the Information Commissioner’s Office (ICO).
All personal data submitted for employment and administration purposes e.g. applying for a job role will be processed on the basis of Article 6(1) (consent) and Article 9(2)(b) (necessary for the performance of a contract) of the General Data Protection Regulations (GDPR). If we do not offer you a role then your data will be kept for 6 months before it is securely destroyed onsite. Any other use of the data will be explained at the point of collection with reference to any relevant statutory provisions.
The Retreat has surveillance cameras onsite to monitor the security and safety of the estate as well as our staff and patients. The Retreat’s CCTV surveillance provision is managed by the Estate and maintained by our outsourced provider SWAT. All CCTV footage is retained for 30 days.
Retention of Data
All data held by the Retreat is retained in respect of our Corporate Retention Schedule.
a) Referrals: These are retained for a period of 10 years from the date of the initial referral.
b) Assessments & Out Patient Data: These are retained for a period of 20 years from the date of your discharge from the centre.
Security of Personal Information
As a business we take the protection of all personal data very seriously. Appropriate technical and organisational measures have been implemented to protect people’s personal data from abuse, loss, theft, alteration and misuse. All data is stored on secure servers and cloud-based solutions which have encrypted backup measures in place. All data uses SSL encryption for data to be encrypted at rest and in transfer. Access to data is restricted to authorised personnel, and password management tools, data encryption and two-factor authentication are used, where possible.
Cross Data Border Transfers
As a general rule, we do not transfer or process personal data outside the European Economic Area unless we have your specific consent to do so or where the nature of the processing requires it (for example, because you have chosen to use an email or other communications service which routes data outside the EEA).
In addition, any personal information that is submitted for publication on our website will also be published on the internet making it available around the world.
Website Cookies Policy
Our Website uses technology called ‘cookies’ to enable us to deliver a better user browser experience and to help us understand your preferences and habits. This involves a cookie file being placed on your device each time you visit our website. Cookies do not contain any person-identifiable information.
The Retreat York uses three types of cookies:
Session Cookies: These enable the tracking of your movement across the website and save information to make life easier. For instance, a session cookie might save an item to your shopping basket, which without would force you to order the item again separately.
Persistent Cookies: These enable your preferences and settings to be saved each time you visit our website. This enables you to use the site faster and reduces the need to re-enter data.
Third Party Cookies: These enable us to track your user activity outside the website and optimise campaigns and analytics better.
For the purpose of error capture and analysis, we capture log files which contain information about you and/or your computer. This includes:
- Computer name
- Operating System version
- Browser version
- IP address
No data processing or transformation is undertaken with this data. We do however analyse usage of the site to ensure our pages and services are relevant and current and that information can be delivered effectively.
The Retreat aims to meet the highest of standards when collecting and using personal data. As a business we treat all complaints we receive very seriously. We encourage anyone to bring concerns to our attention if they think we are using their data in an unfair or misleading way.
Contact Us (Data Protection Officer)
If you have any queries about your data rights or how your data is being processed and handled then please contact our Data Protection Officer at:
107 Heslington Road
York, YO10 5BN
Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) is the UK’s independent supervisory authority responsible for overseeing all data protection issues. If you are still dissatisfied with how your data is being processed or handled by us following our complaint procedure then you can submit a complaint to the Information Commissioner’s Office (ICO) to ask for an independent review at the following address:
Information Commissioner's Office
Wycliffe House, Water Lane
Telephone: 0303 123 1113 (local rate) or 01625 545 745
Fax: 01625 524 510
Last Updated: 19th June 2019