Privacy Policy

This Privacy Notice explains how The Retreat York collects, uses, stores and shares personal data about you and how we maintain patient confidentiality when a client is referred or treated by us at the centre.

  1. Who Are We

We are a private mental health provider that provides services in:

  • Autism and ADHD (adults and children)
  • Children and Young People therapies e.g. eating disorders, anxiety, low moods etc.
  • Therapy e.g. Couple therapy, Group Therapy
  • PTSK and Trauma
  • Children Services
  1. Registration

The Retreat York is a company registered in England and Wales. Our company number is 4325622.

For the purposes of this notice, The Retreat York is the data controller for all information it creates and receives. We are registered with the Information Commissioner’s Office (ICO) at:

Our Registration Number is Z6470446.

  1. How we Collect information

To enable The Retreat York to provide a service to you we first need to collect information from you to diagnosis your situation. This is done through a number of ways:

  • When we interact with you directly face to face during our registration and consultation activities or where we create accounts for you;
  • When you apply for a job or volunteer placement;
  • When you interact with us for any reasons for e.g. over the phone or when you complete our online forms;
  • When you interact with us through third parties;
  • When you initiate or make a purchase with us;
  • When you view our website. Our website collects location data and general information on website pages you visit most often and the information you are most interested in. More information about this is listed in the ‘Web Cookies Section’ below
  1. Why We Collect Information

We collect information from you to enable us to deliver a high-quality care and treatment service to you. This is because as we form a relationship with you it is important that we have a complete picture of your medical history so that we can do assessments and develop plans to improve your care and treatment. Collecting information about you helps us to:

  • Provide a range of services to you. This includes creating and administering client accounts, fulfilling transactions, providing related assistance and sending administrative information to you;
  • Provide better care. Our staff need information from you to make better informed decisions about you and to ensure all care provided is safe and effective;
  • Ensure our outsourced suppliers have relevant information to work with you effectively;
  • Inform our professional bodies and commissioning bodies of the treatment and services we are providing to you (all data reports are anonymised);
  • Safeguard vulnerable children and adults (including staff) who may be at risk of harm or where an incident has occurred and needs to be tracked;
  • For research and audit purposes. (This will always be in an anonymised format unless consent has been sought from you);
  • Accomplish our business goals and plan our services (especially if we ask you to complete surveys/questionnaires about yourself);
  • Report and identify current trends;
  • Respond to our legal duties and be able to defend our legal rights;
  • Complete audits to verify internal processes are compliant with current legislation and standards;
  • Keep track of our volunteer arrangements that may be in place.
  1. What Data We Collect

The data we collect includes:

  • Personal information (, address, date of birth, GP details);
  • Contact information (email address, telephone/mobile number);
  • Health condition and status data (e.g. medical records/medical history and diagnostic and observational data);
  • Details of appointment with practitioners (i.e. dates and times);
  • Next of kin details and emergency contact details (this will be family members or those you define as your next of kin);
  • Referrals and assessment letters;
  • Details regarding medication and prescription records;
  • Exemption details if you do not pay NHS prescriptions;
  • Transaction and bank details;
  • Photographs and videos;
  • Consents to treatment;
  • CCTV images

All medical information collected is classed as special category data and will be treated with the utmost care.

  1. Lawful Basis for Collecting Your Personal Data
  1. a) Personal data

The legal basis relied on for processing your personal data will be that it is required to fulfil a contract (agreement) with you as per Article 6(1)(b) of UK GDPR.

For other processing activities such as consent or research requirements we will rely on Article 6(1)(a) of UK GDPR – explicit consent for the data processing activity.

  1. b) Special category data

For the processing of special category data such as your health information we will rely on Article 9(2)(h) of UK GDPR – the processing is necessary for the provision of health or social care treatment or ‘pursuant to contract with a health professional’. This is because you have placed a request with us to provide a service to you.  For consent/research issues we will rely on Article 9(2)(a) – explicit consent – under UK GDPR.

We may also rely on the ‘legitimate interests’ basis for data processing where as a business we need to pursue and achieve our vision and work arrangements for example employment arrangements, research analytics, improving services, complaints, legal claims etc. Where we process your information for a ‘legitimate interest ‘we will always make sure that your rights and freedoms are taken into account and will not process any information where an imbalance or privacy issue exists.

Any other uses of data will be explained at the point of collection and will apply to all relevant statutory provisions.

For the purposes of this Privacy Notice, special category data is deemed as any information that is in relation to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data and health data.

  1. Who We Share Data With

We will never share any personal information with any third parties unless we have your explicit consent to do so. Organisations that we primarily share personal information with include:

  • GPs and Health Care Professionals associated with your referral, assessment or treatment
  • Social and welfare organisations
  • NHS England Commissioning Teams (CCGs), Vale of York CCG
  • NHS Spine (for E-Prescribing Services)
  • Outsourced suppliers and providers (Private and Public) who help us to provide services to you and who are involved in your care
  • Other Healthcare Organisations

Subject to stricter requirements data may be shared where there are exceptional circumstances and where we are required to share to comply with the law. These include:

  • Local Authorities / Social Services
  • Education Establishments
  • Voluntary Providers
  • The Police
  • Family members or those who act on your behalf e.g. Power of Attorneys, acting agents
  • Selected employees, and only where absolutely necessary for e.g. to fulfil their job role
  • Fraud prevention agencies

This may be in respect of:

  • To the extent that we are required to do so by law;
  • In connection with any legal proceedings or prospective legal proceedings;
  • A Court Order which is served upon us (if not challenged);
  • To prevent and detect crime, disorder and/or fraud;
  • Where it is required for ‘substantial public interest’;
  • To protect vulnerable children and adults;
  • For a life or death matter;
  • Where there is a risk of harm to another individual(s);
  • For health and safety purposes e.g. infectious diseases such as meningitis, measles etc.
  1. Research

Research plays a pivotal role in the development of Health and Medical Care Services. At The Retreat York, we are very proactive in research studies and will always ask you for your explicit consent and advice before directly entering you into any medical trials as a participant unless legislation permits otherwise. This reflects our true aims and values as an organisation.

  1. Responding to Emails and Phone Calls

If you have contacted us by email we will use this to contact you. Please do not send anything confidential to us via email unless it is password protected. Confidential information can be intercepted online via personal email accounts (e.g. Yahoo of Hotmail) where they are not encrypted in transmit.

  1. Staff Training and Data Quality

Calls to The Retreat are not recorded but occasionally they may be used for staff training and quality purposes. Please do inform us of any changes to your mobile, email or home address so that we can ensure that we keep your contact details up to date.

  1. Text Reminders and Marketing

The Retreat York does not participate in any direct marketing. However, we may send you text messages to remind you of your appointment if you have formally agreed to this beforehand. You can opt out of this service at any time. Please contact your clinician to update your choices asap so that we can ensure that we are sending you the right communication via the right format.

  1. Signing in Services

You can now log onto our clinical system, via Compucare to see your appointment and general information. To do this you will need to authenticate your identity and provide your name and email address information. Details will be collected in relation to your username and password.

  1. Payment Processors

We use a third-party processor for our payment transactions. Information collected for this purpose may be transferred to the relevant third-party processor and will be subject to the third party’s Privacy Notice.

  1. Social Media Platforms and Blogs

Our website and social media pages and blogs will contain information about the services we provide. Please keep in mind that if you share any personal information about yourself on these platforms that this information will be viewed, collected and used by others worldwide.

  1. Testimonials and Reviews

If you submit testimonials or reviews to our website please note this may include personal information about you.

  1. Data Subject Legal Rights

Either as a client or an employee of The Retreat York you will have the following legal rights in respect of your data under UK GDPR. These include:

  • A Right to Access to Your Information (Article 15): (Also known as a Data Subject Access Request (DSAR). If you want to find out what information is held about you then you can either submit a verbal or written request to your Administration Lead. To ensure there is no confusion, we ask that you put in this writing to avoid any delays. All SARs are free and will be responded to within 30 days (i.e. 1 month) from the date we receive your request). Where the cost to produce your request is excessive a reasonable administrative charge may be applied to cover any disbursement costs. All costs will be advised upfront, where this applies. Please advise if you want to receive your information either physically or electronically and we will try to accommodate your request, where possible. Please note all requests for access to medical records will be processed under the Access to Health Records Act 1990.
  • A Right to Rectification (Article 16): You can request information to be rectified or updated about you where personal data is found to be inaccurate, incomplete or out of date.
  • A Right to Erasure (Article 17): (Also known as a ‘Right to be Forgotten’ (RTBF)). You can request data to be erased about you where it is no longer necessary for The Retreat York to retain your data, or where you have withdrawn consent or where there is no legal basis for us to keep your information. However, please note it is our policy not to delete data whilst you are still in our care or where the retention period in relation to our Corporate Retention Schedule has not been reached. All records are managed in accordance with the Records Management Code of Practice – Oct 2020.
  • A Right to Restriction (Article 18): You have a right to request your data be restricted where you have objected to, it is considered incorrect, the processing is regarded as unlawful or you have asked us to erase it. However, such a request must be reasonable for us to consider it.
  • A Right to Data Portability (Article 20): You have the right to ask us to transfer your data to another service provider where we hold your data in a structured, common electronic format and where it is easily transferrable.
  • A Right to Object (Article 21): You have a right to object to how your data is processed where we are relying on a legitimate interest (or those of a third party) or where you consider your information is being misused e.g. direct marketing. With all objections we will consider any legitimate reasons and will contact you formally with an outcome once we have finalised our decision. No personal information is used for direct marketing or research purposes without your consent upfront.
  • A Right to not be Subjected to Automated Decision Making, including Profiling (Article 22): You have the right not to be subjected to any automated decisions that may create legal effects or which may have a similar significant impact on you unless you have consented to it, it is necessary for the performance of a contract or it is otherwise permitted by law. Currently no automated decision is undertaken at The Retreat York.
  • A Right to Withdraw Consent: You have a right to withdraw your consent to any processing at any time where we have sought your explicit consent to do so. Simply contact us to make any relevant changes.
  • The Right to Make a Complaint: If you are unhappy about how your data has or is being processed or handled then you a right to make a complaint to the Information Commissioner’s Office (ICO).

All data subject right queries will be handled within 30 days (i.e. 1 month) of receiving a request.

  1. Employment Data

All personal data submitted for employment and administration purposes i.e. applying for a job role at The Retreat York will be processed on the basis of Article 9(2)(b) (i.e. the processing is necessary for the Performance of a Contract) of the UK GDPR (UK General Data Protection Regulations 2016). If we do not offer you a role then your data will be kept for 6 months before it is securely destroyed onsite. Any other use of your data will be explained to you at the point of collection in respect of any other relevant statutory provisions.

  1. CCTV Images

The Retreat York has surveillance cameras onsite to monitor the security of its estate as well as the safety of its staff and clients. All CCTV surveillance provision in York is maintained by our outsourced security provider SWAT. For other satellite sites, the CCTV surveillance will be manged by the Landlord of the building. All CCTV footage is retained for 30 days.

  1. Retention of Data

All data held by The Retreat York is retained in respect of our Corporate Retention Schedule.

  1. a) Non-accepted or withdrawn referrals: These are retained for a period of 2 years from the date of the initial referral or withdrawal.
  2. b) Medical Files and Assessments: All client data is retained for a period of 20 years from the date of your discharge from the centre or 8 years after death, whichever is applicable.
  1. Security of Personal Information

As a business we take the protection of your personal data very seriously. Appropriate technical and organisational measures have been implemented to protect your personal data from unauthorised access, abuse, loss, theft, alteration and misuse. All data is stored on secure servers and cloud-based solutions which have encrypted back up data measures in place. All data uses TLS encryption for data to be encrypted at rest and transfer. Access to your data is protected through role-based access controls, authorised personnel, password management tools, data encryption and two factor authentications, where practical.

Information that is collected by The Retreat York may be stored (including back-ups) and processed and transferred between any of the countries in the EU in accordance with this Privacy Policy.

  1. Cross Data Border Transfers

As a rule, we do not transfer or process personal data outside the European Economic Area unless we have your specific consent to do so or where the nature of the processing requires it (for example, because you have chosen to use an email or other communications service which routes data outside the EEA).

In addition, any approved personal information that is submitted for publication on our website will also be published on the internet making it available around the world.

  1. Website Cookies Policy

Our website uses technology called ‘cookies’ to enable us to deliver a better user browser experience for our clients and to help us understand your preferences and habits. This involves a cookie file being placed on your device each time you visit our website. Cookies do not contain any person-identifiable information.

The Retreat York uses three types of cookies:

Session Cookies: These enable the tracking of your movement across the website and save information to make life easier. For instance, a session cookie might save an item to your shopping basket, which without would force you to order the item again separately.

Persistent Cookies:  These enable your preferences and settings to be saved each time you visit our website. This enables you to use the site faster and reduces the need to re-enter data.

Third Party Cookies:  These enable us to track your user activity outside the website and optimise campaigns and analytics better.

All cookies can be disabled online but you are advised that this will limit the service you receive online. For more information on this please review our Cookie Policy online.

  1. Log Files

For the purpose of error capture and analysis, we capture log files which contain information about you and/or your computer. This includes:

  • Computer name
  • Operating System version
  • Browser version
  • IP address

No data processing or transformation is undertaken with this data. We do however analyse usage of the site to ensure our pages and services are relevant and current and that information can be delivered effectively.

  1. Complaints

The Retreat York aims to meet the highest of standards when collecting and using personal data. As a business we treat all complaints we receive very seriously. We encourage anyone to bring concerns to our attention if they think we are using their data in any unfair or misleading way.

 Contact Us (Data Protection Officer)

If you have any queries about exercising your data subject rights or how your data is being processed and handled then please contact our Data Protection Officer at:

107 Heslington Road


YO10 5BN


  1. Information Commissioner’s Office (ICO)

The Information Commissioner’s Office (ICO) is the UK’s independent supervisory authority responsible for overseeing all data protection issues. If you are still dissatisfied with how your data is being processed or handled by us following our complaint procedure then you can submit a complaint to the Information Commissioner’s Office (ICO) to ask for an independent review at the following address:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire

Telephone: 0303 123 1113 (local rate) or 01625 545 745
Fax: 01625 524 510


 Changes to this Privacy Notice

 From time to time we may amend this Privacy Notice to reflect changes in the law, case law or updates on ICO guidance or for other legitimate reasons. We suggest you check our latest Notice to ensure you are up to date with our latest version.

Last updated: 28th March 2023