Privacy Policy


Mountain Healthcare Limited is a private company, commissioned by NHS England and the Police to provide forensic healthcare services.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are data protection laws that apply to companies that are established in the UK. UK GDPR requires us to provide people with information about what personal data we process, what are their rights, how they can exercise those rights, and how to make complaints.

Mountain Healthcare takes your privacy very seriously and is committed to protecting your personal information. This Privacy Notice provides that information in a way we have tried to make clear and transparent. If you would like more information about what data we process, for what purpose or how long we keep it for, please use one of the contact details provided to ask us.


Data Controller

Mountain Healthcare Limited (referred to as Mountain, “we”, “us” or “our” in this privacy policy) is a limited company with registration number 11394918. Mountain is the Controller of the personal data to which this privacy policy relates. This means that we are responsible for making sure that we process your personal data in a safe and lawful way.

We have appointed a data protection lead (“DPL”) whose role includes overseeing questions in relation to how we process your personal data. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact our DPL using the details set out below.


Contact details

Our full name: Mountain Healthcare Limited

Email and postal address for contacting us and our DPL:

Email address:

Registered Office: First Floor, Station Place, Argyle Way, Stevenage, SG1 2AD, UK

Telephone: 0330 223 0099


Personal data processed

Personal data is any information we have that can identify you, such as your name, date of birth, or medical history.

Our data retention period, which is the length of time we hold your personal data, is informed by our commissioners and the Department of Health, NHS England and professional bodies such as the British Medical Association and The Health and Care Professions Council.

We might also keep some information that doesn’t identify you to help improve our business and our services as well as helping with health research. We do this by removing your identifiable information such as your name, date of birth, contact details to form ‘de-identified’ data.

In accordance with national opt-out legislation, you can choose to opt out of your confidential information being used for research and planning. For more information on this, please visit the NHS data opt-out website.  If you have any concerns about this or wish to change your data preferences, please email the Governance team at or call 0330 223 0099.

We process the following personal data for the purposes listed. Where we use personal data, we will only use the minimum necessary personal data for that purpose.



Purposes Types of personal data Retention period Lawful basis
Providing health and care to NHS referred patients • Basic details • Contact details • Details of accompanying persons and/or next of kin • Medical history/Medication usage  • Reason for attending • Notes regarding any physical mental health assessments/examinations carried out  • Results of any tests that we refer the individual to • Information about onward referrals made to other support services • Any feedback provided to us by the individual. If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. Performing a task in the public interest [Article 6(1)(e)] and; The provision of health or social care or treatment [Article 9(2)(h)]
Communicating regarding any concerns, queries or complaints Name, contact details, any relevant information including health We keep your data for 10 years Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; Ensuring high standards of quality and safety of health care [Article 9(2)(i)]
Quality assurance, quality improvement, training and security including conducting peer reviews of treatment conducted by clinicians delivering Mountain services Health data, video and/or audio conversations recorded through clinical sessions as well as recorded calls and emails to support teams regarding your service with us If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment. Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; Ensuring high standards of quality and safety of health care [Article 9(2)(i)]
Complying with our legal or regulatory obligations, and defending or exercising our legal rights where necessary or in the vital interests of the data subject All personal data held by Mountain where necessary We keep your data for 8 years, although it may be longer to comply with legal requirements For compliance with a legal obligation [Article 6(1)(c) and Article 9(2)(f)] and; For reasons of substantial public interest [Article 9(2)(g)]
To conduct research Name, contact details, study ID and health data, video recorded through clinical sessions.  We remove any details that could identify you from this information. This includes your name, address and contact information. We keep your data for up to 10 years, which will vary on the type of research Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; For the public interest, scientific or statistical purposes [Article 9(2)(j)]

Purposes Types of personal data Retention period Lawful basis
Supplier retention Name, address, contact details and payment information We keep your contact details for the life of the contract plus 6 years for audit purposes Processing is necessary for the performance of a contract [Article 6(b)]
Where we rely on GDPR Article 6(1)(f) ‘legitimate interests’ are as follows:
  1. Providing health care to individuals

  1. Ensuring complaints and communications are handled appropriately

  1. Ensuring we provide and maintain a high level of quality of service

  1. Undertaking research to further improve our service


Helping with health research

When using your de-identified data to support health research, we aim to publish our research results in peer-reviewed journals or by working with academics. We may conduct research with partner organisations such as universities or other academic institutions.

We may also use data that does not identify you personally as part of statistics that we collect on certain types of illness, symptoms and conditions. This might include us contributing medical data to our partners and organisations such as NHS England. They will always be anonymised, which means you cannot be personally identified. This is so we can improve our medical knowledge, help deliver better care and help the public.


Sharing your personal data

We will only share your personal data with organisations involved with your care for example your GP, unless we have a legal obligation to share with another party. Where personal data will be shared outside the purposes of providing you care we will inform you unless the law restricts us from doing so. These services may include Sexual Health, Social Services, Independent Sexual Violence Advisor (ISVA) Services, Talking Therapies, Mental Health, Drug & Alcohol as well as other local services.


Where we store and process your data

Your data may be processed or stored outside of the UK and the European Economic Area (EEA). This is because we sometimes work with other companies who help us deliver our services to you and they might have servers outside of the UK or EEA.

This will always be in line with applicable data protection lawful mechanisms and protected by appropriate safeguards such as EU-approved standard contractual clauses, a Privacy Shield certification, or a supplier’s Binding Corporate Rules.

For further information on how we protect your data if we transfer it outside of the EEA, contact us by email at:


Further uses of personal data for corporate purposes:

Contractors, Third-Party Service Providers, and Suppliers:

Purposes Types of personal data Retention period Lawful basis
Supplier retention Name, address, contact details and payment information We keep your contact details for the life of the contract plus 6 years for audit purposes Processing is necessary for the performance of a contract [Article 6(b)]

Patients and commissioners:

Purposes Types of personal data Retention period Lawful basis
Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax or legal advice) Financial, contact details, name We keep your data for 8 years Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; For compliance with a legal obligation [Article 6(1)(c)]

Your Data Protection Rights

The UK GDPR allows various rights for people whose data is being processed. The rights are not absolute and so sometimes do not apply. Where you wish to exercise any of your rights, you may do so free of charge contacting us at We will respond within one month.

Details of the rights within UK GDPR are below. You will be informed if the right is available to you upon application:

Right Meaning
UK GDPR Article 15
You may request a copy of the data held by us about you.
Rectification UK GDPR Article 16 If you think the data held by us is wrong and you may request that it is corrected.
Erasure (Right to be forgotten)
UK GDPR Article 17
You can request that your data is deleted by us.
UK GDPR Article 18
There are circumstances in which you may ask us to stop processing your data, but we must otherwise keep the data. For example, where required by law.
Portability  UK GDPR Article 19 You can ask for a copy of your data in a format that can be readily transferred to another company.
Objection UK GDPR Article 20 You can object to the processing of your personal data when we are relying on a legal obligation or public duty legal basis or where we are processing in our legitimate interest, especially for direct marketing.



At Mountain Healthcare we want to treat personal information lawfully, correctly and in compliance with the General Data Protection Regulation (GDPR).

We will meet the principles of the GDPR by:

  • Ensuring that we seek a lawful basis for collecting, processing and sharing personal information.
  • Making sure that individuals are made aware of what personal information will be collected and how it will be processed.
  • Restricting the processing of data to the purposes for which it is specified to be processed.
  • Only collecting and processing information which is necessary for carrying out our services and taking reasonable measures to ensure such information is kept relevant and up-to-date.
  • Keeping all personal information safe and secure, through appropriate storage and transfer methods.
  • Ensuring that personal information is only kept for as long as required/necessary (our retention schedules are guided by our Commissioners and other professional bodies).

Protecting Your Personal Data

Mountain takes protection of your personal data very seriously. Mountain uses a range of precautions that include administrative, technical and physical measures, to safeguard your personal data against loss, theft and misuse, as well as against unauthorized access, disclosure, alteration and destruction. We store the personal data you provide encrypted on computer servers that are in highly secure and controlled facilities. We restrict access to personal data to our employees, contractors and agents who need access to operate, develop, or improve our services and the application.

We follow industry accepted security standards to protect the personal data you submit to us, both during transmission and once we receive it.

We have implemented several technical and organisational measures to ensure your personal data is kept secure. This includes:

  • Compliance with the NHS Data Security and Protection Toolkit
  • Completing annual Cyber Essentials Plus certification by external security specialist company

  • Annual penetration testing of our systems by an external cyber security specialist company
  • Annual training for all staff on how to handle information securely.
  • Having role-based access controls so that staff can only access records necessary for their role.


Website User and Social Media Platforms

Personal data processed:

Purposes Types of individuals Types of personal data Retention period Lawful basis
Collect analytics to understand user numbers accessing website, registering interest for our research All individuals access social media platforms that click on our adverts IP address, device address, time of day, length of time, what screens are visited We keep your data for 8 years Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]

For website users and social media platforms, where we rely on GDPR Article 6(1)(f) our legitimate interests are as follows:

  1. Marketing our products, services and research.


Information Requests

Under the General Data Protection Regulation (GDPR) and Data Protection Act, individuals have the right to access the information we hold about them, both on paper and electronically. There are some exceptions to this however, which include:

  • If information has been provided about the individual by someone else and they have not given their permission for this to be shared with them.

  • The information is considered to have the potential to cause mental or physical harm to the individual or someone else.

Please note we will require proof of identity before we can disclose personal information.


Mountain Employees

Job Applicants

When potential candidates apply for one of our vacancies, we will collect basic contact details, as well as standard curriculum vitae information. We will also give individuals the opportunity to provide information regarding equal opportunities. As the individual’s application progresses, we may require information to support security checks and professional body compliance. This information is collected to process the individual’s application and to complete our ‘New Starter’ process, should the individual be appointed.


Mountain will collect your personal data for the performance of your employment contract. We will normally record the following information:

  • Basic details
  • Contact details
  • Curriculum Vitae information, including qualifications, employment history, etc.
  • Information to support Equal Opportunities
  • Finance/Bank details
  • Medical/Health information
  • Information required for DBS/Vetting Checks
  • Information to confirm compliance with professional bodies such as the GMC/NMC/HCPC
  • Staff training and development
  • Staff appraisals, probation and promotion

Additional personal information may also be collected throughout your employment with Mountain Healthcare Ltd, to manage your ongoing employment relationship with us. This information may include but is not limited to leave requests, medical certificates, performance appraisals, etc.

The main purposes for collecting your personal information are to process your employment application, maintain your employee records, manage your employment and administer your salary.

Personal employee information, which is collected by Mountain Healthcare Ltd, will be used for managing processes associated with your employment relationship with us.

​We use external companies to support some functions, we may be required to share your personal information with third parties. If you would like further information regarding this, please contact our Human Resources Department by email at




Child-Friendly Privacy Policy

This document is about how we use, and how we look after the information we have got about you.

You can always:

  • Ask us for a copy of the information we have about you
  • Ask us to update the information we have about you
  • Ask us to delete the information we have about you
  • We will always:
  • Follow the law on how we can keep and use the information we have about you
  • Make sure our policies are the best they can be
  • We will never:
  • Give the information we have about you to anyone else, unless…
  • …you tell us we can
  • …we think that doing so will protect you from harm
  • …the law says we have to (e.g. to prevent a crime)
  • Tell people about our work with you in a way that you can be identified unless you have told us we can
  • Use the information you have given us to sell you anything unless you have told us we can

And here is more detail:

At Mountain Healthcare we do our very best to keep the information we have about you safe and private.  This goes for all the children and young people we support.  It goes for our staff and other people who work with us too.  We have made sure that we have set up good ways to keep information about you safe and private.  We keep checking these to make sure they are as good as possible.

We keep to what the law says about using and looking after information about people.  We will keep to the latest rules about this which are part of the law from 2018 onwards.  The main law is called the “Data Protection Act”.  This became law in 1998.  The latest rules are called the General Data Protection Regulations 2018, sometimes called GDPR.

The sort of information we have about you might be your name, your date of birth, your email and postal addresses, your phone number, and your health.

We may ask you about your physical and mental health, the choices you may make about sex, your race and background, and your religion.  We might of course know other things about you as part of our treatment.  We only keep information like this about you so we can use what we know to help you, or so we can work with you in the future.  For example, if we are going to give you help and advice, we may see from our records that there are other problems you have already told us about.  Using that information about you means we can give you better help or advice.  As another example, we may need to use the address, email address or phone number you have given us, to get in touch with you again if we need to.

We only ask things about you that you want to tell us, or things that we think we need to know so we can help you, even though they are very private.  We will not tell anyone else what we know about you unless you ask us to or if we need to ask other people to help you.

The law says there are only two ways we can use any information we have about you.

One is when you have given us your permission.  We have only got your permission if you have actually told us it is ok.  We can’t say you have given us permission just because you haven’t said “no” to something.

The other way we can use information about you is when we think that using it will really help us to help you, even though it is very private.  Before we use information about you, we decide whether it is more important to use it to help you, or not to use it because it is private.

There can be times when the law says we must pass on some information about people.  For example to help stop someone from helping you.  If the law says we have to pass something on we don’t have a choice.  We aren’t allowed to say no, even if you haven’t given us permission.

We need to see how well we are doing in helping children from different groups.  Sometimes we need to use information like your age or whereabouts you live, so we can see the sorts of people we are helping.  We also need to give some information about our work to people who are giving us money towards our work, or to people who are checking to see how well we are doing.  What we tell them is about the work we do, not private information about particular people.   The information we share is “anonymous”, which means nobody can tell which bits of information are about you.  They will not be able to see the name of anyone any of the information is about.  For example, we might simply tell them the sorts of problems we have helped people with over the past year, but not the personal details of anyone.

If another organisation tells us something about you, we will keep to their rules about what we do with what they have told us.  We will keep to any permission you have given them about using what they tell us about you.

Your rights

The law says that you can always …

  • Ask us for a copy of the information we have got about you
  • Change the information we have got about you, or bring it up to date, if it is wrong
  • Change how you’d like us to get in touch with you
  • Ask us to delete all the information we have got about you unless another law tells us we can’t

  • Tell us if you are worried about the way we are keeping or using information about you, and want to make a complaint about this.

Our contact details are:

  • Registered Office: First Floor, Station Place, Argyle Way, Stevenage, SG1 2AD, UK
  • Telephone: 0330 223 0099We will get back to you in a month – or sooner.

You can get in touch with us in any of these ways too if you have any questions about how we keep what we know about you safe and private.

About our website

Like lots of websites, ours downloads tiny files called “cookies” onto your computer.  These help our website to work properly for you.  You can find out lots about cookies here.

You can stop your computer from having cookies put on it.  The “Help” part of your computer’s web browser should tell you how to do this.  It is best not to do this though because stopping cookies can mean that websites like ours won’t work so well on your computer.

Celebrating our sector, sharing our contribution